
Windows Analysis Report
final.exe

Overview

General Information

Sample name: final.exe
Analysis ID: 1581284
MD5: b588b3f94591ffad45b2d809da200fbe
SHA1: e56e246e1cebcffcce9c0603ff616bd759cba403
SHA256: c7265f67b7e2a9697525cc6da6501fdaa8e9a4dadd6322619b7b0ca6a5f24150
Tags: exe malware trojan user-Joker

Detection

Meterpreter
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Meterpreter
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to change the desktop window for a process (likely to hide graphical interactions)
Contains functionality to check if the process is started with administrator privileges
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate device drivers
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • final.exe (PID: 4372 cmdline: "C:\Users\user\Desktop\final.exe" MD5: B588B3F94591FFAD45B2D809DA200FBE)
  • cleanup
{"Type": "tcp", "IP": "84.247.147.214", "Port": 8440}
Source | Rule | Description | Author | Strings
00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_38b8ceec | Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). | unknown
  • 0x139e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_7bc0f998 | Identifies the API address lookup function leverage by metasploit shellcode | unknown
  • 0x1277:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
  • 0x14af:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
  • 0x15fd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x12e3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  • 0x151b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
  • 0x1669:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security
00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp | MALWARE_Win_Meterpreter | Detects Meterpreter payload | ditekSHen
  • 0xa58:$s1: PACKET TRANSMIT
  • 0xa68:$s2: PACKET RECEIVE
  • 0x9c8:$s3: \\%s\pipe\%s
  • 0xa08:$s3: \\%s\pipe\%s
  • 0x940:$s4: %04x-%04x:%s
  • 0x821c:$s5: server.dll

Source | Rule | Description | Author | Strings
0.2.final.exe.7ff6cfaf4000.7.unpack | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security
0.2.final.exe.7ff6cfaf4000.7.unpack | Windows_Trojan_Metasploit_c9773203 | Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. | unknown
  • 0x2ba69:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.2.final.exe.7ff6cfaf4000.7.unpack | MALWARE_Win_Meterpreter | Detects Meterpreter payload | ditekSHen
  • 0x22258:$s1: PACKET TRANSMIT
  • 0x22268:$s2: PACKET RECEIVE
  • 0x221c8:$s3: \\%s\pipe\%s
  • 0x22208:$s3: \\%s\pipe\%s
  • 0x22140:$s4: %04x-%04x:%s
  • 0x29a1c:$s5: server.dll
0.2.final.exe.7ff6cfaf0000.6.unpack | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security
0.2.final.exe.7ff6cfaf0000.6.unpack | Windows_Trojan_Metasploit_38b8ceec | Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). | unknown
  • 0x2f39e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61

No Sigma rule has matched
No Suricata rule has matched

AV Detection

Source: 0.2.final.exe.7ff6cfaf0000.6.unpack Malware Configuration Extractor: Meterpreter {"Type": "tcp", "IP": "84.247.147.214", "Port": 8440}
Source: final.exe ReversingLabs: Detection: 50%
Source: final.exe Virustotal: Detection: 48%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: final.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE7B28 CryptDecodeObjectEx,GetLastError,CryptAcquireContextW,CryptAcquireContextW,CryptImportPublicKeyInfo,CryptEncrypt,calloc,memcpy_s,CryptEncrypt,free,LocalFree,CryptDestroyKey,CryptReleaseContext, 0_2_0000021954FE7B28
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE78D0 calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptImportKey,free, 0_2_0000021954FE78D0
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE7678 memcpy_s,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptGenRandom,GetLastError,CryptSetKeyParam,htonl,malloc,memcpy_s,CryptEncrypt,GetLastError,htonl,memcpy_s,memcpy_s,malloc,htonl,memcpy_s,memcpy_s,CryptDestroyKey, 0_2_0000021954FE7678
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE74BC calloc,htonl,htonl,CryptDuplicateKey,GetLastError,CryptSetKeyParam,CryptSetKeyParam,CryptDecrypt,memmove_s,htonl,htonl,malloc,memcpy_s,CryptDestroyKey, 0_2_0000021954FE74BC
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE7AC8 CryptDestroyKey,CryptReleaseContext,free, 0_2_0000021954FE7AC8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB4790 GetLastError,CryptDestroyHash,CryptReleaseContext,fclose, 0_2_0000021957DB4790
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB4770 GetLastError,CryptAcquireContextA,GetLastError,CryptCreateHash,GetLastError,_fread_nolock,CryptHashData,_fread_nolock,CryptGetHashParam,GetLastError,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext,fclose, 0_2_0000021957DB4770
Source: final.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB5660 SetLastError,lstrcmpiW,GetFileAttributesW,SetLastError,RemoveDirectoryW,GetLastError,lstrlenW,lstrlenW,wsprintfW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,wsprintfW,SetFileAttributesW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW, 0_2_0000021957DB5660
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB51C0 _snprintf,strrchr,_snprintf,strrchr,GetLastError,FindFirstFileW,GetLastError,_snprintf,_snprintf,free,free,FindNextFileW,GetLastError,FindClose,free,free,free, 0_2_0000021957DB51C0
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB5940 FindFirstFileW,FindClose, 0_2_0000021957DB5940
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB7060 calloc,swprintf,FindFirstFileW,calloc,swprintf,free,FindNextFileW,FindClose,free,GetLastError,GetLastError,free, 0_2_0000021957DB7060
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB6F00 swprintf,FindFirstFileW,FindNextFileW,FindClose,GetLastError,GetLastError, 0_2_0000021957DB6F00
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB1260 GetLogicalDriveStringsA,GetLastError,GetDriveTypeA,malloc,WNetGetUniversalNameA,free,GetDiskFreeSpaceExA, 0_2_0000021957DB1260
Source: C:\Users\user\Desktop\final.exe Code function: 4x nop then push rbx 0_2_00007FF6CFAF2313

Networking

Source: Yara match File source: 0.2.final.exe.7ff6cfaf4000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.final.exe.7ff6cfaf0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.final.exe.7ff6cfaf4000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.final.exe.21955170000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.final.exe.21954fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.final.exe.21955170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Malware configuration extractor URLs: 84.247.147.214
Source: global traffic TCP traffic: 192.168.2.6:49849 -> 84.247.147.214:8440
Source: Joe Sandbox View ASN Name: SKYLOGIC-ASIT SKYLOGIC-ASIT
Source: unknown TCP traffic detected without corresponding DNS query: 84.247.147.214
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FEB8D8 recv,recv,GetLastError,SetLastError,SetLastError,htonl,malloc,memcpy_s,recv,GetLastError,SetLastError,SetLastError,GetLastError,free, 0_2_0000021954FEB8D8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC3E80 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,EnumChildWindows,OpenProcess,GetSystemTime,GetDateFormatW,GetTimeFormatW,_snwprintf,_snwprintf,CloseHandle,GetAsyncKeyState,GetKeyNameTextW,ToUnicodeEx,GetKeyNameTextW,_snwprintf, 0_2_0000021957DC3E80
Source: final.exe Binary or memory string: GetRawInputData
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC3E80 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,EnumChildWindows,OpenProcess,GetSystemTime,GetDateFormatW,GetTimeFormatW,_snwprintf,_snwprintf,CloseHandle,GetAsyncKeyState,GetKeyNameTextW,ToUnicodeEx,GetKeyNameTextW,_snwprintf, 0_2_0000021957DC3E80
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC3B50 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetAsyncKeyState,GetKeyNameTextW,ToUnicodeEx,GetKeyNameTextW,_snwprintf, 0_2_0000021957DC3B50
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE78D0 calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptImportKey,free, 0_2_0000021954FE78D0

System Summary

Source: 0.2.final.exe.7ff6cfaf4000.7.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.final.exe.7ff6cfaf4000.7.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.final.exe.7ff6cfaf0000.6.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.final.exe.7ff6cfaf0000.6.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.final.exe.7ff6cfaf0000.6.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.final.exe.7ff6cfaf0000.6.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.final.exe.21955170000.3.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.final.exe.7ff6cfaf4000.7.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.final.exe.7ff6cfaf4000.7.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.final.exe.7ff6cfaf4000.7.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.final.exe.21955170000.3.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.final.exe.7ff6cfaf4000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.final.exe.21954fe0000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.final.exe.21954fe0000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.final.exe.21954fe0000.0.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.final.exe.21954fe0000.0.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.final.exe.21955170000.3.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.final.exe.21955170000.3.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.final.exe.21955170000.3.raw.unpack, type: UNPACKEDPE Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.final.exe.21955170000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955175D70 NtAllocateVirtualMemory, 0_2_0000021955175D70
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955175DCC NtProtectVirtualMemory, 0_2_0000021955175DCC
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DBBE70 calloc,_snprintf,mbstowcs,calloc,mbstowcs,malloc,CreatePipe,CreatePipe,LoadLibraryA,GetProcAddress,GetProcAddress,OpenProcess,malloc,GetLastError,wprintf,GetLastError,free,GetLastError,GetLastError,wprintf,GetLastError,FreeLibrary,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,DuplicateTokenEx,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,CreateProcessAsUserW,GetLastError,LoadLibraryA,GetProcAddress,mbstowcs,malloc,mbstowcs,mbstowcs,malloc,mbstowcs,GetLastError,FreeLibrary,free,free,FreeLibrary,GetLastError,LoadLibraryA,GetCurrentProcessId,GetProcAddress,CreateProcessAsUserW,CreateProcessW,GetLastError,FreeLibrary,CloseHandle,CreateProcessW,GetLastError,ResumeThread,GetLastError,CloseHandle,CloseHandle,CloseHandle,free,free,free,free,free, 0_2_0000021957DBBE70
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC0C30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,CloseHandle, 0_2_0000021957DC0C30
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00000219551760F8 0_2_00000219551760F8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_000002195517283C 0_2_000002195517283C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955187C3C 0_2_0000021955187C3C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00000219551810F4 0_2_00000219551810F4
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_000002195518C8E8 0_2_000002195518C8E8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955176F28 0_2_0000021955176F28
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955188B7C 0_2_0000021955188B7C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00000219551887CC 0_2_00000219551887CC
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_000002195518DA54 0_2_000002195518DA54
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955190648 0_2_0000021955190648
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955190EAC 0_2_0000021955190EAC
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955186104 0_2_0000021955186104
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955191D38 0_2_0000021955191D38
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_000002195517D174 0_2_000002195517D174
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_000002195518E9B8 0_2_000002195518E9B8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955185DF8 0_2_0000021955185DF8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFAF1840 0_2_00007FF6CFAF1840
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB050F4 0_2_00007FF6CFB050F4
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB0A104 0_2_00007FF6CFB0A104
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB108E8 0_2_00007FF6CFB108E8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFAFA0F8 0_2_00007FF6CFAFA0F8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFAF683C 0_2_00007FF6CFAF683C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB0BC3C 0_2_00007FF6CFB0BC3C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB0C7CC 0_2_00007FF6CFB0C7CC
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB0CB7C 0_2_00007FF6CFB0CB7C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFAFAF28 0_2_00007FF6CFAFAF28
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB14EAC 0_2_00007FF6CFB14EAC
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB14648 0_2_00007FF6CFB14648
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB11A54 0_2_00007FF6CFB11A54
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB09DF8 0_2_00007FF6CFB09DF8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB129B8 0_2_00007FF6CFB129B8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB01174 0_2_00007FF6CFB01174
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB15D38 0_2_00007FF6CFB15D38
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE7B28 0_2_0000021954FE7B28
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FF93CC 0_2_0000021954FF93CC
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FF977C 0_2_0000021954FF977C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FFD4E8 0_2_0000021954FFD4E8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE6CF8 0_2_0000021954FE6CF8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FF1CF4 0_2_0000021954FF1CF4
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FF883C 0_2_0000021954FF883C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE343C 0_2_0000021954FE343C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FF69F8 0_2_0000021954FF69F8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955001248 0_2_0000021955001248
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FFE654 0_2_0000021954FFE654
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FEDD74 0_2_0000021954FEDD74
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955001AAC 0_2_0000021955001AAC
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FF6D04 0_2_0000021954FF6D04
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955002938 0_2_0000021955002938
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FFF5B8 0_2_0000021954FFF5B8
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DBBE70 0_2_0000021957DBBE70
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DCDE10 0_2_0000021957DCDE10
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DEFE04 0_2_0000021957DEFE04
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DE4634 0_2_0000021957DE4634
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DEC5D0 0_2_0000021957DEC5D0
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DE8DE0 0_2_0000021957DE8DE0
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DEF5A0 0_2_0000021957DEF5A0
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DE643C 0_2_0000021957DE643C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB63B0 0_2_0000021957DB63B0
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DF0BAC 0_2_0000021957DF0BAC
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DEA30C 0_2_0000021957DEA30C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB3A80 0_2_0000021957DB3A80
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC7930 0_2_0000021957DC7930
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DE5120 0_2_0000021957DE5120
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DE608C 0_2_0000021957DE608C
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DE3818 0_2_0000021957DE3818
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DDC824 0_2_0000021957DDC824
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DE07E4 0_2_0000021957DE07E4
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DDFF88 0_2_0000021957DDFF88
Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DDEFA8 0_2_0000021957DDEFA8
        Source: C:\Users\user\Desktop\final.exeCode function: String function: 00000219551925C0 appears 33 times
        Source: C:\Users\user\Desktop\final.exeCode function: String function: 00007FF6CFB165C0 appears 33 times
        Source: 0.2.final.exe.7ff6cfaf4000.7.unpack, type: UNPACKEDPE Matched rules: Windows_Trojan_Metasploit_c9773203, MALWARE_Win_Meterpreter
        Source: 0.2.final.exe.7ff6cfaf0000.6.unpack, type: UNPACKEDPE Matched rules: Windows_Trojan_Metasploit_38b8ceec, Windows_Trojan_Metasploit_7bc0f998, Windows_Trojan_Metasploit_c9773203, MALWARE_Win_Meterpreter
        Source: 0.2.final.exe.21955170000.3.unpack, type: UNPACKEDPE Matched rules: Windows_Trojan_Metasploit_c9773203, MALWARE_Win_Meterpreter
        Source: 0.2.final.exe.7ff6cfaf4000.7.raw.unpack, type: UNPACKEDPE Matched rules: Windows_Trojan_Metasploit_38b8ceec, Windows_Trojan_Metasploit_7bc0f998, Windows_Trojan_Metasploit_c9773203, MALWARE_Win_Meterpreter
        Source: 0.2.final.exe.21954fe0000.0.unpack, type: UNPACKEDPE Matched rules: Windows_Trojan_Metasploit_38b8ceec, Windows_Trojan_Metasploit_7bc0f998, Windows_Trojan_Metasploit_c9773203, MALWARE_Win_Meterpreter
        Source: 0.2.final.exe.21955170000.3.raw.unpack, type: UNPACKEDPE Matched rules: Windows_Trojan_Metasploit_38b8ceec, Windows_Trojan_Metasploit_7bc0f998, Windows_Trojan_Metasploit_c9773203, MALWARE_Win_Meterpreter
        Source: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rules: Windows_Trojan_Metasploit_38b8ceec, Windows_Trojan_Metasploit_7bc0f998, Windows_Trojan_Metasploit_c9773203
        Source: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rules: MALWARE_Win_Meterpreter
        Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY Matched rules: Windows_Trojan_Metasploit_38b8ceec, Windows_Trojan_Metasploit_7bc0f998, Windows_Trojan_Metasploit_c9773203, MALWARE_Win_Meterpreter
        Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rules: Windows_Trojan_Metasploit_38b8ceec, Windows_Trojan_Metasploit_7bc0f998, Windows_Trojan_Metasploit_c9773203, MALWARE_Win_Meterpreter
        Rule metadata (identical for every match above):
        Windows_Trojan_Metasploit_38b8ceec: os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
        Windows_Trojan_Metasploit_7bc0f998: os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
        Windows_Trojan_Metasploit_c9773203: os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
        MALWARE_Win_Meterpreter: author = ditekSHen, description = Detects Meterpreter payload
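The three Elastic rules above key on the x64 block_api.asm lookup loop of Metasploit, that is, on the ROR13 hash it computes over an export's module name and function name. As the c9773203 description itself says, that loop has been reused by many other families (the 38b8ceec text names beacon), so on their own these hits mean "Metasploit-style shellcode"; the Meterpreter verdict rests on the ditekSHen rule and the extracted configuration. The following is an added example, not part of this report and not Metasploit's own code: it reimplements that hash so the 32-bit constants a stager loads into r10d before `call rbp` can be mapped back to the API they name. The known constants come from Metasploit's x64 stager sources; the module/export table and the 16-byte stager fragment are constructed for the example.

```python
"""Metasploit ROR13 API hashing: the value block_api.asm computes for an export.

Added example, not part of this report and not Metasploit's own code.  The
known constants in the comments come from Metasploit's x64 stager sources; the
module table and the stager fragment are constructed for the example."""

MASK = 0xFFFFFFFF


def ror13(value: int) -> int:
    # 32-bit rotate right by 13 (`ror r9d, 13` in block_api.asm).
    return ((value >> 13) | (value << 19)) & MASK


def module_hash(module_name: str) -> int:
    # block_api reads BaseDllName for MaximumLength bytes: the UTF-16LE name
    # plus its two-byte NUL terminator, folding a-z to upper case on the way.
    h = 0
    for byte in (module_name.upper() + "\x00").encode("utf-16-le"):
        h = (ror13(h) + byte) & MASK
    return h


def function_hash(export_name: str) -> int:
    # The export name is read as ASCII up to and including its NUL.
    h = 0
    for byte in export_name.encode("ascii") + b"\x00":
        h = (ror13(h) + byte) & MASK
    return h


def api_hash(module_name: str, export_name: str) -> int:
    # Module hash plus function hash, truncated to 32 bits, as in the asm.
    return (module_hash(module_name) + function_hash(export_name)) & MASK


# Constructed table; a real resolver would fill it from the export directories
# of the DLLs the sample loaded (see the "Section loaded" lines in the report).
MODULES = {
    "kernel32.dll": ["LoadLibraryA", "ExitProcess", "WinExec", "VirtualAlloc", "CreateThread"],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "bind", "listen", "accept"],
}


def build_table(modules=MODULES) -> dict:
    """hash -> (module, export) for every export in the table."""
    return {api_hash(mod, exp): (mod, exp) for mod, exports in modules.items() for exp in exports}


def resolve(hash_value: int, modules=MODULES):
    """Map a ROR13 constant back to (module, export); None if not in the table."""
    return build_table(modules).get(hash_value & MASK)


def find_api_hashes(blob: bytes, modules=MODULES):
    """Slide a 4-byte little-endian window over code and report known constants."""
    table = build_table(modules)
    hits = []
    for off in range(len(blob) - 3):
        dword = int.from_bytes(blob[off:off + 4], "little")
        if dword in table:
            hits.append((off, *table[dword]))
    return hits


# Constructed fragment: `mov r10d, 0x0726774C ; call rbp` followed by
# `mov r10d, 0x56A2B5F0 ; call rbp` (hash of kernel32.dll!LoadLibraryA, then
# kernel32.dll!ExitProcess, as used by the Metasploit x64 stagers).
SAMPLE_STAGER = bytes.fromhex("41ba4c772607ffd5" "41baf0b5a256ffd5")


if __name__ == "__main__":
    print(f"kernel32.dll!LoadLibraryA = {api_hash('kernel32.dll', 'LoadLibraryA'):#010x}")
    for off, mod, exp in find_api_hashes(SAMPLE_STAGER):
        print(f"+{off:#04x}: {mod}!{exp}")
```

To use this on a real dump, pass `find_api_hashes` the bytes of a matched region (the .unpack sources above) together with a `modules` table built from the export directories of the DLLs the sample loaded; each hit pinpoints a call site that resolves an API even though the shellcode has no import table.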
        Source: classification engine Classification label: mal100.troj.evad.winEXE@1/1@0/1
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC5E42 GetLastError,FormatMessageA,free,SetLastError
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE1F34 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetLastError,CreateEventW,GetCurrentProcess,DuplicateHandle,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,free,GetLastError,free,CloseHandle,CloseHandle
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE9E60 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB9E40 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,wcsstr,CloseHandle,FreeLibrary
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC0C30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,CloseHandle
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC1B60 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DBCA70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB1260 GetLogicalDriveStringsA,GetLastError,GetDriveTypeA,malloc,WNetGetUniversalNameA,free,GetDiskFreeSpaceExA
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC72F0 CoInitialize,CoCreateInstance,VariantInit,_Wcsftime,VariantClear,GetLastError,CoUninitialize
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC4A10 ExpandEnvironmentStringsA,FindResourceA,GetLastError,LoadResource,LockResource,SizeofResource,DeleteFileA,GetFileAttributesA,fwrite,fclose,GetLastError,LoadLibraryA,GetLastError
        Source: C:\Users\user\Desktop\final.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\21c8026919fd094ab07ec3c180a9f210_9e146be9-c76a-4720-bcdb-53011b87bd06
        Source: C:\Users\user\Desktop\final.exe Mutant created: NULL
        Source: final.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\final.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: final.exe ReversingLabs: Detection: 50%
        Source: final.exe Virustotal: Detection: 48%
        Source: C:\Users\user\Desktop\final.exe Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: amsi.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: wininet.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: napinsp.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: pnrpnsp.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: wshbth.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: nlaapi.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: winrnr.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: dpapi.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: mpr.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: netapi32.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: netutils.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: winmm.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: wkscli.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: cscapi.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: dhcpcsvc6.dll
        Source: C:\Users\user\Desktop\final.exe Section loaded: dhcpcsvc.dll
        Source: final.exe Static PE information: Image base 0x140000000 > 0x60000000
        Source: final.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFAF14C0 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect
        Source: final.exe Static PE information: section name: .xdata
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_000002195519A832 push rsp; ret 0_2_000002195519A839
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021955192558 push rsp; ret 0_2_0000021955192559
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB1E832 push rsp; ret 0_2_00007FF6CFB1E839
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFB16558 push rsp; ret 0_2_00007FF6CFB16559
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC11D0 ClearEventLogA,GetLastError
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FF69F8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

        Malware Analysis System Evasion

        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB9E40 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,wcsstr,CloseHandle,FreeLibrary
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC2020 malloc,EnumDeviceDrivers,GetDeviceDriverFileNameW,free,free,free
        Source: C:\Users\user\Desktop\final.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-57531
        Source: C:\Users\user\Desktop\final.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-57399
        Source: C:\Users\user\Desktop\final.exe API coverage: 5.5 %
        Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB5660 SetLastError,lstrcmpiW,GetFileAttributesW,SetLastError,RemoveDirectoryW,GetLastError,lstrlenW,lstrlenW,wsprintfW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,wsprintfW,SetFileAttributesW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB51C0 _snprintf,strrchr,_snprintf,strrchr,GetLastError,FindFirstFileW,GetLastError,_snprintf,_snprintf,free,free,FindNextFileW,GetLastError,FindClose,free,free,free
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB5940 FindFirstFileW,FindClose
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB7060 calloc,swprintf,FindFirstFileW,calloc,swprintf,free,FindNextFileW,FindClose,free,GetLastError,GetLastError,free
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB6F00 swprintf,FindFirstFileW,FindNextFileW,FindClose,GetLastError,GetLastError
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB1260 GetLogicalDriveStringsA,GetLastError,GetDriveTypeA,malloc,WNetGetUniversalNameA,free,GetDiskFreeSpaceExA
        Source: final.exe, 00000000.00000002.3424884655.000002195507E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Users\user\Desktop\final.exe API call chain: ExitProcess graph end node graph_0-57697
        Source: C:\Users\user\Desktop\final.exe API call chain: ExitProcess graph end node graph_0-57076
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FF730C __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FFC170 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFAF14C0 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FF3B7C GetProcessHeap,HeapAlloc,HeapFree
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFAF1180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_00007FF6CFAF2F89 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FFB7A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE73FC GetModuleHandleW,SetUnhandledExceptionFilter,ExitProcess,ExitThread
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DE80D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC29D0 GetCurrentProcessId,GetCurrentProcessId,OpenWindowStationA,RevertToSelf,OpenWindowStationA,GetProcessWindowStation,SetProcessWindowStation,GetLastError,OpenDesktopA,GetLastError,SetThreadDesktop,GetLastError,SwitchDesktop,GetLastError,CloseDesktop,CloseWindowStation,SetProcessWindowStation
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DBAA20 VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,TerminateProcess
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE669C VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread
        Source: C:\Users\user\Desktop\final.exe NtAllocateVirtualMemory: Indirect: 0x219561DABAE
        Source: C:\Users\user\Desktop\final.exe NtProtectVirtualMemory: Indirect: 0x219561DAC03
        Source: C:\Users\user\Desktop\final.exe NtProtectVirtualMemory: Indirect: 0x219561983D3
        Source: C:\Users\user\Desktop\final.exe NtAllocateVirtualMemory: Indirect: 0x21955175DBE
        Source: C:\Users\user\Desktop\final.exe NtAllocateVirtualMemory: Indirect: 0x2195619837E
        Source: C:\Users\user\Desktop\final.exe NtProtectVirtualMemory: Indirect: 0x21955175E0F
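The two API chains above are the report's evidence for the "inject code into remote processes" and "inject threads in other processes" signatures: the first allocates in a target, writes three buffers and redirects an existing thread (GetThreadContext, SetThreadContext, ResumeThread, with TerminateProcess as the failure path); the second is the VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, CreateRemoteThread sequence. The "Indirect" records carry the address Joe Sandbox attributes to each indirect Nt* call, and all six lie in the same 0x219... heap range as the in-memory images the report unpacked (0x21954fe0000, 0x21955170000; two of the callers sit just above the latter base), not in the on-disk final.exe image whose functions the report places at 0x00007FF6CFAF.... The following is an added example, not from the report or from Joe Sandbox: a parser that turns report lines of this form into findings, matching API chains as ordered subsequences and labelling each indirect syscall by whether its caller falls inside an image range. The sample lines are copied from this report; the technique patterns, their ATT&CK labels and the image range (bracketing the final.exe functions listed in the report) are the example's own assumptions.

```python
"""Classify Joe Sandbox "Code function" API chains and "Indirect" syscall lines.

Added example, not part of the report or of Joe Sandbox.  The sample lines are
copied from this report; the technique patterns, their ATT&CK labels and the
image range are assumptions made for the example."""
import re

# Constructed sample input: lines taken from this report (paths as raw strings).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DBAA20 "
    "VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,"
    "VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,"
    "SetThreadContext,ResumeThread,TerminateProcess,0_2_0000021957DBAA20",
    r"Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE669C "
    "VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,0_2_0000021954FE669C",
    r"Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE9E60 "
    "GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,"
    "AdjustTokenPrivileges,CloseHandle,0_2_0000021954FE9E60",
    r"Source: C:\Users\user\Desktop\final.exe Code function: "
    "malloc,EnumDeviceDrivers,GetDeviceDriverFileNameW,free,free,free,0_2_0000021957DC2020",
    r"Source: C:\Users\user\Desktop\final.exe NtAllocateVirtualMemory: Indirect: 0x219561DABAE",
    r"Source: C:\Users\user\Desktop\final.exe NtProtectVirtualMemory: Indirect: 0x21955175E0F",
    r"Source: C:\Users\user\Desktop\final.exe Code function: String function: 00007FF6CFB165C0 appears 33 times",
]

IDENT = r"\d+_\d+_[0-9A-Fa-f]+"  # pid_round_address, e.g. 0_2_0000021954FE669C
CODE_FUNCTION_RE = re.compile(
    rf"Code function:\s*(?:(?P<id>{IDENT})\s+)?"  # leading id (absent on some lines)
    r"(?P<chain>[A-Za-z0-9_,]+?)"                 # comma-separated API names
    rf"(?:,?\s*(?P<tail>{IDENT}))?\s*$")          # optional trailing repeat of the id
INDIRECT_RE = re.compile(r"(?P<api>Nt\w+): Indirect: 0x(?P<addr>[0-9A-Fa-f]+)")

# Ordered API subsequences and ATT&CK labels (assumed mappings, not report fields).
TECHNIQUES = {
    "remote thread injection (T1055)":
        ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "thread-context hijack / hollowing (T1055.003, T1055.012)":
        ("GetThreadContext", "WriteProcessMemory", "SetThreadContext", "ResumeThread"),
    "token privilege adjustment (T1134)":
        ("OpenProcessToken", "LookupPrivilegeValue", "AdjustTokenPrivileges"),
}

# Assumed runtime span of the on-disk final.exe image, bracketing the
# 0x00007FF6CFAF14C0..0x00007FF6CFB1E839 functions the report lists for it.
ASSUMED_IMAGE_RANGES = {"final.exe": (0x7FF6CFAF0000, 0x7FF6CFB30000)}


def normalize(api: str) -> str:
    """Fold ANSI/Unicode variants (LookupPrivilegeValueA/W) onto one name."""
    if len(api) > 2 and api[-1] in "AW" and (api[-2].islower() or api[-2].isdigit()):
        return api[:-1]
    return api


def parse_code_function(line: str):
    """Return (function id, [api names]) for a 'Code function' line, else None."""
    m = CODE_FUNCTION_RE.search(line)
    if not m:
        return None
    ident = m.group("id") or m.group("tail")
    apis = [a for a in m.group("chain").split(",") if a]
    return ident, apis


def contains_in_order(apis, pattern) -> bool:
    """True if every name in pattern occurs in apis in that order (gaps allowed)."""
    it = iter(apis)
    return all(any(a == wanted for a in it) for wanted in pattern)


def caller_backing(addr: int, ranges=ASSUMED_IMAGE_RANGES) -> str:
    """Name of the image range containing addr, or 'unbacked memory'."""
    for name, (lo, hi) in ranges.items():
        if lo <= addr < hi:
            return name
    return "unbacked memory"


def analyze(lines, ranges=ASSUMED_IMAGE_RANGES):
    """(identifier, label) findings for injection chains and indirect syscalls."""
    findings = []
    for line in lines:
        parsed = parse_code_function(line)
        if parsed:
            ident, apis = parsed
            names = [normalize(a) for a in apis]
            for label, pattern in TECHNIQUES.items():
                if contains_in_order(names, pattern):
                    findings.append((ident, label))
            continue
        m = INDIRECT_RE.search(line)
        if m:
            addr = int(m.group("addr"), 16)
            findings.append((f"0x{addr:X}",
                             f"indirect {m.group('api')} from {caller_backing(addr, ranges)}"))
    return findings


if __name__ == "__main__":
    for ident, label in analyze(SAMPLE_LINES):
        print(f"{ident}: {label}")
```

The subsequence match deliberately allows gaps, since the report interleaves GetLastError and CloseHandle calls with the interesting ones; an exact-adjacency match would miss the 0_2_0000021954FE9E60 privilege chain. The range check is only as good as its table: to use it on a real run, replace ASSUMED_IMAGE_RANGES with the module list from the same analysis so that callers inside ntdll or other legitimate images are not flagged.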
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE9CB4 AllocateAndInitializeSid,SetEntriesInAclW,AllocateAndInitializeSid,LocalAlloc,InitializeAcl,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorSacl
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC15C0 GetComputerNameA,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetNativeSystemInfo,GetProcAddress,GetLocaleInfoA,malloc,GetLocaleInfoA,GetLocaleInfoA,malloc,GetLocaleInfoA,_snprintf,_snprintf,free,free,NetWkstaGetInfo,free,NetApiBufferFree
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE9F30 CreateNamedPipeA,CreateNamedPipeA,GetLastError,CreateEventW,CreateEventW
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FFB018 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DC18F0 GetTimeZoneInformation,GetLocalTime,_snwprintf_s
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FE32C0 GetVersionExW,GetLastError,SetLastError,VirtualAlloc,VirtualAlloc,GetLastError,SetLastError,VirtualFree,VirtualFree
        Source: C:\Users\user\Desktop\final.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Remote Access Functionality

        Source: Yara match, file source: 0.2.final.exe.7ff6cfaf4000.7.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 0.2.final.exe.7ff6cfaf0000.6.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 0.2.final.exe.7ff6cfaf4000.7.raw.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 0.2.final.exe.21955170000.3.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 0.2.final.exe.21954fe0000.0.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 0.2.final.exe.21955170000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara match, file source: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, file source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, file source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021954FEB658 bind,WSAGetLastError,listen,accept,closesocket,0_2_0000021954FEB658
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB95B0 malloc,inet_addr,inet_addr,WSASocketA,WSAGetLastError,htons,bind,WSAGetLastError,WSACreateEvent,WSAGetLastError,WSAEventSelect,WSAGetLastError,closesocket,free,0_2_0000021957DB95B0
        Source: C:\Users\user\Desktop\final.exe Code function: 0_2_0000021957DB8AA0 malloc,WSASocketA,WSASocketA,setsockopt,closesocket,WSASocketA,WSAGetLastError,htons,htons,htons,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,WSACreateEvent,WSAGetLastError,WSAEventSelect,WSAGetLastError,closesocket,free,0_2_0000021957DB8AA0
        ATT&CK matrix by tactic (techniques with a count in parentheses are those the report marks as matched):

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
        Initial Access: Valid Accounts (1); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
        Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
        Persistence: Valid Accounts (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
        Privilege Escalation: Valid Accounts (1); Access Token Manipulation (11); Process Injection (21); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); RC Scripts; Startup Items; Scheduled Task/Job; At
        Defense Evasion: Masquerading (1); Valid Accounts (1); Access Token Manipulation (11); Process Injection (21); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); Indicator Removal (1); DLL Side-Loading (1)
        Credential Access: Input Capture (31); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
        Discovery: System Time Discovery (2); Security Software Discovery (31); File and Directory Discovery (2); System Information Discovery (25); Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
        Collection: Input Capture (31); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
        Command and Control: Encrypted Channel (2); Non-Standard Port (1); Ingress Tool Transfer (1); Application Layer Protocol (1); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
        Impact: Data Encrypted for Impact (1); System Shutdown/Reboot (1); Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

        Source | Detection | Scanner | Label
        final.exe | 50% | ReversingLabs | Win64.Trojan.Generic
        final.exe | 49% | Virustotal |
        final.exe | 100% | Joe Sandbox ML |
        No Antivirus matches
        Source | Detection | Scanner | Label
        84.247.147.214 | 0% | Avira URL Cloud | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
        Name | Malicious | Antivirus Detection | Reputation
        84.247.147.214 | true | Avira URL Cloud: safe | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        84.247.147.214 | unknown | Norway | 29286 | SKYLOGIC-ASIT | true
          Joe Sandbox version: 41.0.0 Charoite
          Analysis ID: 1581284
          Start date and time: 2024-12-27 10:26:09 +01:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 4m 36s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed: 21
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: final.exe
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@1/1@0/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 27
          • Number of non-executed functions: 302
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
          • Excluded IPs from analysis (whitelisted): 2.16.158.48, 2.16.158.75, 2.16.158.50, 2.16.158.58, 2.16.158.27, 2.16.158.40, 2.16.158.35, 2.16.158.72, 2.16.158.26, 13.107.246.63, 20.190.147.10, 20.223.35.26, 52.149.20.212, 150.171.27.10, 20.109.210.53
          • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, login.live.com, wu-b-net.trafficmanager.net
          No simulations
          No context
          Match | Associated Sample Name / URL | Detection | Threat Name | Context
          bg.microsoft.map.fastly.net | n5Szx8qsFB.lnk | malicious | Unknown | 199.232.214.172
          bg.microsoft.map.fastly.net | A4FY1OA97K.lnk | malicious | DanaBot | 199.232.214.172
          bg.microsoft.map.fastly.net | vreFmptfUu.lnk | malicious | DanaBot | 199.232.210.172
          bg.microsoft.map.fastly.net | 54861 Proforma Invoice AMC2273745.xlam.xlsx | malicious | Unknown | 199.232.214.172
          bg.microsoft.map.fastly.net | 6ee7HCp9cD.exe | malicious | Quasar | 199.232.214.172
          bg.microsoft.map.fastly.net | C8QT9HkXEb.exe | malicious | LummaC | 199.232.210.172
          bg.microsoft.map.fastly.net | P9UXlizXVS.exe | malicious | AsyncRAT | 199.232.214.172
          bg.microsoft.map.fastly.net | Setup64v4.1.9.exe | malicious | Unknown | 199.232.214.172
          bg.microsoft.map.fastly.net | 0Ty.png.exe | malicious | Xmrig | 199.232.214.172
          bg.microsoft.map.fastly.net | 0442.pdf.exe | malicious | Unknown | 199.232.210.172
          Match | Associated Sample Name / URL | Detection | Threat Name | Context
          SKYLOGIC-ASIT | sparc.nn.elf | malicious | Mirai, Okiru | 193.92.15.21
          SKYLOGIC-ASIT | arm.nn.elf | malicious | Mirai, Okiru | 213.209.160.213
          SKYLOGIC-ASIT | bot.sh4.elf | malicious | Mirai | 95.210.240.235
          SKYLOGIC-ASIT | armv4l.elf | malicious | Mirai | 37.252.205.152
          SKYLOGIC-ASIT | rebirth.mpsl.elf | malicious | Mirai, Okiru | 213.209.175.58
          SKYLOGIC-ASIT | rebirth.mips.elf | malicious | Mirai, Okiru | 95.210.222.212
          SKYLOGIC-ASIT | jade.arm.elf | malicious | Mirai | 95.210.240.246
          SKYLOGIC-ASIT | spc.elf | malicious | Mirai, Moobot | 37.1.182.219
          SKYLOGIC-ASIT | x86_32.nn.elf | malicious | Mirai, Okiru | 154.73.28.144
          SKYLOGIC-ASIT | x86.elf | malicious | Mirai, Moobot | 197.234.45.8
          No context
          Process: C:\Users\user\Desktop\final.exe
          File Type: data
          Category: dropped
          Size (bytes): 49
          Entropy (8bit): 1.2701062923235522
          Encrypted: false
          SSDEEP: 3:/l1PL3n:fPL3
          MD5: CD8FA61AD2906643348EEF98A988B873
          SHA1: 0B10E2F323B5C73F3A6EA348633B62AE522DDF39
          SHA-256: 49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
          SHA-512: 1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
          Malicious: false
          Reputation: moderate, very likely benign file
          Preview: ........................................user.
          File type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
          Entropy (8bit): 7.530839836417826
          TrID:
          • Win64 Executable (generic) (12005/4) 74.95%
          • Generic Win/DOS Executable (2004/3) 12.51%
          • DOS Executable Generic (2002/1) 12.50%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
          File name: final.exe
          File size: 222'208 bytes
          MD5: b588b3f94591ffad45b2d809da200fbe
          SHA1: e56e246e1cebcffcce9c0603ff616bd759cba403
          SHA256: c7265f67b7e2a9697525cc6da6501fdaa8e9a4dadd6322619b7b0ca6a5f24150
          SHA512: 9fb0c574174749b6951a455483018a577bf12fd07dcdf40c76954a9a9f5d66bfa90d32dd6ecd54cf4d80dae1aa93419ddebbe5795eff21d57423096eb168b8a9
          SSDEEP: 6144:qKFqPZVAezfKPndoVyB0GOG60RCDUo4k:M7bWvdoVuOGNX
          TLSH: 23245BFA21C5EF8FCCD1AC3D365E5A3A19FF050CBCE45D6ED930616726E1620AB1A424
          File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Xg...............'."...`.................@....................................h\....`... ............................
          Icon Hash: 00928e8e8686b000
          Entrypoint: 0x1400013d0
          Entrypoint Section: .text
          Digitally signed: false
          Imagebase: 0x140000000
          Subsystem: windows gui
          Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
          DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
          Time Stamp: 0x6758E1F3 [Wed Dec 11 00:50:59 2024 UTC]
          TLS Callbacks: 0x40001be0, 0x1, 0x40001bb0, 0x1
          CLR (.Net) Version:
          OS Version Major: 4
          OS Version Minor: 0
          File Version Major: 4
          File Version Minor: 0
          Subsystem Version Major: 4
          Subsystem Version Minor: 0
          Import Hash: fd7aab5b29d3b532a2c4a433c3001035
          Instruction
          dec eax
          sub esp, 28h
          dec eax
          mov eax, dword ptr [00035025h]
          mov dword ptr [eax], 00000001h
          call 00007F60E08229EFh
          nop
          nop
          dec eax
          add esp, 28h
          ret
          nop dword ptr [eax]
          dec eax
          sub esp, 28h
          dec eax
          mov eax, dword ptr [00035005h]
          mov dword ptr [eax], 00000000h
          call 00007F60E08229CFh
          nop
          nop
          dec eax
          add esp, 28h
          ret
          nop dword ptr [eax]
          dec eax
          sub esp, 28h
          call 00007F60E082451Ch
          dec eax
          cmp eax, 01h
          sbb eax, eax
          dec eax
          add esp, 28h
          ret
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          dec eax
          lea ecx, dword ptr [00000009h]
          jmp 00007F60E0822C29h
          nop dword ptr [eax+00h]
          ret
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          nop
          push ebx
          inc ebp
          test eax, eax
          mov eax, ecx
          dec eax
          mov ebx, edx
          je 00007F60E0822CB2h
          inc ebp
          mov ebx, eax
          inc ebp
          xor edx, edx
          inc ebp
          mov ecx, edx
          xor ecx, ecx
          nop word ptr [eax+eax+00000000h]
          inc esi
          lea eax, dword ptr [ecx+ecx]
          xor edx, edx
          nop word ptr [eax+eax+00000000h]
          inc esp
          add eax, eax
          imul eax, edx
          add edx, 01h
          lea eax, dword ptr [ecx+eax*2]
          imul eax, ecx
          cmp edx, 000000FFh
          jne 00007F60E0822C3Bh
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3a000 | 0xa90 | .idata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x37000 | 0x2a0 | .pdata
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3d000 | 0x94 | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_TLS | 0x36020 | 0x28 | .rdata
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_IAT | 0x3a2dc | 0x200 | .idata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x2098 | 0x2200 | b7466da9cb5482a395b5e7097f2df9ce | False | 0.5379136029411765 | data | 6.073216813591525 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .data | 0x4000 | 0x31d60 | 0x31e00 | 9f47c65e825a414b0ac317c5040296d8 | False | 0.7402294799498746 | OpenPGP Public Key | 7.564514495940763 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rdata | 0x36000 | 0x570 | 0x600 | b5ed47624ba4c0f0050e53d80da5b723 | False | 0.4049479166666667 | data | 4.178796886678781 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .pdata | 0x37000 | 0x2a0 | 0x400 | 74d68af08385fa30df4df48038e9a885 | False | 0.376953125 | data | 3.10806794883094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .xdata | 0x38000 | 0x214 | 0x400 | a3c8bc396518b0831e56ffff0ddaf0bd | False | 0.224609375 | data | 2.440825672288817 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .bss | 0x39000 | 0x180 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .idata | 0x3a000 | 0xa90 | 0xc00 | 309e3e1c9117cddd85c2361f0cc768ea | False | 0.3033854166666667 | data | 3.96061988632706 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .CRT | 0x3b000 | 0x60 | 0x200 | 346e4358ceef8792ef40a0d8696d798b | False | 0.068359375 | data | 0.28655982431271465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .tls | 0x3c000 | 0x10 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .reloc | 0x3d000 | 0x94 | 0x200 | ccb2e4aa7fea611993fc5736da46f68b | False | 0.29296875 | data | 1.856304748828552 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          DLL: Imports
          KERNEL32.dll: DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetLastError, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualProtect, VirtualQuery, WriteProcessMemory
          api-ms-win-crt-environment-l1-1-0.dll: __p__environ, __p__wenviron
          api-ms-win-crt-heap-l1-1-0.dll: _set_new_mode, calloc, free, malloc
          api-ms-win-crt-math-l1-1-0.dll: __setusermatherr
          api-ms-win-crt-private-l1-1-0.dll: __C_specific_handler, memcpy
          api-ms-win-crt-runtime-l1-1-0.dll: __p___argc, __p___argv, __p___wargv, _cexit, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _exit, _initialize_narrow_environment, _initialize_wide_environment, _initterm, _set_app_type, _set_invalid_parameter_handler, abort, exit, signal
          api-ms-win-crt-stdio-l1-1-0.dll: __acrt_iob_func, __p__commode, __p__fmode, __stdio_common_vfprintf, __stdio_common_vfwprintf, fwrite
          api-ms-win-crt-string-l1-1-0.dll: strlen, strncmp
          api-ms-win-crt-time-l1-1-0.dll: __daylight, __timezone, __tzname, _tzset
          api-ms-win-crt-utility-l1-1-0.dll: srand
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          Dec 27, 2024 10:28:00.354885101 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:00.474525928 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:00.474630117 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:01.991139889 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:02.225707054 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:02.366390944 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:02.485884905 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:02.931464911 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:02.992319107 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:03.111972094 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:03.548171043 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:03.602437973 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:03.722246885 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.159677029 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.210114956 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:04.210832119 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:04.330249071 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.921773911 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.921842098 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.921854019 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.921896935 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:04.922105074 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.922115088 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.922161102 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.922173977 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.922199965 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:04.922199965 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:04.930155039 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.931711912 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.931801081 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.931857109 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:04.932110071 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:04.940107107 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.940187931 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.940298080 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:04.948489904 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:04.991328001 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.152658939 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.152693987 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.152937889 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.156553984 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.156655073 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.156727076 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.164576054 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.164683104 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.164741993 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.172636032 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.172736883 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.172853947 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.180715084 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.180975914 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.181030035 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.188760042 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.188857079 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.188977957 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.196858883 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.196914911 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.196989059 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.204857111 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.204938889 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.204989910 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.212898016 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.213037968 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.213090897 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.220923901 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.221014977 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.221065044 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.229010105 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.229023933 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.229079008 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.237039089 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.237107038 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.237169981 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.457293034 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.492218018 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.492233038 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.492291927 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.534146070 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576702118 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576716900 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576728106 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576787949 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.576788902 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.576828957 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576841116 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576853037 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576872110 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576884031 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576884985 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.576895952 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576900959 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.576909065 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576920986 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576926947 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.576946974 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576958895 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576962948 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.576975107 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576987028 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.576992035 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.577018976 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.577147007 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577158928 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577207088 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.577276945 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577289104 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577300072 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577311993 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577317953 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.577325106 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577337027 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577347994 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577354908 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.577364922 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577373028 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.577377081 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577388048 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577399015 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577409983 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.577410936 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.577439070 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.577450991 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.578341961 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578352928 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578363895 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578376055 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578387022 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578388929 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.578398943 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578409910 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578411102 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.578421116 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578433037 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578444004 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578444958 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.578458071 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578460932 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.578469992 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.578485966 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.578511000 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.612039089 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.612121105 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.612196922 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.614902973 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.617155075 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.617188931 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.617197037 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.620666027 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.620701075 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.620768070 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.663187027 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.696762085 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.696851969 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.697074890 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.699563026 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.699714899 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.699763060 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.705526114 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.705641985 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.705718994 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.711509943 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.711582899 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.711858988 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.716404915 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.716512918 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.716562986 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.721271038 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.721479893 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.721690893 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.726130962 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.726255894 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.726383924 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.731034040 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.731106043 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.732095003 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.735872984 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.735999107 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.736079931 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.740746021 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.740854979 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.741015911 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.745655060 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.745728970 CET | 8440 | 49849 | 84.247.147.214 | 192.168.2.6
          Dec 27, 2024 10:28:05.745826006 CET | 49849 | 8440 | 192.168.2.6 | 84.247.147.214
          Dec 27, 2024 10:28:05.749187946 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.749278069 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.749370098 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.752613068 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.752765894 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.752819061 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.755989075 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.756113052 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.756550074 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.759394884 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.759527922 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.759601116 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.762780905 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.762885094 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.763010979 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.766252995 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.766300917 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.766477108 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.769588947 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.769730091 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.769778967 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.772994995 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.773150921 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.773503065 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.776401997 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.776530027 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.776580095 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.779850006 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.779911995 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.780025005 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.783233881 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.783338070 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.783391953 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.786598921 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.786714077 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.786813021 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.789956093 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.790069103 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.790210009 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.793303967 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.793412924 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.793453932 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.796658993 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.796737909 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.796819925 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.799976110 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.800081968 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.800230980 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.803359985 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.803412914 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.803539991 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.806624889 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.806725979 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.806833029 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.809941053 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.810040951 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.810209036 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.813288927 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.813420057 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.813468933 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.816750050 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.816838980 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.816891909 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.819941044 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.820050001 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.820168972 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.823342085 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.823471069 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.823961020 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.826607943 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:05.881969929 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:05.882268906 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:06.001763105 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:06.001823902 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:06.669409990 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:06.710074902 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:06.726680994 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:06.846293926 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:07.388613939 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:07.444542885 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:07.524002075 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:07.643471956 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:08.079349041 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:08.131964922 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:08.132287025 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:08.251851082 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:08.685682058 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:08.725675106 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:08.741586924 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:08.861376047 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:09.294445038 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:09.335103989 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:09.350889921 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:09.470558882 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:09.470573902 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.182771921 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.225709915 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:10.242300987 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:10.361917973 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.875829935 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.875894070 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.876116037 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:10.876430035 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.876605034 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.877448082 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:10.877785921 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.877948999 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.878020048 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:10.879154921 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.879452944 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.879821062 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:10.880562067 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.880808115 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.880876064 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:10.881911039 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.882050037 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:10.882142067 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.108778000 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.108863115 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.108911991 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.109144926 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.109258890 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.109302998 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.110498905 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.110835075 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.110883951 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.111897945 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.112035036 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.112093925 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.113214970 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.113359928 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.113420963 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.114634991 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.114717960 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.114806890 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.115983963 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.116059065 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.116106033 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.117295980 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.117383957 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.117455959 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.118655920 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.118741989 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.118788004 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.119956017 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.120069981 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.120163918 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.121308088 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.121432066 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.121478081 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.122652054 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.122735977 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.122819901 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.309570074 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.340759993 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.340827942 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.340857029 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.341351986 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.341398954 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.341444016 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.342581034 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.342627048 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.342667103 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.343835115 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.343909979 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.343975067 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.345237970 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.345251083 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.345283031 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.346589088 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.346679926 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.346726894 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.347878933 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.347923040 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.347995996 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.349278927 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.349363089 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.349658012 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.350634098 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.350711107 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.350732088 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.351938963 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.352015018 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.352087021 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.353298903 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.353347063 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.353384972 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.354641914 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.354688883 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.354727983 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:28:11.397567987 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.428915977 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:28:11.548563957 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:29:12.112443924 CET84404984984.247.147.214192.168.2.6
          Dec 27, 2024 10:29:12.163284063 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:29:12.164088964 CET498498440192.168.2.684.247.147.214
          Dec 27, 2024 10:29:12.283580065 CET84404984984.247.147.214192.168.2.6
          DNS answers (fields: Timestamp, Source IP, Dest IP, Trans ID, Reply Code, Name, CName, Address, Type, Class, DNS over HTTPS)

          Answer 1
          Timestamp:Dec 27, 2024 10:27:57.471467972 CET
          Source IP:1.1.1.1
          Dest IP:192.168.2.6
          Trans ID:0x692c
          Reply Code:No error (0)
          Name:bg.microsoft.map.fastly.net
          CName:(none)
          Address:199.232.214.172
          Type:A (IP address)
          Class:IN (0x0001)
          DNS over HTTPS:false

          Answer 2
          Timestamp:Dec 27, 2024 10:27:57.471467972 CET
          Source IP:1.1.1.1
          Dest IP:192.168.2.6
          Trans ID:0x692c
          Reply Code:No error (0)
          Name:bg.microsoft.map.fastly.net
          CName:(none)
          Address:199.232.210.172
          Type:A (IP address)
          Class:IN (0x0001)
          DNS over HTTPS:false


          Target ID:0
          Start time:04:27:08
          Start date:27/12/2024
          Path:C:\Users\user\Desktop\final.exe
          Wow64 process (32bit):false
          Commandline:"C:\Users\user\Desktop\final.exe"
          Imagebase:0x7ff6cfaf0000
          File size:222'208 bytes
          MD5 hash:B588B3F94591FFAD45B2D809DA200FBE
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: MALWARE_Win_Meterpreter, Description: Detects Meterpreter payload, Source: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp, Author: ditekSHen
          • Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: MALWARE_Win_Meterpreter, Description: Detects Meterpreter payload, Source: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Author: ditekSHen
          • Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
          • Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
          • Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Author: unknown
          • Rule: MALWARE_Win_Meterpreter, Description: Detects Meterpreter payload, Source: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Author: ditekSHen
          Reputation:low
          Has exited:false


            Execution Graph

            Execution Coverage:1.4%
            Dynamic/Decrypted Code Coverage:89.1%
            Signature Coverage:29.8%
            Total number of Nodes:533
            Total number of Limit Nodes:44
57454->57456 57455->57441 57457 21954fe779a 57456->57457 57458 21954ff5db8 memcpy_s 65 API calls 57457->57458 57459 21954fe77bd CryptEncrypt 57458->57459 57460 21954fe77e6 GetLastError 57459->57460 57461 21954fe77ee htonl 57459->57461 57460->57461 57462 21954ff5db8 memcpy_s 65 API calls 57461->57462 57463 21954fe7814 57462->57463 57464 21954ff5db8 memcpy_s 65 API calls 57463->57464 57464->57465 57465->57441 57465->57443 57466->57426 57467->57423 57468->57418 57470 21954fe6bc9 57469->57470 57471 21954fe6bba 57469->57471 57483 21954ff5100 57470->57483 57486 21954ff5aa0 GetSystemTimeAsFileTime 57471->57486 57474 21954fe6bc1 57487 21954ff512c 65 API calls _getptd 57474->57487 57477 21954ff5100 rand 65 API calls 57478 21954fe6c04 57477->57478 57479 21954ff5100 rand 65 API calls 57478->57479 57480 21954fe6c2b 57479->57480 57481 21954ff5100 rand 65 API calls 57480->57481 57482 21954fe6c58 57481->57482 57482->57439 57488 21954ff839c 57483->57488 57486->57474 57487->57470 57493 21954ff83c0 GetLastError 57488->57493 57490 21954ff83a7 57491 21954fe6bd8 57490->57491 57507 21954ff691c 65 API calls 3 library calls 57490->57507 57491->57477 57494 21954ffb2d4 _CRT_INIT TlsGetValue 57493->57494 57495 21954ff83dd 57494->57495 57496 21954ff842c SetLastError 57495->57496 57508 21954ffb7c8 65 API calls _calloc_impl 57495->57508 57496->57490 57498 21954ff83f2 57498->57496 57509 21954ffb2f0 TlsSetValue 57498->57509 57508->57498 57510 21954febb88 57519 21954fe6af8 GetSystemTime SystemTimeToFileTime 57510->57519 57515 21954febc31 57517 21954fe6af8 GetSystemTime SystemTimeToFileTime _DllMainCRTStartup 57518 21954febbba 57517->57518 57518->57515 57518->57517 57520 21954fed590 WaitForSingleObject 57518->57520 57521 21954feb840 57518->57521 57526 21954feb8d8 57518->57526 57561 21954fe11b0 110 API calls _DllMainCRTStartup 57518->57561 57519->57518 57520->57518 57522 21954fed490 _DllMainCRTStartup WaitForSingleObject 57521->57522 57523 21954feb868 select 57522->57523 57524 21954fed4b0 
_DllMainCRTStartup ReleaseMutex 57523->57524 57525 21954feb8b9 57524->57525 57525->57518 57527 21954feb901 __crtGetStringTypeA_stat 57526->57527 57528 21954fed490 _DllMainCRTStartup WaitForSingleObject 57527->57528 57531 21954feb94c 57528->57531 57529 21954feb988 57532 21954febb40 GetLastError 57529->57532 57533 21954feb998 57529->57533 57543 21954feba00 memcpy_s 57529->57543 57530 21954feb958 recv 57530->57531 57556 21954feba48 57530->57556 57531->57529 57531->57530 57535 21954febb55 57532->57535 57536 21954febb4d 57532->57536 57538 21954feb9eb SetLastError 57533->57538 57544 21954feb9a3 57533->57544 57534 21954febb3a SetLastError 57534->57532 57539 21954fed4b0 _DllMainCRTStartup ReleaseMutex 57535->57539 57537 21954ff4158 free 65 API calls 57536->57537 57537->57535 57542 21954febb21 57538->57542 57541 21954febb5e 57539->57541 57540 21954feb9a9 recv 57540->57544 57545 21954feb9cb GetLastError 57540->57545 57541->57518 57542->57532 57547 21954feba27 htonl 57543->57547 57544->57538 57544->57540 57545->57544 57546 21954feb9d8 SetLastError 57545->57546 57546->57532 57546->57538 57548 21954ff4198 malloc 65 API calls 57547->57548 57549 21954feba40 57548->57549 57550 21954ff5db8 memcpy_s 65 API calls 57549->57550 57549->57556 57552 21954feba63 57550->57552 57551 21954feba6e recv 57551->57552 57553 21954feba96 GetLastError 57551->57553 57552->57551 57555 21954febac2 _DllMainCRTStartup 57552->57555 57553->57552 57553->57556 57554 21954febb27 57563 21954fe74bc 78 API calls 4 library calls 57554->57563 57555->57532 57555->57554 57558 21954febaf3 57555->57558 57556->57532 57556->57534 57558->57532 57562 21954fe7d34 69 API calls 57558->57562 57560 21954febb17 SetLastError 57560->57542 57561->57518 57562->57560 57563->57556 57564 21954febd88 57565 21954febdb1 57564->57565 57566 21954febe9e SetHandleInformation 57564->57566 57586 21954ff5568 70 API calls _wcstombs_s_l 57565->57586 57599 21954fe6af8 GetSystemTime SystemTimeToFileTime 57566->57599 57569 21954febeb3 57570 
21954febdd2 57587 21954fe6af8 GetSystemTime SystemTimeToFileTime 57570->57587 57572 21954febdd7 strstr strrchr 57572->57566 57573 21954febe23 strrchr 57572->57573 57574 21954febe61 57572->57574 57596 21954ff62d4 68 API calls strtoxl 57573->57596 57588 21954ff62d4 68 API calls strtoxl 57574->57588 57576 21954febe6a 57578 21954febe6f 57576->57578 57579 21954febe7c 57576->57579 57598 21954feb6d0 13 API calls memcpy_s 57578->57598 57589 21954feb3c0 57579->57589 57581 21954febe40 57597 21954feb4d4 11 API calls 2 library calls 57581->57597 57583 21954febe7a 57583->57566 57583->57569 57585 21954febe5f 57585->57583 57586->57570 57587->57572 57588->57576 57600 21954ff4af0 57589->57600 57592 21954feb426 WSAGetLastError 57594 21954feb4a3 57592->57594 57593 21954feb42e socket gethostbyname inet_ntoa inet_addr htons 57602 21954feb33c 57593->57602 57594->57583 57596->57581 57597->57585 57598->57583 57599->57569 57601 21954feb412 WSAStartup 57600->57601 57601->57592 57601->57593 57612 21954fe6af8 GetSystemTime SystemTimeToFileTime 57602->57612 57604 21954feb365 57613 21954fe6af8 GetSystemTime SystemTimeToFileTime 57604->57613 57606 21954feb36c connect 57607 21954feb382 57606->57607 57608 21954feb39f 57606->57608 57607->57604 57611 21954feb396 closesocket 57607->57611 57614 21954fe6a9c Sleep Sleep 57607->57614 57615 21954fe6af8 GetSystemTime SystemTimeToFileTime 57607->57615 57608->57594 57611->57608 57612->57604 57613->57606 57615->57607 57616 21954fed7e0 57617 21954fed7ed ResumeThread 57616->57617 57618 21954fed7e9 57616->57618 57617->57618 57619 21954fed460 57620 21954fed483 57619->57620 57621 21954fed465 57619->57621 57622 21954fed4b0 _DllMainCRTStartup ReleaseMutex 57621->57622 57623 21954fed472 CloseHandle 57622->57623 57624 21954ff4158 free 65 API calls 57623->57624 57624->57620 57625 21957dc15c0 57626 21957dc15e0 _wctomb_s_l 57625->57626 57627 21957dc161c GetComputerNameA 57626->57627 57628 21957dc1636 GetLastError 57627->57628 57629 21957dc1643 57627->57629 57637 
21957dc18b3 57628->57637 57659 21957dc25d0 57629->57659 57631 21957dc1677 LoadLibraryA 57632 21957dc168c GetProcAddress GetProcAddress 57631->57632 57634 21957dc16c4 57631->57634 57633 21957dc16b4 GetNativeSystemInfo 57632->57633 57632->57634 57633->57634 57635 21957dc1825 NetWkstaGetInfo 57634->57635 57636 21957dc1702 GetProcAddress 57634->57636 57635->57637 57653 21957dc184d 57635->57653 57638 21957dc17d6 57636->57638 57639 21957dc1729 GetLocaleInfoA 57636->57639 57690 21957ddcdb0 92 API calls 5 library calls 57638->57690 57643 21957dc176d GetLocaleInfoA 57639->57643 57644 21957dc174f 57639->57644 57641 21957dc17d4 57649 21957dc1810 57641->57649 57654 21957ddb178 free 67 API calls 57641->57654 57646 21957dc1786 57643->57646 57647 21957dc17a4 57643->57647 57672 21957ddb1b8 57644->57672 57648 21957ddb1b8 malloc 67 API calls 57646->57648 57647->57638 57652 21957dc17b6 57647->57652 57651 21957dc178e GetLocaleInfoA 57648->57651 57649->57635 57655 21957ddb178 free 67 API calls 57649->57655 57650 21957dc1757 GetLocaleInfoA 57650->57643 57651->57647 57689 21957ddcdb0 92 API calls 5 library calls 57652->57689 57657 21957ddb178 free 67 API calls 57653->57657 57654->57649 57655->57635 57658 21957dc18a6 NetApiBufferFree 57657->57658 57658->57637 57691 21957ddb8e0 57659->57691 57661 21957dc25f9 GetModuleHandleA 57662 21957dc261a GetProcAddress 57661->57662 57663 21957dc260b GetLastError 57661->57663 57664 21957dc263a GetLastError 57662->57664 57671 21957dc2651 _wctomb_s_l 57662->57671 57663->57631 57664->57631 57665 21957dc2676 57665->57631 57666 21957dc2852 57694 21957ddcdb0 92 API calls 5 library calls 57666->57694 57667 21957dc2820 57693 21957ddcdb0 92 API calls 5 library calls 57667->57693 57670 21957dc2850 57670->57631 57671->57665 57671->57666 57671->57667 57673 21957ddb1d0 57672->57673 57674 21957ddb24c 57672->57674 57676 21957ddb208 HeapAlloc 57673->57676 57681 21957ddb231 57673->57681 57685 21957ddb1e8 57673->57685 57686 21957ddb236 57673->57686 57698 21957ddfed8 
DecodePointer 57673->57698 57701 21957ddfed8 DecodePointer 57674->57701 57676->57673 57680 21957ddb241 57676->57680 57677 21957ddb251 57702 21957ddfda0 67 API calls _getptd_noexit 57677->57702 57680->57650 57699 21957ddfda0 67 API calls _getptd_noexit 57681->57699 57685->57676 57695 21957ddff14 67 API calls 2 library calls 57685->57695 57696 21957ddff88 67 API calls 6 library calls 57685->57696 57697 21957dded6c GetModuleHandleExW GetProcAddress ExitProcess __crtCorExitProcess 57685->57697 57700 21957ddfda0 67 API calls _getptd_noexit 57686->57700 57689->57641 57690->57641 57692 21957ddb8f0 57691->57692 57692->57661 57692->57692 57693->57670 57694->57670 57695->57685 57696->57685 57698->57673 57699->57686 57700->57680 57701->57677 57702->57680 57703 21957db7660 57704 21957db7682 57703->57704 57707 21957db78c0 GetModuleHandleA GetProcAddress 57704->57707 57706 21957db7690 57708 21957db7905 57707->57708 57709 21957db791d GetAdaptersAddresses 57707->57709 57727 21957db76c0 73 API calls 3 library calls 57708->57727 57711 21957ddb1b8 malloc 67 API calls 57709->57711 57713 21957db794c 57711->57713 57712 21957db7910 57712->57706 57714 21957db7954 57713->57714 57715 21957db795d GetAdaptersAddresses 57713->57715 57714->57706 57716 21957db797c GetLastError 57715->57716 57717 21957db7989 57715->57717 57718 21957db799b 57716->57718 57719 21957db79a2 _wctomb_s_l 57717->57719 57720 21957db7990 57717->57720 57722 21957ddb178 free 67 API calls 57718->57722 57723 21957db79cc GetVersionExA 57719->57723 57728 21957db76c0 73 API calls 3 library calls 57720->57728 57722->57714 57724 21957db79e2 57723->57724 57725 21957db7b5d 57724->57725 57726 21957db7aa3 htonl 57724->57726 57725->57718 57726->57724 57727->57712 57728->57718 57729 21957db7ba0 57730 21957db7bca GetModuleHandleA GetProcAddress 57729->57730 57731 21957ddb1b8 malloc 67 API calls 57730->57731 57732 21957db7c08 57731->57732 57733 21957db7c31 GetLastError 57732->57733 57739 21957db7c3e _itow 57732->57739 57740 21957db7c10 
57732->57740 57734 21957db7f4b 57733->57734 57737 21957ddb178 free 67 API calls 57734->57737 57735 21957db7d50 GetModuleHandleA GetProcAddress 57735->57734 57736 21957db7dd9 InternalGetForwardIpTable2 57735->57736 57738 21957db7de6 GetLastError 57736->57738 57744 21957db7df3 _itow 57736->57744 57737->57740 57738->57734 57739->57735 57741 21957db7cf0 htonl 57739->57741 57741->57739 57742 21957db7e3a GetLastError 57742->57744 57744->57734 57744->57742 57744->57744 57745 21957db7ede htonl 57744->57745 57746 21957db82a0 htonl htonl htonl htonl 57744->57746 57745->57744 57746->57744

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Info$Locale$AddressProc$malloc$ComputerErrorLastLibraryLoadNameNativeSystem_snprintf
            • String ID: %s_%s$GetNativeSystemInfo$GetSystemDefaultLangID$IA64$IsWow64Process$Unknown$kernel32.dll$x64$x86
            • API String ID: 3227938556-198457881
            • Opcode ID: d61d16017b4c316a5310614dfa8ac355e2c69d75cd53264cc4053125f2f673e8
            • Instruction ID: 1c80d79dadbccb0276ec9cf67ad5d0cf01a5d01e8bcbda0013657f594ed9d20f
            • Opcode Fuzzy Hash: d61d16017b4c316a5310614dfa8ac355e2c69d75cd53264cc4053125f2f673e8
            • Instruction Fuzzy Hash: B781D773314B81A1EA7A9B51E86C7D973A6FBA4B84FC44025CE4963794DF3EC685C700

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Cryptmemcpy_s$rand$ErrorLasthtonl$Parammalloc$DestroyDuplicateEncryptRandom_time64
            • String ID:
            • API String ID: 1004770496-0
            • Opcode ID: 536757e0e4d74ae8bebd4fc0368281c311563d31adef33189db2cfd0cfd07d52
            • Instruction ID: 9cb13f866dd0a63e39cb5ceedb808d835d18d294b43ca29f287e7267be312cd5
            • Opcode Fuzzy Hash: 536757e0e4d74ae8bebd4fc0368281c311563d31adef33189db2cfd0cfd07d52
            • Instruction Fuzzy Hash: 6F61AF32200644A7EBA1DF6AE46C7DE77A2F7A9B84F854025CE4DA3B51EF38C485C740

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Crypt$Context$Acquire$DecodeDestroyEncryptErrorFreeImportInfoLastLocalObjectPublicReleasecallocfree
            • String ID: Microsoft Enhanced Cryptographic Provider v1.0
            • API String ID: 1995003288-1948191093
            • Opcode ID: 86348a71941b5ccb4ce4e1005db7dad4ca412435f72da5af6bf57939213d00cc
            • Instruction ID: 9d4077bea68af1853b490d6659cea217875aebf0f75da26e51e9a2d49277a87f
            • Opcode Fuzzy Hash: 86348a71941b5ccb4ce4e1005db7dad4ca412435f72da5af6bf57939213d00cc
            • Instruction Fuzzy Hash: B7518132701740ABF796CF7AA8686ED37A6F799B88F844125DE0963B58EB34C491C740

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$recv$ObjectSingleWaitfreehtonlmallocmemcpy_s
            • String ID:
            • API String ID: 3866035104-0
            • Opcode ID: 261bf08567c0345739ebc6b984987a5760d6242b0b46c19ea545e5013e1adeb6
            • Instruction ID: a74ead5a34e02c130a79a2507c0b95543f55325ce7bc9f627a10949bae7410c2
            • Opcode Fuzzy Hash: 261bf08567c0345739ebc6b984987a5760d6242b0b46c19ea545e5013e1adeb6
            • Instruction Fuzzy Hash: C4719432304641A2EBA2DF6A94AC7EA6392F76DB85FC400359E4E73755EE38C5988700

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ProtectVirtual$AddressProc$LibraryLoad
            • String ID: E$F$G
            • API String ID: 1793461016-338091178
            • Opcode ID: 507d1070e4c45a737aec08b2c717e30df919f12258b0c5ad8a9a9cfbeca39e0a
            • Instruction ID: 0b78e1f66731fdad68a55fada5373541813dfee154f5210923a17b220d24ff1d
            • Opcode Fuzzy Hash: 507d1070e4c45a737aec08b2c717e30df919f12258b0c5ad8a9a9cfbeca39e0a
            • Instruction Fuzzy Hash: 3F514B63A0C6D185D7608B26EC1177EBF90E7DA794F088235EB8987BC5CA3DD205DB04

            Control-flow Graph

            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ProtectVirtual$AddressLibraryLoadProc
            • String ID: A$B$a
            • API String ID: 3300690313-883054411
            • Opcode ID: 0587d3474e72c9ddfb5d6ad485b372bca62f4445df4fb607119e720d7fd62f7b
            • Instruction ID: 346e1f46fc7650edd70df6ca6559d7499003dd29b7d55ee850447c0c0b3770da
            • Opcode Fuzzy Hash: 0587d3474e72c9ddfb5d6ad485b372bca62f4445df4fb607119e720d7fd62f7b
            • Instruction Fuzzy Hash: 4F416C72A0828186E7648B25F84076EBBA4E7D9784F449035EB8ECBF98DA3DC5459B00

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: malloc$ExceptionFilterSleepUnhandled_set_invalid_parameter_handlermemcpystrlen
            • String ID:
            • API String ID: 959198572-0
            • Opcode ID: ceb19fe3a488432c8b1551b84bcbc5cea8ce5ce6f2cf6ec382853e121b565f9e
            • Instruction ID: faf7631fa91cec1897afc3ea2e51ebdec2f4fb8fd83d197d85b6b615356b4883
            • Opcode Fuzzy Hash: ceb19fe3a488432c8b1551b84bcbc5cea8ce5ce6f2cf6ec382853e121b565f9e
            • Instruction Fuzzy Hash: B6517731E09642C2FB919F95E884679A3A2AF49B96F454035CDCCCB396CF3EF8418320

            Control-flow Graph

            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Crypt$ContextErrorLastfree$AcquireDestroyImportRandomReleasecalloc
            • String ID:
            • API String ID: 3461984619-0
            • Opcode ID: 4be7ac936702cc9fac9c671321bcd04e18df2c7142f146a3a3d2a5415c786d98
            • Instruction ID: 91506ace0548d2d007ec3855ea03d1e4c7e31478ce8f11951fa1308d75717f67
            • Opcode Fuzzy Hash: 4be7ac936702cc9fac9c671321bcd04e18df2c7142f146a3a3d2a5415c786d98
            • Instruction Fuzzy Hash: 0D519D72200680A6EBA2DF65E42C3DA33E1FB99B85F844125CF4977B65EF38C5A5C701
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: FrameHandler2LibraryLoad
            • String ID:
            • API String ID: 2889079456-0
            • Opcode ID: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
            • Instruction ID: 3b6dd8e57f5095e20675b4a8b52a384df06b9d1219de338c9c10e97b82a16b14
            • Opcode Fuzzy Hash: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
            • Instruction Fuzzy Hash: 1D12AA72711B40DAEB55CF28D5643AD3BE6FB14788F904129EE4D23BA9EB38D865C700
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 897fa961467e1982a37d83bff4f1e479853ad524e593d0e96e02107750d50967
            • Instruction ID: 5e39b99c1d00195344648efb3e22551354686aa813461bb35f9c403f405f4f4c
            • Opcode Fuzzy Hash: 897fa961467e1982a37d83bff4f1e479853ad524e593d0e96e02107750d50967
            • Instruction Fuzzy Hash: 4CF09BB6928B84CAC660DF59F48054ABBA4F3D9794F50421AFBC893B28DB3CC1648F40
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d9c26f420a070a27776db9401e22a808cf6f39c44704009fcc6a7be001eccab0
            • Instruction ID: 20fce5bf185ba90077fd4eb14b39db380d4b366c3d2c6a4156074c8d202f2a5e
            • Opcode Fuzzy Hash: d9c26f420a070a27776db9401e22a808cf6f39c44704009fcc6a7be001eccab0
            • Instruction Fuzzy Hash: CBE04876918B8486C610DB59F48004ABBB4F3AA794F60451AFACC53B29DB78C1A48F40

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errno$AddressAllocErrorHandleHeapLastModuleProc_callnewhfreemalloc
            • String ID: FreeMibTable$GetIpForwardTable2$Iphlpapi.dll
            • API String ID: 2660982488-3103947123

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: malloc$AdaptersAddressAddressesHandleModuleProc
            • String ID: GetAdaptersAddresses$iphlpapi
            • API String ID: 4282841641-4067604246

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Similarity
            • API ID: ProtectVirtual$AddressLibraryLoadProc
            • String ID: C$D$a
            • API String ID: 3300690313-1257207961

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: CurrentErrorLastOpenProcessThreadTokenfree$AccountLookup_snprintf
            • String ID: %s\%s
            • API String ID: 240425499-4073750446

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: ErrorLastStartupgethostbynamehtonsinet_addrinet_ntoasocket
            • String ID:
            • API String ID: 1867335311-0

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Token$CurrentOpenProcessThread$ErrorInformationLast
            • String ID:
            • API String ID: 632756016-0

            Control-flow Graph

            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: CreateThreadfreemalloc
            • String ID:
            • API String ID: 3849813375-0
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Similarity
            • API ID: Virtual$AddressLibraryLoadProcProtect$Process$AllocCurrentMemoryWrite
            • String ID:
            • API String ID: 3304235953-0
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: ProtectVirtual
            • String ID:
            • API String ID: 544645111-0
            APIs
              • Part of subcall function 0000021954FED490: WaitForSingleObject.KERNEL32(?,?,?,?,0000021954FE5F17,?,?,00000000,0000021954FE5EE7,?,?,000000FF,0000021954FE86A7,?,?,00000000), ref: 0000021954FED49F
            • send.WS2_32 ref: 0000021954FEBF22
            • GetLastError.KERNEL32 ref: 0000021954FEBF2E
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: ErrorLastObjectSingleWaitsend
            • String ID:
            • API String ID: 2747804604-0
            APIs
              • Part of subcall function 0000021954FE6AF8: GetSystemTime.KERNEL32(?,?,?,?,?,?,0000021954FEA132), ref: 0000021954FE6B01
              • Part of subcall function 0000021954FE6AF8: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,0000021954FEA132), ref: 0000021954FE6B11
            • connect.WS2_32 ref: 0000021954FEB375
              • Part of subcall function 0000021954FE6A9C: Sleep.KERNEL32(?,?,00000000,0000021954FEA381), ref: 0000021954FE6AC8
            • closesocket.WS2_32 ref: 0000021954FEB399
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: Time$System$FileSleepclosesocketconnect
            • String ID:
            • API String ID: 1644115700-0
            APIs
            • malloc.LIBCMT ref: 0000021954FED423
              • Part of subcall function 0000021954FF4198: _FF_MSGBANNER.LIBCMT ref: 0000021954FF41C8
              • Part of subcall function 0000021954FF4198: _NMSG_WRITE.LIBCMT ref: 0000021954FF41D2
              • Part of subcall function 0000021954FF4198: HeapAlloc.KERNEL32(?,?,00000000,0000021954FFB878,?,?,?,0000021954FFBADC,?,?,?,0000021954FFB9DB), ref: 0000021954FF41ED
              • Part of subcall function 0000021954FF4198: _callnewh.LIBCMT ref: 0000021954FF4206
              • Part of subcall function 0000021954FF4198: _errno.LIBCMT ref: 0000021954FF4211
              • Part of subcall function 0000021954FF4198: _errno.LIBCMT ref: 0000021954FF421C
            • CreateMutexExW.KERNEL32(?,?,00000000,0000021954FE818D,?,?,000000FF,0000021954FEA10D), ref: 0000021954FED445
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: _errno$AllocCreateHeapMutex_callnewhmalloc
            • String ID:
            • API String ID: 845756553-0
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: CloseHandlefree
            • String ID:
            • API String ID: 3486141430-0
            APIs
              • Part of subcall function 0000021954FED4B0: ReleaseMutex.KERNEL32(?,?,?,?,0000021954FED472,?,?,00000000,0000021954FE81CD,?,?,000000FF,0000021954FEA10D), ref: 0000021954FED4BC
            • CloseHandle.KERNEL32(?,?,00000000,0000021954FE81CD,?,?,000000FF,0000021954FEA10D), ref: 0000021954FED475
            • free.LIBCMT ref: 0000021954FED47E
              • Part of subcall function 0000021954FF4158: RtlFreeHeap.NTDLL(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF416E
              • Part of subcall function 0000021954FF4158: _errno.LIBCMT ref: 0000021954FF4178
              • Part of subcall function 0000021954FF4158: GetLastError.KERNEL32(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF4180
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: CloseErrorFreeHandleHeapLastMutexRelease_errnofree
            • String ID:
            • API String ID: 1340716177-0
            APIs
              • Part of subcall function 0000021954FED490: WaitForSingleObject.KERNEL32(?,?,?,?,0000021954FE5F17,?,?,00000000,0000021954FE5EE7,?,?,000000FF,0000021954FE86A7,?,?,00000000), ref: 0000021954FED49F
            • select.WS2_32 ref: 0000021954FEB8A8
              • Part of subcall function 0000021954FED4B0: ReleaseMutex.KERNEL32(?,?,?,?,0000021954FED472,?,?,00000000,0000021954FE81CD,?,?,000000FF,0000021954FEA10D), ref: 0000021954FED4BC
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: MutexObjectReleaseSingleWaitselect
            • String ID:
            • API String ID: 3242039827-0
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Similarity
            • API ID: ResumeThread
            • String ID:
            • API String ID: 947044025-0
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$malloc$AddressCloseCreateHandlePipeProccallocmbstowcs$LibraryLoadOpenProcess_snprintf
            • String ID: %s\%s$CreateEnvironmentBlock$CreateProcessWithTokenW$DestroyEnvironmentBlock$InitializeProcThreadAttributeList$UpdateProcThreadAttribute$WTSQueryUserToken$[execute] InitializeProcThreadAttributeList: [%d]$[execute] UpdateProcThreadAttribute: [%d]$advapi32.dll$kernel32.dll$process$userenv.dll$wtsapi32.dll
            • API String ID: 107160605-350882186
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLastProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
            • String ID: SeAssignPrimaryTokenPrivilege$SeAuditPrivilege$SeBackupPrivilege$SeChangeNotifyPrivilege$SeCreateGlobalPrivilege$SeCreatePagefilePrivilege$SeCreatePermanentPrivilege$SeCreateSymbolicLinkPrivilege$SeCreateTokenPrivilege$SeDebugPrivilege$SeDelegateSessionUserImpersonatePrivilege$SeEnableDelegationPrivilege$SeImpersonatePrivilege$SeIncreaseBasePriorityPrivilege$SeIncreaseQuotaPrivilege$SeIncreaseWorkingSetPrivilege$SeLoadDriverPrivilege$SeLockMemoryPrivilege$SeMachineAccountPrivilege$SeManageVolumePrivilege$SeProfileSingleProcessPrivilege$SeRelabelPrivilege$SeRemoteShutdownPrivilege$SeRestorePrivilege$SeSecurityPrivilege$SeShutdownPrivilege$SeSyncAgentPrivilege$SeSystemEnvironmentPrivilege$SeSystemProfilePrivilege$SeSystemtimePrivilege$SeTakeOwnershipPrivilege$SeTcbPrivilege$SeTimeZonePrivilege$SeTrustedCredManAccessPrivilege$SeUndockPrivilege$SeUnsolicitedInputPrivilege
            • API String ID: 1944759421-3792899055
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$AttributesDirectoryFileRemovelstrcmpi
            • String ID: %s*.*$%s\%s$%s\*.*$\$\*.*
            • API String ID: 626095338-4183413870
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: State$FormatProcessTimeWindow_snwprintf$AsyncChildCloseDateEnumForegroundHandleKeyboardOpenSystemThreadWindows
            • String ID: **-[ %s | PID: %d-[ @ %s %s UTC**$%ls$<%ls>$<^%ls>$Logging started
            • API String ID: 3707447748-1085417204
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: CloseHandleProcess$OpenToken$AdjustCurrentErrorLastLookupPrivilegePrivilegesValuefree
            • String ID: @$SeDebugPrivilege
            • API String ID: 1310624317-3223528420
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$CloseHandleLibrary$AddressAllocFreeLoadProcResumeSleepThreadVirtualmalloc
            • String ID: @$NtQueueApcThread$ntdll
            • API String ID: 788658222-2122203831
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _snprintffreestrrchr$ErrorLast_errno_invalid_parameter_noinfo_output_s_lmalloc
            • String ID: %s\%s$%s\*
            • API String ID: 3538828039-2848263008
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: closesocketfreemalloc
            • String ID:
            • API String ID: 2077312491-0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: AddressProc$CloseHandleLibraryProcessToken$AdjustCurrentFreeLoadLookupOpenPrivilegePrivilegesValuewcsstr
            • String ID: CreateToolhelp32Snapshot$Process32FirstW$Process32NextW$SeDebugPrivilege$csrss.exe$kernel32
            • API String ID: 3269807286-2225489067
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Find$File$freeswprintf$CloseErrorFirstLastNextcalloc
            • String ID: $%s\%s$%s\*.*
            • API String ID: 4266919821-2005348348
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressHandleModuleProcReadResumeTerminate
            • String ID: @$NtUnmapViewOfSection$ntdll.dll
            • API String ID: 2043341788-1860678162
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Resource$ErrorFileLastLoad$AttributesDeleteEnvironmentExpandFindLibraryLockSizeofStringsfclosefwrite
            • String ID: %TEMP%\hook.dll$IMG
            • API String ID: 2872302291-3642725959
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: CloseProcessStationWindow$CurrentDesktop
            • String ID:
            • API String ID: 1313067402-0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: CreateInitializeInstance
            • String ID: NullRenderer$SampleGrabber$WebCam$vids
            • API String ID: 3519745914-1378241838
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: AddressCreateErrorEventHandleHeapLastModuleProcProcess
            • String ID: @
            • API String ID: 892381570-2766056989
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Crypt$ContextErrorLast$AcquireDestroyHashReleasefclose
            • String ID:
            • API String ID: 1196782254-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: closesocketfreemalloc
            • String ID:
            • API String ID: 2077312491-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Crypt_errnohtonl$DestroyDuplicateErrorLast_calloc_implcalloc
            • String ID:
            • API String ID: 303704353-0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: State$AsyncKeyboardNameText_snwprintf
            • String ID: %ls$<%ls>$<^%ls>
            • API String ID: 819054474-3418244432
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Handle$AddressCloseErrorLastModuleOpenProcProcess
            • String ID: @
            • API String ID: 2874160401-2766056989
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Variant$ClearCreateErrorInitInitializeInstanceLastUninitializeWcsftime
            • String ID: FriendlyName
            • API String ID: 958359432-3623505368
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
            • String ID: SeShutdownPrivilege
            • API String ID: 3672536310-3733053543
            • Opcode ID: e6058901e5fb28a31204120e572d961cf1c969e80c36a7bb041349746026fb86
            • Instruction ID: fe6dfa927083b1a9aab59fe28a9508a0cd0b3d9732bdd94f33a7e2f2df367866
            • Opcode Fuzzy Hash: e6058901e5fb28a31204120e572d961cf1c969e80c36a7bb041349746026fb86
            • Instruction Fuzzy Hash: DB31C572204B4192EB258F22F8587DE63A6F798B84FD84025DE49A7764DF3DD185CB00
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLastVirtual$AllocFree$Version
            • String ID:
            • API String ID: 3256425159-0
            • Opcode ID: 77679a5fb3e1c1ab315c02acde03835fae1c16f4b851e5c0e808603718184e39
            • Instruction ID: 52d42e21441218180e2507137f1c5f06a23a0d94cba49becb9d1e3bf3f74bd07
            • Opcode Fuzzy Hash: 77679a5fb3e1c1ab315c02acde03835fae1c16f4b851e5c0e808603718184e39
            • Instruction Fuzzy Hash: A5419331304A00A6F7A6CB26E86CBD962A2F7ADB81FD44035DE4E63761EF39C5958740
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9D0E
            • SetEntriesInAclW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9D62
            • AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DAC
            • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DBE
            • InitializeAcl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DD1
              • Part of subcall function 0000021954FE9880: LoadLibraryA.KERNEL32(?,?,?,?,00000000,0000021954FE9DF3), ref: 0000021954FE98B9
              • Part of subcall function 0000021954FE9880: GetProcAddress.KERNEL32(?,?,?,?,00000000,0000021954FE9DF3), ref: 0000021954FE98CE
            • LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DFB
            • InitializeSecurityDescriptor.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9E0C
            • SetSecurityDescriptorDacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9E21
            • SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9E35
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Initialize$DescriptorSecurity$AllocAllocateLocal$AddressDaclEntriesLibraryLoadProcSacl
            • String ID:
            • API String ID: 2917215309-0
            • Opcode ID: 3e0dc7a48cc64f17c8737a42c11a4634ec3bcfb1b0654e2be72749e9e126e212
            • Instruction ID: 45c6e9b2490b8419cb8ad29fcbe22d2f2647fcb0addb0580a7fcd159550040b9
            • Opcode Fuzzy Hash: 3e0dc7a48cc64f17c8737a42c11a4634ec3bcfb1b0654e2be72749e9e126e212
            • Instruction Fuzzy Hash: 10415E72201781EBE721CF20E458BCE77B9F799788F805118EB8917B28DB39C159CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Find$ErrorFileLast$CloseFirstNext_vswprintf_s_lswprintf
            • String ID: %s\%s
            • API String ID: 1768775470-4073750446
            • Opcode ID: 65e647714a9457902db9632cff63c9a7d3b588161277f13fc15a91db76c95323
            • Instruction ID: 24c1599a138aa0921d7a18e3f2f4feb873c6577b280ba7d5dc3d6dc45586ce95
            • Opcode Fuzzy Hash: 65e647714a9457902db9632cff63c9a7d3b588161277f13fc15a91db76c95323
            • Instruction Fuzzy Hash: 59318633104640A5D67A9F11A8686ED7362F768BA0FC44511F99D27AD4DF3AE7C5CB00
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Drive$DiskErrorFreeLastLogicalNameSpaceStringsTypeUniversalfreemalloc
            • String ID:
            • API String ID: 2456301943-0
            • Opcode ID: 10341e06ab8650c73411dc1875913576874542e8597a1e5bbb13f0b0848d5f36
            • Instruction ID: 3518f6cd94cca1d12f6355a2c581b027e2e6c5b47d06b222bdeaad30b2bfb91a
            • Opcode Fuzzy Hash: 10341e06ab8650c73411dc1875913576874542e8597a1e5bbb13f0b0848d5f36
            • Instruction Fuzzy Hash: 66518F32214B8592EB399B52A4683DD6762F795B84FD04026CF4A67B94EF3EC689C700
            APIs
            • GetProcessHeap.KERNEL32 ref: 0000021954FF3C80
              • Part of subcall function 0000021954FF3DAC: GetProcessHeap.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3DBD
              • Part of subcall function 0000021954FF3DAC: HeapAlloc.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3DEA
              • Part of subcall function 0000021954FF3DAC: GetModuleHandleA.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E07
              • Part of subcall function 0000021954FF3DAC: LoadLibraryA.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E1C
              • Part of subcall function 0000021954FF3DAC: HeapFree.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3ED2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Heap$Process$AllocFreeHandleLibraryLoadModule
            • String ID: IoCompletion
            • API String ID: 376688017-2167567656
            • Opcode ID: 6fe9e8b7abb9e389a92c2bd2e2ba2e19bae14d9ed8b5c32e194542f777d0c4dc
            • Instruction ID: 0e31d4d88417070e80103483c8e009b36b02f2278972ed84c036e03c695a62e0
            • Opcode Fuzzy Hash: 6fe9e8b7abb9e389a92c2bd2e2ba2e19bae14d9ed8b5c32e194542f777d0c4dc
            • Instruction Fuzzy Hash: E931A271700744A3F7528B2AA86C3DA6692B7AAFE4F884125DE1D777A5EF38C5858300
            APIs
              • Part of subcall function 0000021954FE9E60: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE9F53), ref: 0000021954FE9E7F
              • Part of subcall function 0000021954FE9E60: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE9F53), ref: 0000021954FE9E91
              • Part of subcall function 0000021954FE9E60: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE9F53), ref: 0000021954FE9E9B
            • CreateNamedPipeA.KERNEL32 ref: 0000021954FE9FA1
            • CreateNamedPipeA.KERNEL32 ref: 0000021954FE9FFC
            • GetLastError.KERNEL32 ref: 0000021954FEA00F
              • Part of subcall function 0000021954FE9CB4: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9D0E
              • Part of subcall function 0000021954FE9CB4: SetEntriesInAclW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9D62
              • Part of subcall function 0000021954FE9CB4: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DAC
              • Part of subcall function 0000021954FE9CB4: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DBE
              • Part of subcall function 0000021954FE9CB4: InitializeAcl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DD1
              • Part of subcall function 0000021954FE9CB4: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DFB
              • Part of subcall function 0000021954FE9CB4: InitializeSecurityDescriptor.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9E0C
              • Part of subcall function 0000021954FE9CB4: SetSecurityDescriptorDacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9E21
              • Part of subcall function 0000021954FE9CB4: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9E35
            • CreateEventW.KERNEL32 ref: 0000021954FEA025
            • CreateEventW.KERNEL32 ref: 0000021954FEA040
              • Part of subcall function 0000021954FE9E60: LookupPrivilegeValueW.ADVAPI32 ref: 0000021954FE9EAC
              • Part of subcall function 0000021954FE9E60: AdjustTokenPrivileges.ADVAPI32 ref: 0000021954FE9EF1
              • Part of subcall function 0000021954FE9E60: CloseHandle.KERNEL32 ref: 0000021954FE9F09
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: CreateInitialize$DescriptorSecurity$AllocAllocateErrorEventLastLocalNamedPipeProcessToken$AdjustCloseCurrentDaclEntriesHandleLookupOpenPrivilegePrivilegesSaclValue
            • String ID: SeSecurityPrivilege
            • API String ID: 2580897795-2333288578
            • Opcode ID: c0a90f85d8111a44e6b8cbd811343e2e48d8ac8e4059c34d7401d3d578086b2b
            • Instruction ID: 54769d3d51c2e307c8836e8cdb5c0024de493a914654ebec23209292fb3a051f
            • Opcode Fuzzy Hash: c0a90f85d8111a44e6b8cbd811343e2e48d8ac8e4059c34d7401d3d578086b2b
            • Instruction Fuzzy Hash: A8317732604741A3EB92CF68F4687DA77A2F769355F900235EB5D13B95EB38C1A48B00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
            • String ID: SeDebugPrivilege
            • API String ID: 3038321057-2896544425
            • Opcode ID: 0b8505b3e389b9134e3f59458fb6ce0beccf35feec147dbc47654f66b675d623
            • Instruction ID: 5b184281a77b46e19fa9bf0c8215ba111108aec19f9891ba44ea02f808885391
            • Opcode Fuzzy Hash: 0b8505b3e389b9134e3f59458fb6ce0beccf35feec147dbc47654f66b675d623
            • Instruction Fuzzy Hash: 2F21A633304B4592EB198F26B46879E77A2F798BC0FC44025EA4E67754DF79C584CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLastVirtual$AllocMemoryProcessProtectWrite
            • String ID: @
            • API String ID: 3698175283-2766056989
            • Opcode ID: e4fa63e5e9d5846121dc159aa26e75dea73eb0a7e132a94be6e4f48d1a2812a0
            • Instruction ID: d32af60475c0e0e516e56f39c4eb8cb21daab4213d9ecc3a4ea920bcba541467
            • Opcode Fuzzy Hash: e4fa63e5e9d5846121dc159aa26e75dea73eb0a7e132a94be6e4f48d1a2812a0
            • Instruction Fuzzy Hash: 0711BF72300F4192E6358F12B818A8AA7A2B759FD4FC80025EF8C67768DF39D685CB04
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$Device_errno$AllocDriverDriversEnumFileHeapName_callnewhmalloc
            • String ID:
            • API String ID: 3108112982-0
            • Opcode ID: 6a82ede4a5cce2ca9fba0610594ab6970d11fdb9926c52d1d54ebbd9294b6b7f
            • Instruction ID: 98a43ed3e0e9fe8243a7e846217448b126946114e725251cdd02c6ddd783b280
            • Opcode Fuzzy Hash: 6a82ede4a5cce2ca9fba0610594ab6970d11fdb9926c52d1d54ebbd9294b6b7f
            • Instruction Fuzzy Hash: B4419E76204BC592EA359B12E8687DA63A6F7A4BC8FC04029CF8D63795DF39C285C714
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
            • String ID:
            • API String ID: 3398352648-0
            • Opcode ID: c221d4536eda60f3cb7af6df3fd0b568ad983bae2d2a2312475f6d7132335152
            • Instruction ID: 741dec0be5e2f8cfa8c98c6eb96dda146c738f862c3a5460fefff2041eda1807
            • Opcode Fuzzy Hash: c221d4536eda60f3cb7af6df3fd0b568ad983bae2d2a2312475f6d7132335152
            • Instruction Fuzzy Hash: 03212832710B00AAFB51CB71E8586CE33B5F358B88F984526DE4DA3B28DF38C5858750
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: incorrect data check$incorrect header check$invalid window size$need dictionary$need more for packet flush$unknown compression method
            • API String ID: 0-180575908
            • Opcode ID: 8cf2268b0b23cfcc319c5f15693c9241eb1696f00c0a6317e88dbc963bb49e47
            • Instruction ID: 7c316d56c19e0f02ae4863e576229528ab61ca07e31743dcc6c89e54d6b6bed3
            • Opcode Fuzzy Hash: 8cf2268b0b23cfcc319c5f15693c9241eb1696f00c0a6317e88dbc963bb49e47
            • Instruction Fuzzy Hash: 49D161B3100A4497E7E58F2DD4A839877E1F359F59F958126CA0CA7798EB38C8A1CB50
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: incorrect data check$incorrect header check$invalid window size$need dictionary$need more for packet flush$unknown compression method
            • API String ID: 0-180575908
            • Opcode ID: 8cf2268b0b23cfcc319c5f15693c9241eb1696f00c0a6317e88dbc963bb49e47
            • Instruction ID: b909e5d28f368cf9881a42b0ab24d4f90b444457e89436722705cafd56633ae6
            • Opcode Fuzzy Hash: 8cf2268b0b23cfcc319c5f15693c9241eb1696f00c0a6317e88dbc963bb49e47
            • Instruction Fuzzy Hash: E9D13FB311064897FB668F2DC4A43587BF1F358FA8F958115DA0DA73A9DB38C891CB50
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: incorrect data check$incorrect header check$invalid window size$need dictionary$need more for packet flush$unknown compression method
            • API String ID: 0-180575908
            • Opcode ID: 8cf2268b0b23cfcc319c5f15693c9241eb1696f00c0a6317e88dbc963bb49e47
            • Instruction ID: 05afd5625fc0860c59df075a222d279893f94c8a08f1b7d4d4f5a48665982195
            • Opcode Fuzzy Hash: 8cf2268b0b23cfcc319c5f15693c9241eb1696f00c0a6317e88dbc963bb49e47
            • Instruction Fuzzy Hash: 4CD16EB3504A8586EB688F29C59022C77F0F749F59F568135CA4EC73A8DF78D851CB60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: wcsstr$_errno_invalid_parameter_noinfo
            • String ID: file:$iehistory:$mapi:
            • API String ID: 409387605-1942739989
            • Opcode ID: 8f2e0dcacb17a4cc9a80030cee9d965110b4eadd185ccebe005fbd2464d70260
            • Instruction ID: cf016c19893cb73cab1f0da0c55782f163aeea55c6c927db0588f6b650c03ba9
            • Opcode Fuzzy Hash: 8f2e0dcacb17a4cc9a80030cee9d965110b4eadd185ccebe005fbd2464d70260
            • Instruction Fuzzy Hash: F3C15933200B8196EB35CF65E4687DD37A5F798B88F904115DA8D6BB98DF7AC285C700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLastacceptbindclosesocketlisten
            • String ID:
            • API String ID: 3590725066-0
            • Opcode ID: 2962b24761c8496bfc89598e3310068c15f196740ef48667076fefa36fd2a119
            • Instruction ID: ef23237b5fc65e49336e0eeeb9257126a9f68c7d4164e658e576902acaaf33aa
            • Opcode Fuzzy Hash: 2962b24761c8496bfc89598e3310068c15f196740ef48667076fefa36fd2a119
            • Instruction Fuzzy Hash: 8AF08630614A4093F696CB79A56C2A92252A7697B2FD44320E97A637F5DF3884D64600
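The per-function entries above each carry an "API ID" (a '$'-separated bag of API name fragments, with each group sorted alphabetically) and a "String ID" (referenced strings joined with '$'). Read together they reveal capabilities faster than the raw call lists: OpenProcessToken/LookupPrivilegeValue/AdjustTokenPrivileges next to SeDebugPrivilege or SeShutdownPrivilege, VirtualAlloc/WriteProcessMemory/VirtualProtect, bind/listen/accept, or CreateNamedPipe with a hand-built security descriptor. The following script is an added triage helper, not part of this report or of Joe Sandbox; the rule table, the labels, the ATT&CK mapping and the sample report text (constructed from entries visible on this page) are all the editor's assumptions.

```python
"""Capability triage over Joe Sandbox "Similarity" entries (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    label: str
    api_words: frozenset      # every fragment must occur in the normalised API ID
    string_pattern: str = ""  # optional regex that the String ID must match
    attack: str = ""          # ATT&CK technique (assumed mapping, "" if unsure)


# Assumed rule table; fragments are matched as substrings of the lower-cased
# API ID with the '$' group separators removed, so group membership is irrelevant.
RULES = (
    Rule("token-privilege-adjust",
         frozenset({"processtoken", "adjust", "privileges", "lookup"}),
         r"^Se\w+Privilege$", "T1134"),
    Rule("system-shutdown", frozenset({"exit", "windows"}),
         r"^SeShutdownPrivilege$"),
    Rule("remote-memory-write",
         frozenset({"virtual", "alloc", "write", "memory", "protect"}),
         "", "T1055"),
    Rule("tcp-listener", frozenset({"bind", "listen", "accept"})),
    Rule("named-pipe-with-custom-acl",
         frozenset({"namedpipe", "descriptor", "security", "dacl"})),
    Rule("filesystem-walk", frozenset({"find", "file", "first", "next"}),
         "", "T1083"),
)


def normalize(api_id):
    """Lower-case the API ID and drop everything that is not a name character."""
    return re.sub(r"[^a-z0-9_]", "", api_id.lower())


def classify(api_id, string_id=""):
    """Return the labels of every rule satisfied by one API ID / String ID pair."""
    blob = normalize(api_id)
    hits = []
    for rule in RULES:
        if not all(word in blob for word in rule.api_words):
            continue
        if rule.string_pattern and not re.search(rule.string_pattern, string_id):
            continue
        hits.append(rule.label)
    return hits


def parse_similarity_blocks(text):
    """Extract (API ID, String ID) pairs from report text in this page's layout:
    an '• API ID:' line followed by a '• String ID:' line."""
    pairs, api_id = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("• API ID:"):
            api_id = line[len("• API ID:"):].strip()
        elif line.startswith("• String ID:") and api_id is not None:
            pairs.append((api_id, line[len("• String ID:"):].strip()))
            api_id = None
    return pairs


def triage(entries):
    """Map each label to the String IDs of the functions that triggered it."""
    summary = {}
    for api_id, string_id in entries:
        for label in classify(api_id, string_id):
            summary.setdefault(label, []).append(string_id)
    return summary


# Constructed sample in the page's own layout (three entries copied from above).
SAMPLE_REPORT = """\
• API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
• String ID: SeShutdownPrivilege
• API String ID: 3672536310-3733053543
• API ID: ErrorLastVirtual$AllocMemoryProcessProtectWrite
• String ID: @
• API String ID: 3698175283-2766056989
• API ID: ErrorLastacceptbindclosesocketlisten
• String ID:
• API String ID: 3590725066-0
"""

if __name__ == "__main__":
    for label, strings in sorted(triage(parse_similarity_blocks(SAMPLE_REPORT)).items()):
        print(f"{label:28s} {len(strings)} function(s)  strings={strings}")
```

Because the API ID is an alphabetised bag of fragments rather than a call sequence, the rules match co-occurrence, not order; treat a hit as a prompt to open the function's APIs list (as with the CreateNamedPipeA entry above, which also pulls in the privilege-adjust subcall), not as proof of behaviour on its own.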
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: callocfree
            • String ID: Microsoft Enhanced Cryptographic Provider v1.0
            • API String ID: 306872129-1948191093
            • Opcode ID: b273a615b39022b41ce68c06b810540ba1eee57a95d1184d7d3678b906281aac
            • Instruction ID: c8b0ae48797622dd0b398ad418af64a042ec915e06b61e0e5a2fa0e747a14171
            • Opcode Fuzzy Hash: b273a615b39022b41ce68c06b810540ba1eee57a95d1184d7d3678b906281aac
            • Instruction Fuzzy Hash: 1F51D032711740AAF711CF75A868AED3FB6F799B88F840125DE1967B59DB38C481C740
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: callocfree
            • String ID: Microsoft Enhanced Cryptographic Provider v1.0
            • API String ID: 306872129-1948191093
            • Opcode ID: b273a615b39022b41ce68c06b810540ba1eee57a95d1184d7d3678b906281aac
            • Instruction ID: 59c8d8fa2430f0df865c3f6d6b88e5914dc8a7b48214810bea18adcc0b38a19e
            • Opcode Fuzzy Hash: b273a615b39022b41ce68c06b810540ba1eee57a95d1184d7d3678b906281aac
            • Instruction Fuzzy Hash: 60517D32B047428AE794CFA5A8509BD7BB5FB89B89F044135DE9D87B48DF38D441C760
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Time$InformationLocalZone_snwprintf_s_vsnprintf_s_l
            • String ID: %d-%02d-%02d %02d:%02d:%02d.%d %S (UTC%s%d)
            • API String ID: 3645815937-3952767286
            • Opcode ID: f604f099a605e8d491d0025adc00f255eb96ab1c42a2837c12d9a4f8c05270ee
            • Instruction ID: 6e8622fbc3b1e38d7b8dd733ad84a55eb8059de432e6f69478b320e9159a1376
            • Opcode Fuzzy Hash: f604f099a605e8d491d0025adc00f255eb96ab1c42a2837c12d9a4f8c05270ee
            • Instruction Fuzzy Hash: 70417B7321878496D725CF26E45479EBBE1F398780F90412AEB8953B68DB3DC245CF00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: signal
            • String ID: CCG
            • API String ID: 1946981877-1584390748
            • Opcode ID: 4cfffa02bae35398f1b45c27ff80c55eda14475b69abb5357ebd2ce2568ececa
            • Instruction ID: 6f49774698b069ba1681f11c925ee02e9a82a8edf4fcdb431612033f20590210
            • Opcode Fuzzy Hash: 4cfffa02bae35398f1b45c27ff80c55eda14475b69abb5357ebd2ce2568ececa
            • Instruction Fuzzy Hash: 93219CA1E08106C7FAE85EE54451378A3D1DF89362F18867AD99DCF3D5DD2CA8838331
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Virtual$AllocCreateMemoryProcessProtectRemoteThreadWrite
            • String ID:
            • API String ID: 1113946311-0
            • Opcode ID: aa14c4fb38ac3394644739bda08455861bd088babe5acd8fb09608007883f2a6
            • Instruction ID: bc921d74190a26f6b4f586cc5e902acc6f2b7f346d88e356583f652736402cde
            • Opcode Fuzzy Hash: aa14c4fb38ac3394644739bda08455861bd088babe5acd8fb09608007883f2a6
            • Instruction Fuzzy Hash: B6219E35305B54A2FBA6CF16A468BA976E6B75DFC0F9841359E4C23B14EF38C991CB00
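The record above, with API ID Virtual$AllocCreateMemoryProcessProtectRemoteThreadWrite and a Yara match, is the function behind the report's "inject code into remote processes" signature. The following Python is an added example and not part of the Joe Sandbox report or of the analysed sample: it parses records in the listing format used on this page, flags functions whose API-name fragments cover a capability of interest (the injection set here, the ClearEventLog function listed later), and collects Opcode IDs that appear in more than one memory dump, as the zlib inflate function below does at 0000021955170000 and 00007FF6CFAF4000. The capability patterns and the record-field handling are this example's own assumptions about the listing format; the sample input is copied from records on this page with the unused lines (Associated dumps, snapshot file, similarity IDs) left out.

```python
"""Triage helper for the per-function records of a Joe Sandbox report (added
example, not Joe Sandbox's own code): parses '• API ID', '• Opcode ID',
'• Instruction Fuzzy Hash', '• Source File' and the call lines under 'APIs',
then reports capabilities of interest and Opcode IDs shared between dumps."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Capability patterns are this example's own choice; Joe Sandbox builds the API ID
# from CamelCase fragments of the resolved API names, grouped by frequency, '$'-separated.
CAPABILITIES = {
    "remote thread injection": {"Virtual", "Alloc", "Write", "Process", "Memory", "Remote", "Thread"},
    "event log clearing": {"Clear", "Event"},
}

_KV = re.compile(r"^•\s+([A-Za-z ]+?):\s*(.*)$")
_CALL = re.compile(r"^•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?"
                   r"(\w+)\.(\w+)(?:\(.*\))?,?\s+ref:\s+([0-9A-Fa-f]+)$")
_OFFSET = re.compile(r"Offset: ([0-9A-Fa-f]+)")
_FRAG = re.compile(r"[A-Z][a-z0-9]*|[a-z_][a-z0-9_]*")

@dataclass
class FunctionRecord:
    fields: dict = field(default_factory=dict)
    calls: list = field(default_factory=list)  # (api, module, call-site address)
    yara: bool = False

    @property
    def opcode_id(self):
        return self.fields.get("Opcode ID", "")

    @property
    def dump(self):  # base address of the dump the function was lifted from
        m = _OFFSET.search(self.fields.get("Source File", ""))
        return m.group(1) if m else ""

    def api_fragments(self):
        return set(_FRAG.findall(self.fields.get("API ID", "").replace("$", " ")))

def parse_records(text):
    """Split the listing into records; a record ends at its Instruction Fuzzy Hash."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Yara matches":
            cur.yara = True
        elif (m := _CALL.match(line)):
            cur.calls.append((m.group(1), m.group(2), m.group(3)))
        elif (m := _KV.match(line)):
            cur.fields[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records

def capabilities(records):
    """Map each capability to the (dump base, Opcode ID) pairs whose API set covers it."""
    hits = defaultdict(list)
    for r in records:
        frags = r.api_fragments()
        for name, needed in CAPABILITIES.items():
            if needed <= frags:
                hits[name].append((r.dump, r.opcode_id))
    return dict(hits)

def shared_opcode_ids(records):
    """Opcode IDs seen in more than one dump (the same function body present in two regions)."""
    dumps = defaultdict(set)
    for r in records:
        if r.opcode_id:
            dumps[r.opcode_id].add(r.dump)
    return {oid: sorted(d) for oid, d in dumps.items() if len(d) > 1}

# Constructed input: five records copied from this report, without the lines the
# parser does not use (Associated dumps, snapshot file, similarity IDs).
SAMPLE = """\
• GetLastError.KERNEL32 ref: 0000021957DC632A
• free.LIBCMT ref: 0000021957DC6385
  • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
• Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
• API ID: ErrorLast$FormatFreeHeapMessage_errnofree
• Opcode ID: 16f104c24d3fd1b47eabaf3941857e72fb4de25b1a9cefe4807c3ba0106ed8a1
• Instruction Fuzzy Hash: BB31A237205F84C6D7A58F29E49038D73A5F388B98F504126DE8D53B28DF39C594CB50
• Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
Yara matches
• API ID: Virtual$AllocCreateMemoryProcessProtectRemoteThreadWrite
• Opcode ID: aa14c4fb38ac3394644739bda08455861bd088babe5acd8fb09608007883f2a6
• Instruction Fuzzy Hash: B6219E35305B54A2FBA6CF16A468BA976E6B75DFC0F9841359E4C23B14EF38C991CB00
• Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
• API ID: ClearErrorEventLast
• Opcode ID: 8d0e3bca98e7226f9964a7b3476bf161f88636ab2a28c041c59cf7da08daded1
• Instruction Fuzzy Hash: 63016236705B4182E7199B53B85829967A2F79CFC0FD98035DE49A3764DE3CD5858300
• Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
• Opcode ID: b39bf7a289c35b82ae3c62de009e1b9b67985e9dfdf386adf07b9a6e347de40f
• Instruction Fuzzy Hash: 4F52D073610A409BF735CF69E0A86AD7BB6F364798F904519DB8B97B85DB38D480CB00
• Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
• Opcode ID: b39bf7a289c35b82ae3c62de009e1b9b67985e9dfdf386adf07b9a6e347de40f
• Instruction Fuzzy Hash: F152BEB3A14A828BE724CF25E64066D77B5FB45399B108539DB8B87B94DFBCE440CB10
"""
```

Run `capabilities(parse_records(SAMPLE))` and `shared_opcode_ids(parse_records(SAMPLE))` on the pasted listing. The pivot uses the Opcode ID rather than the Instruction ID on purpose: on this page the two zlib copies carry the same Opcode ID but different Instruction IDs, so the Opcode ID is the field that survives the code being relocated into another region, and it is the value to search for in other reports.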
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 16f104c24d3fd1b47eabaf3941857e72fb4de25b1a9cefe4807c3ba0106ed8a1
            • Instruction ID: 387160d9a0240ca129b4b492093391a8f99fd573d4d7932fe514b87dd1b32711
            • Opcode Fuzzy Hash: 16f104c24d3fd1b47eabaf3941857e72fb4de25b1a9cefe4807c3ba0106ed8a1
            • Instruction Fuzzy Hash: BB31A237205F84C6D7A58F29E49038D73A5F388B98F504126DE8D53B28DF39C594CB50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Crypt$ContextErrorLast$AcquireDestroyHashReleasefclose
            • String ID:
            • API String ID: 1196782254-0
            • Opcode ID: d169795d55c26b315c5a488ac205db0e03a64bfd7a65e3490f82d4ab695909a6
            • Instruction ID: 8de9405a4d6c087472fa33e8a1adac3e378c20ed0e50925cd4f6f52b3f99934b
            • Opcode Fuzzy Hash: d169795d55c26b315c5a488ac205db0e03a64bfd7a65e3490f82d4ab695909a6
            • Instruction Fuzzy Hash: A521B237211B4091EB6ACB52E8687AD23A2F798BC0FC44425EE4E67B54CE39C685CB00
            APIs
            • GetModuleHandleW.KERNEL32(?,?,?,0000021954FE74A5,?,?,?,?,0000021954FF659A), ref: 0000021954FE7415
            • SetUnhandledExceptionFilter.KERNEL32(?,?,?,0000021954FE74A5,?,?,?,?,0000021954FF659A), ref: 0000021954FE7449
            • ExitProcess.KERNEL32 ref: 0000021954FE745E
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ExceptionExitFilterHandleModuleProcessUnhandled
            • String ID:
            • API String ID: 3470424200-0
            • Opcode ID: c6269571f9423230e7005e19299938f6bc604d11c8158a44725843b88f62c439
            • Instruction ID: e36cf891615d4b9fa29c944101bcd78ca7320553a895e1a4e45861d480dc993d
            • Opcode Fuzzy Hash: c6269571f9423230e7005e19299938f6bc604d11c8158a44725843b88f62c439
            • Instruction Fuzzy Hash: 17F06831100641E3FFE65F35E87D39A73A2A729756FC84039D906662A1DE3CC8D4C601
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: invalid bit length repeat$invalid block type$invalid stored block lengths$too many length or distance symbols
            • API String ID: 0-26694007
            • Opcode ID: c1391f78833404c098f16dfb889da69c3349a9974b7301cab5b6b33420b94831
            • Instruction ID: dff21b92d3b65f47cd187759a0bcb6a268454b919ffd396ba4cc2a5980c4f429
            • Opcode Fuzzy Hash: c1391f78833404c098f16dfb889da69c3349a9974b7301cab5b6b33420b94831
            • Instruction Fuzzy Hash: 1252F573210A40ABE769CF69E46C6AD77B2F365748F914519DF8763B90EB39D480CB00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: invalid bit length repeat$invalid block type$invalid stored block lengths$too many length or distance symbols
            • API String ID: 0-26694007
            • Opcode ID: b39bf7a289c35b82ae3c62de009e1b9b67985e9dfdf386adf07b9a6e347de40f
            • Instruction ID: bf39548527481ce0d5e4caff6762c28813e08b300ab1dd281e4d45bcccd59aa0
            • Opcode Fuzzy Hash: b39bf7a289c35b82ae3c62de009e1b9b67985e9dfdf386adf07b9a6e347de40f
            • Instruction Fuzzy Hash: 4F52D073610A409BF735CF69E0A86AD7BB6F364798F904519DB8B97B85DB38D480CB00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: invalid bit length repeat$invalid block type$invalid stored block lengths$too many length or distance symbols
            • API String ID: 0-26694007
            • Opcode ID: b39bf7a289c35b82ae3c62de009e1b9b67985e9dfdf386adf07b9a6e347de40f
            • Instruction ID: 2d13c34ec01dcf529971872bfa54575cbddccd939180e53a186d4de43ab0b865
            • Opcode Fuzzy Hash: b39bf7a289c35b82ae3c62de009e1b9b67985e9dfdf386adf07b9a6e347de40f
            • Instruction Fuzzy Hash: F152BEB3A14A828BE724CF25E64066D77B5FB45399B108539DB8B87B94DFBCE440CB10
            APIs
            • CryptDestroyKey.ADVAPI32(?,?,00000000,0000021954FE8216,?,?,00000002,0000021954FEA3B8), ref: 0000021954FE7AE6
            • CryptReleaseContext.ADVAPI32(?,?,00000000,0000021954FE8216,?,?,00000002,0000021954FEA3B8), ref: 0000021954FE7AFD
            • free.LIBCMT ref: 0000021954FE7B0A
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Crypt$ContextDestroyReleasefree
            • String ID:
            • API String ID: 290532017-0
            • Opcode ID: c5cc86a71744da32e750a1e961e94fb5223222249f7a05fc89cb01266f1832b6
            • Instruction ID: c0e86de4185f91ed2016db1fb9b95025fe70ea79f29e4ed40edd107087d97b53
            • Opcode Fuzzy Hash: c5cc86a71744da32e750a1e961e94fb5223222249f7a05fc89cb01266f1832b6
            • Instruction Fuzzy Hash: DDF0302531374895FF86DB66C47D3F92352EBAAF45F8844358D0D67264DF2884D1C211
            APIs
            • GetProcessHeap.KERNEL32(?,?,?,0000021954FE311C), ref: 0000021954FF3B8D
            • HeapAlloc.KERNEL32(?,?,?,0000021954FE311C), ref: 0000021954FF3BB5
              • Part of subcall function 0000021954FF3DAC: GetProcessHeap.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3DBD
              • Part of subcall function 0000021954FF3DAC: HeapAlloc.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3DEA
              • Part of subcall function 0000021954FF3DAC: GetModuleHandleA.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E07
              • Part of subcall function 0000021954FF3DAC: LoadLibraryA.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E1C
              • Part of subcall function 0000021954FF3DAC: HeapFree.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3ED2
            • HeapFree.KERNEL32(?,?,?,0000021954FE311C), ref: 0000021954FF3C33
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Heap$AllocFreeProcess$HandleLibraryLoadModule
            • String ID:
            • API String ID: 712249010-0
            • Opcode ID: 660bae7052753d10ee6f77e20682f626ff013786d76bc12d5e91b9551fef34e7
            • Instruction ID: 2b9e888a1b6149483374e62c3fc1991ddb11723528bef70692385ebb34f5d130
            • Opcode Fuzzy Hash: 660bae7052753d10ee6f77e20682f626ff013786d76bc12d5e91b9551fef34e7
            • Instruction Fuzzy Hash: C2210935605740B2FA968F29E8683D833A2B76AB44FC58425DD0DA3361EF79C4D18710
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ClearErrorEventLast
            • String ID:
            • API String ID: 1161489092-0
            • Opcode ID: 8d0e3bca98e7226f9964a7b3476bf161f88636ab2a28c041c59cf7da08daded1
            • Instruction ID: 16a04c57482b9f8cab7e6e2a61b2b359d06bbb3178e9a6b37bec4ca7b2298f7f
            • Opcode Fuzzy Hash: 8d0e3bca98e7226f9964a7b3476bf161f88636ab2a28c041c59cf7da08daded1
            • Instruction Fuzzy Hash: 63016236705B4182E7199B53B85829967A2F79CFC0FD98035DE49A3764DE3CD5858300
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: b861eba7944ffa3dc088cac6ad5b8e939feb1775cde942e8820f5c4531c6accf
            • Instruction ID: a07f3bef8fa7ab42c075485b059cfda2e4fb238ccd0b5f4cc9b8acaf752791ea
            • Opcode Fuzzy Hash: b861eba7944ffa3dc088cac6ad5b8e939feb1775cde942e8820f5c4531c6accf
            • Instruction Fuzzy Hash: 3DF0E776616A00CACB65CF35F844349B3E1F348B64F448221EAAC877A8DB3CCA95CF00
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: FrameHandler2
            • String ID:
            • API String ID: 438124390-0
            • Opcode ID: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
            • Instruction ID: b8d46d2956fffdfed9cae6be3fa6d36f75bd267a27d95cd5ef59c3a1b957c820
            • Opcode Fuzzy Hash: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
            • Instruction Fuzzy Hash: 59129C72701B44DAEB95CF68D5683AD33E6FB19789F904125DF4923B88EB38D865C700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: FrameHandler2
            • String ID:
            • API String ID: 438124390-0
            • Opcode ID: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
            • Instruction ID: 7af728be57abc331f1a446b5622e4833afd1f545c7073b3825dbce86967b3417
            • Opcode Fuzzy Hash: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
            • Instruction Fuzzy Hash: CF125A76B05B42CAEB988FA8D5503AD73E5FB04789F104135DE8D9BB98EE38E425C710
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: FrameHandler2
            • String ID:
            • API String ID: 438124390-0
            • Opcode ID: ded8129a0231a52b6a97d285332cd3f418e03d10df9e10029fc08a36bafa33fb
            • Instruction ID: f9fbf271218eaea86f9b5fc8aa4c55861518a37d882a1ee140aa997d5b792d5c
            • Opcode Fuzzy Hash: ded8129a0231a52b6a97d285332cd3f418e03d10df9e10029fc08a36bafa33fb
            • Instruction Fuzzy Hash: 3012B973601B40DAEB698F68D0647ED33E6FB28758F804129EE4D6BB88DB39D554CB00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 06205efcd92bc97c3c00da4e34943cfc5cbabf158734ba96caef57ab47f53102
            • Instruction ID: 0e11e480b5c3988af4f95dfda8c23269c0b3b13f1a8f3ee7e56d17d91fc2b265
            • Opcode Fuzzy Hash: 06205efcd92bc97c3c00da4e34943cfc5cbabf158734ba96caef57ab47f53102
            • Instruction Fuzzy Hash: 6051AD3131474055F7368F9B68287DA7A97B768BC4FC841289E996BB57EF3CC5828700
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: @
            • API String ID: 0-2766056989
            • Opcode ID: 06205efcd92bc97c3c00da4e34943cfc5cbabf158734ba96caef57ab47f53102
            • Instruction ID: 452a4d81a308af3796f74b65dfac0a62f580edaaf85f3a18911510e8d2d30217
            • Opcode Fuzzy Hash: 06205efcd92bc97c3c00da4e34943cfc5cbabf158734ba96caef57ab47f53102
            • Instruction Fuzzy Hash: 0251A461A0874285FB649F52A84077AA7B5BF49BC5F048138DECDCB755EF3CE5018710
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ac644990d941db505d2c99ea8d48bfca98d60271b88a3557edb8fb50ba12eeac
            • Instruction ID: 10fedacac953d543bae6a09a39208af98830cbdb145fd1db8c6acbe01384f317
            • Opcode Fuzzy Hash: ac644990d941db505d2c99ea8d48bfca98d60271b88a3557edb8fb50ba12eeac
            • Instruction Fuzzy Hash: C8E1E4B3204B8496D724CF06E448B9EB7AAF398B94F958125DF8D53B48DB3AC581CB00
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 0d682816558eb0e194f7969c336fb8996ac4be712a3a6da101f0987ab0ec2c07
            • Instruction ID: a800ad9310ff0c099becd80583bcf77b1b06f8e6e152d0fd9cefd03cfa9d3dd8
            • Opcode Fuzzy Hash: 0d682816558eb0e194f7969c336fb8996ac4be712a3a6da101f0987ab0ec2c07
            • Instruction Fuzzy Hash: 69119647D4EAD146E7660E740C6E0982FA8E753E1674F80BBC7C4C3283DE0E38454722
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$AddressHandleModuleProc
            • String ID: %s (%u.%u Build %u).$%s (%u.%u Build %u, %S).$RtlGetVersion$Unknown$Windows 10$Windows 11$Windows 2000$Windows 7$Windows 8$Windows 8.1$Windows 95$Windows 98$Windows ME$Windows NT 3.51$Windows NT 4.0$Windows Server 2000$Windows Server 2003$Windows Server 2008$Windows Server 2008 R2$Windows Server 2012$Windows Server 2012 R2$Windows Server 2016$Windows Server 2019$Windows Server 2022$Windows Vista$Windows XP$ntdll
            • API String ID: 1762409328-4127402629
            • Opcode ID: 70492c6c89771c0eb6fb4e9dd5815a2b8d1c7686ab2569aaaf1ae545f61cf35e
            • Instruction ID: c23eaa2c91295bdeba1776627d26c4cfb5b4285c41f9b0239d6090ef49e3adf4
            • Opcode Fuzzy Hash: 70492c6c89771c0eb6fb4e9dd5815a2b8d1c7686ab2569aaaf1ae545f61cf35e
            • Instruction Fuzzy Hash: 1E716D33205944B1FA7ECB50E9A9BE9236AF7B4354FD00416EA4AA39D4DB3AD7C5C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: wprintf$_errno_ftbuf_invalid_parameter_noinfo_output_s_l_stbuf
            • String ID: '%c'$ALPHA$BEGIN$BRANCH$CHAR$CHAR_CLASS$DIGIT$DOT$END$INV_CHAR_CLASS$NOT_ALPHA$NOT_DIGIT$NOT_WHITESPACE$PLUS$QUESTIONMARK$STAR$UNUSED$WHITESPACE$type: %s
            • API String ID: 1178621126-2416194042
            • Opcode ID: 65592515a192ff7ea0f74599ef63337431020012980b551567459db8e3dd8bdc
            • Instruction ID: 4fcd3fd99f257c1d77b4c421ee55cb45efc7b35d31c71fb75339eb74726d6587
            • Opcode Fuzzy Hash: 65592515a192ff7ea0f74599ef63337431020012980b551567459db8e3dd8bdc
            • Instruction Fuzzy Hash: 3741DD37215B50B4EB2A9B10E4A83D933BABB64744FD60636CD9C23365EF76CA94C340
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Library$AddressProcProcess$FreeLoadMemoryRead$CloseHandleOpenwcsncpy
            • String ID: GetModuleFileNameExW$GetProcessImageFileNameW$NtQueryInformationProcess$QueryFullProcessImageNameW$kernel32$ntdll$psapi
            • API String ID: 3331711018-385265775
            • Opcode ID: 279cc2cc21c4ba7bab97a25b505af1ed855db2299a09ee7f9a438ada682faedf
            • Instruction ID: bb39f451c3df9965ba66f76f82baf1fc79ec0ec48d4eba9039b42f1377867eb4
            • Opcode Fuzzy Hash: 279cc2cc21c4ba7bab97a25b505af1ed855db2299a09ee7f9a438ada682faedf
            • Instruction Fuzzy Hash: 85917772305B9061FA7FCB12A8687A96396BB68B80FC84415DD4D27798DF3ED685C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: AddressLibraryProc$Load$Free
            • String ID: GetProcessImageFileNameW$GetRawInputData$Psapi.dll$QueryFullProcessImageNameW$RegisterRawInputDevices$kernel32.dll$psapi.dll$user32.dll
            • API String ID: 3890210519-1542674857
            • Opcode ID: 41ee8ba01eab39ebff5966cec5c140cdb48fe45c975be7e171e47df5c07bd28e
            • Instruction ID: 4bae0a5e759049806c8ea50decb8461208dcfd6646b515b192c8de037478978d
            • Opcode Fuzzy Hash: 41ee8ba01eab39ebff5966cec5c140cdb48fe45c975be7e171e47df5c07bd28e
            • Instruction Fuzzy Hash: 4E318A36205B01B1FE6FDB15BD7C7A822A6BB68740FD90525880E26364EF6AD6D8C210
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLastLibrary$AddressFreeLoadProcfreehtonl
            • String ID: EnumProcessModules$GetModuleBaseNameA$GetModuleFileNameExA$psapi
            • API String ID: 2185136653-4146384186
            • Opcode ID: c87b1d8d7f5816c2f4ac0a0c32c6a5624644b983067b6fe0dd2ef0109e85f5fb
            • Instruction ID: 8d0a7dd43b636ccea2a47b83c463b1cf5b9bbf8bfd8d49f8c59be8ceac6ea71a
            • Opcode Fuzzy Hash: c87b1d8d7f5816c2f4ac0a0c32c6a5624644b983067b6fe0dd2ef0109e85f5fb
            • Instruction Fuzzy Hash: 83818233205B80A5EB3ACF11A8683DA77A2F799B94FC40115CA5E67794DF3ED685CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: malloc$freehtons$AddressHandleModuleProcTable
            • String ID: GetExtendedTcpTable$iphlpapi$tcp$tcp6
            • API String ID: 1620742851-586099951
            • Opcode ID: fc120dca83d29bd6e31b880f616ecfbdd16fedbd6147c81902c76d4bf3c6e90e
            • Instruction ID: 329223332683a17653140b1615bbc95506af966832e14ac6f25ef1c42db7d413
            • Opcode Fuzzy Hash: fc120dca83d29bd6e31b880f616ecfbdd16fedbd6147c81902c76d4bf3c6e90e
            • Instruction Fuzzy Hash: CA910673610641E6DB3ADF25E4543ED77A2F7A4B84FC04016DA8E57794DB3AD684CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Heapwave$AllocFree$BufferCreateErrorEventHeaderLastObjectOpenPrepareProcessSingleStartStopWait
            • String ID: WAVE$data$fmt
            • API String ID: 4266746427-502662215
            • Opcode ID: 1d2b77245aa452a1e845222a792248379f44b446485bde4f051b91710fe16402
            • Instruction ID: f798d54f9069e3c28278e5321028598b7f561caa7abc436aa6bbea48b31994fa
            • Opcode Fuzzy Hash: 1d2b77245aa452a1e845222a792248379f44b446485bde4f051b91710fe16402
            • Instruction Fuzzy Hash: BF91A072201B45AAE76ACF25E86D7D837B6F368B48FC48015CE0967764DB3AD6C9C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: freewcsncpy$callocmbstowcs$wcscpy
            • String ID: https$pipe$tcp
            • API String ID: 3149679490-2240554849
            • Opcode ID: b83f12c8e6242859e7aade9e4dba6b69bf4435a4c912a8bb5471a14ce235ea99
            • Instruction ID: 640243c13abf7f843b217d5fcbfc8d035de974f4d68a7c653bf43d41ae78b9b8
            • Opcode Fuzzy Hash: b83f12c8e6242859e7aade9e4dba6b69bf4435a4c912a8bb5471a14ce235ea99
            • Instruction Fuzzy Hash: 4771A97130565062EA96EF17982C3DE6392B7AAFC4FC440349E497BB99EF38C5928704
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: freewcsncpy$callocmbstowcs$wcscpy
            • String ID: https$pipe$tcp
            • API String ID: 3149679490-2240554849
            • Opcode ID: 402321a01a1597c1514fe4dc203db29ad3154ad7030f28c350452bf73c786cd5
            • Instruction ID: 85086ec815ce01657367a6add4f14f81263c5e6330ab9e78cff59f30abf7700e
            • Opcode Fuzzy Hash: 402321a01a1597c1514fe4dc203db29ad3154ad7030f28c350452bf73c786cd5
            • Instruction Fuzzy Hash: F371847531079061FA26EB26D8283DE7BA6B755FC4FC84024EE496BB97DF38D5828700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: freewcsncpy$callocmbstowcs$wcscpy
            • String ID: https$pipe$tcp
            • API String ID: 3149679490-2240554849
            • Opcode ID: 402321a01a1597c1514fe4dc203db29ad3154ad7030f28c350452bf73c786cd5
            • Instruction ID: 089ec9af92c205273d3ea2796f68b0805005bdbfe74bba788be78743c87d153f
            • Opcode Fuzzy Hash: 402321a01a1597c1514fe4dc203db29ad3154ad7030f28c350452bf73c786cd5
            • Instruction Fuzzy Hash: C071B551B1869286EA54EF52D4002BEA7A5FF86FC5F844034EE8D9FB86DF3CD5028724
            APIs
            • CoInitialize.OLE32(?,?,?,?,000002195500E710,0000021957DB5D5B), ref: 0000021957DB609C
            • LoadLibraryA.KERNEL32(?,?,?,?,000002195500E710,0000021957DB5D5B), ref: 0000021957DB60B6
            • GetLastError.KERNEL32(?,?,?,?,000002195500E710,0000021957DB5D5B), ref: 0000021957DB60C5
            • GetProcAddress.KERNEL32(?,?,?,?,000002195500E710,0000021957DB5D5B), ref: 0000021957DB60D7
            • GetLastError.KERNEL32(?,?,?,?,000002195500E710,0000021957DB5D5B), ref: 0000021957DB60E6
            • CoCreateInstance.OLE32(?,?,?,?,000002195500E710,0000021957DB5D5B), ref: 0000021957DB6155
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$AddressCreateInitializeInstanceLibraryLoadProc
            • String ID: CIMakeICommand$CITextToFullTree$LocateCatalogsW$SystemIndex$query.dll
            • API String ID: 3808765035-973766530
            • Opcode ID: 2e6e567e5444bf81e71fd0c3b61a589c99418fef385878775ab290c65391e685
            • Instruction ID: 78298aedd8775cc723d8cbc94057ca1665bf49d17771b3eb1699b7dd78620d65
            • Opcode Fuzzy Hash: 2e6e567e5444bf81e71fd0c3b61a589c99418fef385878775ab290c65391e685
            • Instruction Fuzzy Hash: 5831EB33201F01A2EB6A8F24EC6879C33A6F7A4B88FD44415CA4D66254EF37E696C750
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID:
            • String ID: AND System.DateModified<='%04d-%02d-%02dT%02d:%02d:%02d'$ AND System.DateModified>='%04d-%02d-%02dT%02d:%02d:%02d'$AND DIRECTORY='%s:%s'$AND SCOPE='%s:%s'$size,path,write
            • API String ID: 0-3277289244
            • Opcode ID: feea4da03c9b5d3ec383f2ac2d324c1aa9b386a1e3b91b41466d44e14750ba06
            • Instruction ID: da5cd02aa387a743db9a3a0b5f4e7823445d682360b47158fc0cb5c7a85ba1c5
            • Opcode Fuzzy Hash: feea4da03c9b5d3ec383f2ac2d324c1aa9b386a1e3b91b41466d44e14750ba06
            • Instruction Fuzzy Hash: E3D14833701A40A6EB29CFA5D4642ED23B2FB54B88F848516DE4D6BB58EF36C685C710
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: malloc$freehtons$AddressHandleModuleProcTable
            • String ID: GetExtendedUdpTable$iphlpapi$udp$udp6
            • API String ID: 1620742851-3210492192
            • Opcode ID: ac591898adc96839b938b29adc1809a01a942b901e7ca3f028ae688fbb493ddb
            • Instruction ID: 165217bf65560f4d935ac4837196a44970010894b5be39dd581873931f313d37
            • Opcode Fuzzy Hash: ac591898adc96839b938b29adc1809a01a942b901e7ca3f028ae688fbb493ddb
            • Instruction Fuzzy Hash: 1881E573200651A6DB2ADF25E4687DC3762F364B88FC0440AEA4D5B799DB3DD785CB40
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Http$FreeGlobal$Option$ConfigCurrentErrorLastOpenProxyRequestUsercalloc
            • String ID: GET$POST
            • API String ID: 3882491962-3192705859
            • Opcode ID: 81f59d42fcb2c759907b2907cf04a6eef665407c114728a68e78015ea48cbbc3
            • Instruction ID: a6a2be8433dc25bf96e13a17b7cfca3b5c95507325ae5cd91bf2c2c27d7f0809
            • Opcode Fuzzy Hash: 81f59d42fcb2c759907b2907cf04a6eef665407c114728a68e78015ea48cbbc3
            • Instruction Fuzzy Hash: 64613D72201B80EAEBA6CF65D4683DC33A6F759B8DF844029EE4967B59EF34C594C340
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: htonl$ContextErrorLastThread
            • String ID: eax$ebp$ebx$ecx$edi$edx$eflags$eip$esi$esp
            • API String ID: 1258935475-2196928098
            • Opcode ID: 8ae6589e8fdf7d87bc66684a447083349fd9445f78d2a5cca4bf9c95062c6406
            • Instruction ID: fc6e3cd2282d1e23b180b9c1155b5a28299bbe9cc2ed04f88e2718b0cc5fb12e
            • Opcode Fuzzy Hash: 8ae6589e8fdf7d87bc66684a447083349fd9445f78d2a5cca4bf9c95062c6406
            • Instruction Fuzzy Hash: 267142B2200B80DAE726CF60E8583D977B5F754758F900216DE4D27B58DF7AC689CB40
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Library$AddressFreeProc$Load_errno_invalid_parameter_noinfo$DirectorySystem
            • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
            • API String ID: 3103270816-744132762
            • Opcode ID: 489e94149f977efdcf847796908ebb71ad91ae9206fd2d0a9e2620440dc13137
            • Instruction ID: 074881602dfc92f39c6c41e5a53c86b99b0e3f7c6ee1b1401fa004d3a47f7250
            • Opcode Fuzzy Hash: 489e94149f977efdcf847796908ebb71ad91ae9206fd2d0a9e2620440dc13137
            • Instruction Fuzzy Hash: DA414036205B44A1EA3ACB40F8683DA73A2F7A8744FC44515D98D67768EF3ED689CB00
            APIs
            • LoadLibraryW.KERNEL32(?,?,?,0000021954FE5602), ref: 0000021954FE5A1A
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE5602), ref: 0000021954FE5A36
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE5602), ref: 0000021954FE5A49
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE5602), ref: 0000021954FE5A5C
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE5602), ref: 0000021954FE5A6F
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE5602), ref: 0000021954FE5A82
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE5602), ref: 0000021954FE5A95
              • Part of subcall function 0000021954FE592C: WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5ABA,?,?,?,0000021954FE5602), ref: 0000021954FE595D
              • Part of subcall function 0000021954FE592C: VirtualQuery.KERNEL32 ref: 0000021954FE597F
              • Part of subcall function 0000021954FE592C: VirtualProtect.KERNEL32 ref: 0000021954FE599A
              • Part of subcall function 0000021954FE592C: VirtualProtect.KERNEL32 ref: 0000021954FE59BF
              • Part of subcall function 0000021954FE592C: FlushInstructionCache.KERNEL32 ref: 0000021954FE59D3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$Virtual$Protect$CacheFlushInstructionLibraryLoadMemoryProcessQueryWrite
            • String ID: NtClose$NtCreateSection$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryAttributesFile$ntdll
            • API String ID: 1694779802-2731749698
            • Opcode ID: 921737a1885331bb90d0552f19dfc61c4e2cabf09a7e306f68c6e093b898afeb
            • Instruction ID: 425f80e145c91553aecd30363f97495735a39e5a21247b99bb98e0d5876cc67b
            • Opcode Fuzzy Hash: 921737a1885331bb90d0552f19dfc61c4e2cabf09a7e306f68c6e093b898afeb
            • Instruction Fuzzy Hash: F1413175200A49F1EA82DF66F96C6D97366F75DBC5FC85422AE4C27325EE38C199C300
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Handle$AddressModuleProc$Close$_snwprintf_s
            • String ID: %d/%s$CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32
            • API String ID: 3929803966-2034424418
            • Opcode ID: e2be7df2759c9085995696c53106a642b9fb4a58e621050a79d27cca1a1c2247
            • Instruction ID: 457b86660f96765f0faa4e62bef1d9761f368db90db34f1a4343ad014d5c82ef
            • Opcode Fuzzy Hash: e2be7df2759c9085995696c53106a642b9fb4a58e621050a79d27cca1a1c2247
            • Instruction Fuzzy Hash: AB318833211B41A5EA3ADF11E868BD93392F758BA0FC805219D6D27794EF3AD385C700
            APIs
            • LoadLibraryA.KERNEL32(?,?,?,0000021954FE566C), ref: 0000021954FE5C63
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE566C), ref: 0000021954FE5C7F
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE566C), ref: 0000021954FE5C92
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE566C), ref: 0000021954FE5CA5
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE566C), ref: 0000021954FE5CB8
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE566C), ref: 0000021954FE5CCB
            • GetProcAddress.KERNEL32(?,?,?,0000021954FE566C), ref: 0000021954FE5CDE
              • Part of subcall function 0000021954FE5B94: VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5BB2
              • Part of subcall function 0000021954FE5B94: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5BCD
              • Part of subcall function 0000021954FE5B94: WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5BF0
              • Part of subcall function 0000021954FE5B94: VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5C0D
              • Part of subcall function 0000021954FE5B94: FlushInstructionCache.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5C20
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$Virtual$Protect$CacheFlushInstructionLibraryLoadMemoryProcessQueryWrite
            • String ID: NtClose$NtCreateSection$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryAttributesFile$ntdll
            • API String ID: 1694779802-2731749698
            • Opcode ID: 73cea3a372248d0903406f2551891e6cad9e6cfda1c14104b0705a019b8e49cb
            • Instruction ID: 4a59cdc45d38e34b510a0d250511967a616b3d208e7650562eb7076e3e5c01ed
            • Opcode Fuzzy Hash: 73cea3a372248d0903406f2551891e6cad9e6cfda1c14104b0705a019b8e49cb
            • Instruction Fuzzy Hash: 4A315EB5200B85E2EE46DB66A96C2D663A6F75DFC4FC45412DD0D2B736DE38C189C340
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$_errnomalloc$AddressAllocHeapLibraryLoadProc_callnewhfree
            • String ID: stdcall
            • API String ID: 3740261583-1361542064
            • Opcode ID: 65f1ea4021e4819308f355f3a3e5724d40b9b8008ac3ffbdf332fca7b29bb1ea
            • Instruction ID: 2e47d2d4407b20396155ff58e445671d62abbf970f86a9cdfbdd6e64e7a17d24
            • Opcode Fuzzy Hash: 65f1ea4021e4819308f355f3a3e5724d40b9b8008ac3ffbdf332fca7b29bb1ea
            • Instruction Fuzzy Hash: D7519273205B40A2EB7A8F05E82C7AD32A6F768B90FD44525DE5A67790DF3AC6D0C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLastLibrary$AddressFreeLoadProc
            • String ID: EnumProcessModules$GetModuleBaseNameW$GetModuleFileNameExW$psapi
            • API String ID: 1529210728-3989420880
            • Opcode ID: b7e925e774a462f29d71dfda95ad5cf6c04b52c078dbb68c226870dff419b4ba
            • Instruction ID: fb61102372bac479567678461c5f40c59dac55f92886b5b793de178f59fbd140
            • Opcode Fuzzy Hash: b7e925e774a462f29d71dfda95ad5cf6c04b52c078dbb68c226870dff419b4ba
            • Instruction Fuzzy Hash: B651C33A301B85A1EA3A9B16E8287D96762F7A8FC0FC84025CE4D27754DE3DC288C700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: CreateErrorLastNamedPipe
            • String ID:
            • API String ID: 4201769729-0
            • Opcode ID: b9b3ea9347777d15054754c92fb4d79a40997c4a88476fab64d78c0f96c74820
            • Instruction ID: 13d3e5219256bd868f9e1d00236df6aa3a2ab89e49350d8f3570b105b74c0365
            • Opcode Fuzzy Hash: b9b3ea9347777d15054754c92fb4d79a40997c4a88476fab64d78c0f96c74820
            • Instruction Fuzzy Hash: AD51C17330464097EA3A8B11A8687AEA3EAF7A4B84FD44414CE4563B64DF3AD6C5CB01
            APIs
            • GetProcessHeap.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3DBD
            • HeapAlloc.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3DEA
            • GetModuleHandleA.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E07
            • LoadLibraryA.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E1C
            • GetProcAddress.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E45
            • GetProcAddress.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E5F
            • GetProcAddress.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E8F
            • HeapFree.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3ED2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
             • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: AddressHeapProc$AllocFreeHandleLibraryLoadModuleProcess
            • String ID: NtQueryInformationProcess$NtQueryObject$ZwSetIoCompletion$ntdll.dll
            • API String ID: 1214976393-420758874
            • Opcode ID: ca1af204c64362ec079a1a4c0929eea6c168c130040c0dc6d62809e0d194fbe6
            • Instruction ID: cce093b98f175ef481b13edfd36badd8ae251fe47673901176d7bd3ffbd4dc9b
            • Opcode Fuzzy Hash: ca1af204c64362ec079a1a4c0929eea6c168c130040c0dc6d62809e0d194fbe6
            • Instruction Fuzzy Hash: 2931AD71602B40B2FA97CB29E9AC7D427A2AB69B84FD48025CD0D77765EF79C4C9C301
            APIs
            • malloc.LIBCMT ref: 0000021954FED5DB
              • Part of subcall function 0000021954FF4198: _FF_MSGBANNER.LIBCMT ref: 0000021954FF41C8
              • Part of subcall function 0000021954FF4198: _NMSG_WRITE.LIBCMT ref: 0000021954FF41D2
              • Part of subcall function 0000021954FF4198: HeapAlloc.KERNEL32(?,?,00000000,0000021954FFB878,?,?,?,0000021954FFBADC,?,?,?,0000021954FFB9DB), ref: 0000021954FF41ED
              • Part of subcall function 0000021954FF4198: _callnewh.LIBCMT ref: 0000021954FF4206
              • Part of subcall function 0000021954FF4198: _errno.LIBCMT ref: 0000021954FF4211
              • Part of subcall function 0000021954FF4198: _errno.LIBCMT ref: 0000021954FF421C
            • GetCurrentThreadId.KERNEL32 ref: 0000021954FED5F9
            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED611
            • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED624
            • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED646
            • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED659
            • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED6A4
            • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED6AD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
             • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Library$AddressFreeLoadProc_errnomalloc$AllocCurrentHeapThread_callnewh
            • String ID: NtOpenThread$OpenThread$kernel32.dll$ntdll.dll
            • API String ID: 802756111-1307226884
            • Opcode ID: eaf22bf39ff7181e78d4e40bc6a6a776988079c175fb37deeb4deb6d352ea9a7
            • Instruction ID: 48cd6770ba518f248b9fea1f133b4bf84dfffd1ea02f6cc80fb899567ad91ebd
            • Opcode Fuzzy Hash: eaf22bf39ff7181e78d4e40bc6a6a776988079c175fb37deeb4deb6d352ea9a7
            • Instruction Fuzzy Hash: 82319F31600B42A2FB42DF21E46C2D83362F7A9B84FC840259D4D23769EF3CC595C700
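Added example, not part of the Joe Sandbox report: a small Python parser for the Similarity records in this section, plus two triage checks a reviewer would run over them. The first check picks out records whose String ID lists ntdll exports (Nt*/Zw* names) next to an ntdll module string or a LoadLibrary/GetProcAddress call, the dynamic native-API resolution pattern visible in the NtOpenThread record just above and in the NtCreateSection/NtMapViewOfSection and NtQueryInformationProcess records earlier. The second check finds API String IDs that occur under more than one mapped image offset (the free/Pointer record with ID 4099253644-0 appears under both 0000021954FE0000 and 0000021957DB0000 later in this section). The sample text is constructed from the record layout on this page; the function names and heuristics are this example's own, not the sandbox's.

```python
"""Parse Joe Sandbox 'Similarity' function records and run two triage checks.

Added example: the sample below is constructed in the layout of the records
on this page (API lines, Source File, API ID, String ID, API String ID,
Opcode ID, Instruction Fuzzy Hash); it is not output pulled from the sandbox.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: four records in the report's own layout. The first two
# mirror records visible on this page; the last is the named-pipe format-string
# record. Raw string so the backslashes in the pipe path survive as written.
SAMPLE_REPORT = r"""
APIs
• malloc.LIBCMT ref: 0000021954FED5DB
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED611
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED624
  • Part of subcall function 0000021954FF4198: HeapAlloc.KERNEL32(?,?,00000000), ref: 0000021954FF41ED
Memory Dump Source
• Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadProc_errnomalloc$AllocCurrentHeapThread_callnewh
• String ID: NtOpenThread$OpenThread$kernel32.dll$ntdll.dll
• API String ID: 802756111-1307226884
• Opcode ID: eaf22bf39ff7181e78d4e40bc6a6a776988079c175fb37deeb4deb6d352ea9a7
• Instruction Fuzzy Hash: 82319F31600B42A2FB42DF21E46C2D83362F7A9B84FC840259D4D23769EF3CC595C700
APIs
Memory Dump Source
• Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
Similarity
• API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
• String ID:
• API String ID: 4099253644-0
• Opcode ID: 67898d25f7b1ca2aee06eb46156bd4e0094a028c2c4eb9eb3ed8696d148c99cc
• Instruction Fuzzy Hash: BF311A35611A4472FE979B25EC7D3E42262AB76B50FC94224CD2E7B3B2EF2884D59301
APIs
Memory Dump Source
• Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
Similarity
• API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
• String ID:
• API String ID: 4099253644-0
• Opcode ID: 6099b7468303a389ea0aad945b9403219aeab12ae1aa00998212e3df1ff1f187
• Instruction Fuzzy Hash: D831EC37201B05A1FE7F9F11E87D3E422A3AB75794FCC011589197A2B5DF3A96C99320
Strings
Memory Dump Source
• Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
Similarity
• API ID:
• String ID: /s /q:%d /p:0x%08X$\\.\pipe\%08X
• API String ID: 0-3807318313
• Opcode ID: 99e9baeb4851419518e76cd5df8cb7c0cc391eb239c0f7dfb298b567f2f89231
• Instruction Fuzzy Hash: 8671C432205B8496EB2A9F21E8687DA77A6F798B84FC44029DE4E57764DF3DD684C300
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"([A-Za-z_]\w*)\.([A-Z0-9]+)(?:\(.*\))?,?\s+ref:\s+([0-9A-F]+)\s*$")
FIELD_LINE = re.compile(
    r"^\s*•\s*(Source File|API ID|String ID|API String ID|Opcode ID|"
    r"Instruction Fuzzy Hash):\s?(.*)$")
OFFSET = re.compile(r"Offset:\s*([0-9A-F]+)")
NATIVE_API = re.compile(r"^(?:Nt|Zw)[A-Z]\w*$")
RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress",
             "GetModuleHandleA", "GetModuleHandleW"}


@dataclass
class FunctionRecord:
    source_offset: str = ""            # base of the mapped image the function lives in
    apis: list = field(default_factory=list)   # (api, module, ref) tuples
    api_id: str = ""
    string_ids: list = field(default_factory=list)
    api_string_id: str = ""
    opcode_id: str = ""
    fuzzy_hash: str = ""


def parse_records(text):
    """Walk the report line by line; a record closes at its fuzzy-hash line."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            cur.apis.append(m.groups())
            continue
        m = FIELD_LINE.match(line)
        if not m:
            continue                   # headings, Associated dumps, snapshot names
        key, value = m.group(1), m.group(2).strip()
        if key == "Source File":
            off = OFFSET.search(value)
            cur.source_offset = off.group(1) if off else ""
        elif key == "API ID":
            cur.api_id = value
        elif key == "String ID":
            cur.string_ids = [s for s in value.split("$") if s]
        elif key == "API String ID":
            cur.api_string_id = value
        elif key == "Opcode ID":
            cur.opcode_id = value
        elif key == "Instruction Fuzzy Hash":
            cur.fuzzy_hash = value
            records.append(cur)
            cur = FunctionRecord()
    return records


def native_api_resolution(records):
    """Records naming ntdll exports (Nt*/Zw*) that also reference ntdll as a
    string or call a LoadLibrary/GetProcAddress-style resolver: the functions
    to read first when reviewing the report's 'dynamically determine API calls'
    and syscall signatures. Heuristic of this example, not the sandbox's."""
    hits = []
    for r in records:
        natives = [s for s in r.string_ids if NATIVE_API.match(s)]
        names_ntdll = any(s.lower().startswith("ntdll") for s in r.string_ids)
        resolves = any(api in RESOLVERS for api, _, _ in r.apis)
        if natives and (names_ntdll or resolves):
            hits.append((r.opcode_id, natives))
    return hits


def shared_across_images(records):
    """API String IDs seen under more than one image base: the same API and
    string profile present in two mapped modules (Opcode IDs may still differ)."""
    by_id = {}
    for r in records:
        if r.api_string_id:
            by_id.setdefault(r.api_string_id, set()).add(r.source_offset)
    return {k: sorted(v) for k, v in by_id.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    print(f"{len(recs)} records")
    for opcode_id, natives in native_api_resolution(recs):
        print("native API resolution:", opcode_id[:16], natives)
    for api_string_id, offsets in shared_across_images(recs).items():
        print("shared API String ID:", api_string_id, offsets)
```

To run it over a real report, paste the Similarity blocks into a file and feed its contents to parse_records in place of SAMPLE_REPORT; records that lack a fuzzy-hash line are folded into the next one, so check the record count against the number of "Instruction Fuzzy Hash" lines.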
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
             • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorEventLastReset$ConnectFileNamedOverlappedPipeReadResultfree
            • String ID:
            • API String ID: 4274170886-0
            • Opcode ID: e85595c4a0fe1b6dea5dfedacbff44a640d8e087392fd50af341a613a61ec583
            • Instruction ID: 5be078fbeaf2746cd56527c9f1194440b83e523742bdede2234284936e3b3edf
            • Opcode Fuzzy Hash: e85595c4a0fe1b6dea5dfedacbff44a640d8e087392fd50af341a613a61ec583
            • Instruction Fuzzy Hash: 4C81E071200641A6EFD2DB26E06CBDD2352E7AAB99FC140359E193B796EF78C4908300
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: callocfree$DefaultSystem_vswprintf_c_l_vswprintf_s_lsprintf_sswprintf
            • String ID: #filename = %s$%s\$System$size,path
            • API String ID: 655534614-3779978915
            • Opcode ID: 6471449efa2a638df9d9abb4eccb5cd4c7ba6c935d4687b7e9eeee1372b8fbe9
            • Instruction ID: 105eeb8e2ce75ae52c3025ebdf01b9d43e8c4a94d67ee421b6529aaae92f1588
            • Opcode Fuzzy Hash: 6471449efa2a638df9d9abb4eccb5cd4c7ba6c935d4687b7e9eeee1372b8fbe9
            • Instruction Fuzzy Hash: C1614833700B50A5EB2ACF65E9647DD27A6F754B88FC48126DE4D67B84DB36C288C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: AddressProc$Library$CloseFreeHandleLoadOpenProcess
            • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$psapi
            • API String ID: 3215039149-2992890082
            • Opcode ID: ca87d087a23e42aa03d309188a8475dff11e6f0720bdf7ca0811bf81af3e2497
            • Instruction ID: 8f28a099313d9ec4673493e0e64cc0e4f17ba8c0d5256f90431bcbee06f659fd
            • Opcode Fuzzy Hash: ca87d087a23e42aa03d309188a8475dff11e6f0720bdf7ca0811bf81af3e2497
            • Instruction Fuzzy Hash: 31518337204A91A5E739DF11E8686DA63A2FB98788FC44025DE4D1BB58DF7EC285CB40
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Token_errno$CloseHandleInformationOpenProcess$AccountAllocHeapLookup_callnewh_invalid_parameter_noinfo_snwprintffreemalloc
            • String ID: %s\%s
            • API String ID: 1082786947-4073750446
            • Opcode ID: 8c5190604d3352baab9025d9f8c83490d3603ae748dbf035e625d4207f3dc3d4
            • Instruction ID: 7c3ce422e959de8d24a169b44a1fde4c76b70695652aeb3daaaa587d05e7555a
            • Opcode Fuzzy Hash: 8c5190604d3352baab9025d9f8c83490d3603ae748dbf035e625d4207f3dc3d4
            • Instruction Fuzzy Hash: 0951A133204B81A6DB7ACF15E8547DE73A2F795B88FC401259A8C17B58DF3AD689CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: inet_addr$AddressHandleModuleProc$CreateEntryForward
            • String ID: GetBestInterface$GetIpInterfaceEntry$iphlpapi
            • API String ID: 2699733871-3963187488
            • Opcode ID: bc7c7dbb0541683fe86332b906f16a336992c8f167fdb86b85d5c8f3e64423bc
            • Instruction ID: 0d2537647eb22e5af51751cb9bb956eedcd74fddde51d9122c5cbdc146ffa7ba
            • Opcode Fuzzy Hash: bc7c7dbb0541683fe86332b906f16a336992c8f167fdb86b85d5c8f3e64423bc
            • Instruction Fuzzy Hash: 75519D33609B40DAE725CFA1F85429D77B6F798744F940529EA8DA7B58DF39C284CB00
            APIs
              • Part of subcall function 0000021954FED7A8: LoadLibraryA.KERNEL32(?,?,?,?,0000021954FEA0EB), ref: 0000021954FED7B3
              • Part of subcall function 0000021954FED7A8: GetProcAddress.KERNEL32(?,?,?,?,0000021954FEA0EB), ref: 0000021954FED7C3
            • _time64.LIBCMT ref: 0000021954FEA0ED
              • Part of subcall function 0000021954FF5AA0: GetSystemTimeAsFileTime.KERNEL32(?,?,000000FF,0000021954FEA0F2), ref: 0000021954FF5AAE
              • Part of subcall function 0000021954FED5C0: malloc.LIBCMT ref: 0000021954FED5DB
              • Part of subcall function 0000021954FED5C0: GetCurrentThreadId.KERNEL32 ref: 0000021954FED5F9
              • Part of subcall function 0000021954FED5C0: LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED611
              • Part of subcall function 0000021954FED5C0: GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED624
              • Part of subcall function 0000021954FED5C0: FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021954FEA100), ref: 0000021954FED6AD
            • SetLastError.KERNEL32 ref: 0000021954FEA118
            • malloc.LIBCMT ref: 0000021954FEA1D6
            • memcpy_s.LIBCMT ref: 0000021954FEA1EB
            • OpenThreadToken.ADVAPI32 ref: 0000021954FEA20A
            • GetCurrentProcess.KERNEL32 ref: 0000021954FEA214
            • OpenProcessToken.ADVAPI32 ref: 0000021954FEA223
              • Part of subcall function 0000021954FEA3F8: LoadLibraryA.KERNEL32(?,?,00000038,0000021954FEA24B), ref: 0000021954FEA414
              • Part of subcall function 0000021954FEA3F8: GetProcAddress.KERNEL32(?,?,00000038,0000021954FEA24B), ref: 0000021954FEA42C
              • Part of subcall function 0000021954FEA3F8: GetCurrentProcessId.KERNEL32(?,?,00000038,0000021954FEA24B), ref: 0000021954FEA447
              • Part of subcall function 0000021954FEA3F8: ProcessIdToSessionId.KERNEL32(?,?,00000038,0000021954FEA24B), ref: 0000021954FEA454
              • Part of subcall function 0000021954FEA3F8: FreeLibrary.KERNEL32(?,?,00000038,0000021954FEA24B), ref: 0000021954FEA472
            • GetProcessWindowStation.USER32 ref: 0000021954FEA251
            • GetUserObjectInformationA.USER32 ref: 0000021954FEA274
              • Part of subcall function 0000021954FF4DF0: _invoke_watson.LIBCMT ref: 0000021954FF4E5A
            • GetCurrentThreadId.KERNEL32 ref: 0000021954FEA296
            • GetThreadDesktop.USER32 ref: 0000021954FEA29E
            • GetUserObjectInformationA.USER32 ref: 0000021954FEA2B9
              • Part of subcall function 0000021954FE6AF8: GetSystemTime.KERNEL32(?,?,?,?,?,?,0000021954FEA132), ref: 0000021954FE6B01
              • Part of subcall function 0000021954FE6AF8: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,0000021954FEA132), ref: 0000021954FE6B11
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
             • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: LibraryProcessTime$CurrentThread$AddressLoadProcSystemmalloc$FileFreeInformationObjectOpenTokenUser$DesktopErrorLastSessionStationWindow_getptd_invoke_watson_time64callocmemcpy_s
            • String ID:
            • API String ID: 2316378097-0
            • Opcode ID: bc6a306ad3f3fa8bf5df765bb6dc4ba402a122447e845194bccfbae162e12fc0
            • Instruction ID: 91c3ce077923b88bc4e44815c0e27731225fb6107fd7236c234d47cdfbb4175f
            • Opcode Fuzzy Hash: bc6a306ad3f3fa8bf5df765bb6dc4ba402a122447e845194bccfbae162e12fc0
            • Instruction Fuzzy Hash: D5A16F32605740B7EAD69B2AE56C3DD63A2F76AB81F8040359E4D77752EF39D4B08310
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$Event$CreateSelectSocketclosesocketconnectgethostbynamehtonsinet_addrmalloc
            • String ID:
            • API String ID: 471021859-0
            • Opcode ID: 8eefdc06b16267bf9782190f80d9d4f1a510efb068c60822308c87f735bcf34d
            • Instruction ID: 5ae7d1352938fd5f60abdcc4596be6c4639ec55974e79fad3c395033c3b1edbc
            • Opcode Fuzzy Hash: 8eefdc06b16267bf9782190f80d9d4f1a510efb068c60822308c87f735bcf34d
            • Instruction Fuzzy Hash: 5C51A133201B40A2E76ADF21E85879D73E2F758B94FC04525DA9D57B90EF3AD690CB40
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
             • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$free$malloc$CryptDestroyFileFreeHeapObjectReadSingleWait_errnocallochtonlmemcpy_s
            • String ID:
            • API String ID: 39760644-0
            • Opcode ID: 25e181bbfddfdd354e3704978ba3f76bc9b83870b6adc313fa7767d88b6726c4
            • Instruction ID: fd554aed358b69f0f1b36f66db6d0ef358e631f090bb8ca572b5a26e02cf0749
            • Opcode Fuzzy Hash: 25e181bbfddfdd354e3704978ba3f76bc9b83870b6adc313fa7767d88b6726c4
            • Instruction Fuzzy Hash: 3651C632B00654A6FBD2DB79886C6DD23A3F76DB89F814026DE0977B46EB34C5968310
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
             • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
            • String ID:
            • API String ID: 4099253644-0
            • Opcode ID: 67898d25f7b1ca2aee06eb46156bd4e0094a028c2c4eb9eb3ed8696d148c99cc
            • Instruction ID: 00cd8dc1906acdf4232d2fb44d19139c97bd8b9624bbf40d1daaf8ac7856296e
            • Opcode Fuzzy Hash: 67898d25f7b1ca2aee06eb46156bd4e0094a028c2c4eb9eb3ed8696d148c99cc
            • Instruction Fuzzy Hash: BF311A35611A4472FE979B25EC7D3E42262AB76B50FC94224CD2E7B3B2EF2884D59301
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
            • String ID:
            • API String ID: 4099253644-0
            • Opcode ID: 6099b7468303a389ea0aad945b9403219aeab12ae1aa00998212e3df1ff1f187
            • Instruction ID: fbb7eb6075141e3d126622288e7b1646925899f9311830ae9a41803e1a2fcb9d
            • Opcode Fuzzy Hash: 6099b7468303a389ea0aad945b9403219aeab12ae1aa00998212e3df1ff1f187
            • Instruction Fuzzy Hash: D831EC37201B05A1FE7F9F11E87D3E422A3AB75794FCC011589197A2B5DF3A96C99320
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
             • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$ObjectSingleWaitfree
            • String ID: PACKET RECEIVE
            • API String ID: 3377068553-1195290434
            • Opcode ID: d506d6325161f63a9eb2bf83ffb8907cd45068dbd3772bb8d42674c09ed8662c
            • Instruction ID: 2d32a4efc57d467fb11281761b8304fad91aec6ae99d63ab867df258517f8f36
            • Opcode Fuzzy Hash: d506d6325161f63a9eb2bf83ffb8907cd45068dbd3772bb8d42674c09ed8662c
            • Instruction Fuzzy Hash: 59617532700681A6FBD6DF39942C7EA22A2B76AB8DF845035AD0A77755FF34C995C300
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
             • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
             • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID:
            • String ID: /s /q:%d /p:0x%08X$\\.\pipe\%08X
            • API String ID: 0-3807318313
            • Opcode ID: 99e9baeb4851419518e76cd5df8cb7c0cc391eb239c0f7dfb298b567f2f89231
            • Instruction ID: ff4ae16247f274f0217a217ed0fb4a173392280a6e4deae6e041508969b2452b
            • Opcode Fuzzy Hash: 99e9baeb4851419518e76cd5df8cb7c0cc391eb239c0f7dfb298b567f2f89231
            • Instruction Fuzzy Hash: 8671C432205B8496EB2A9F21E8687DA77A6F798B84FC44029DE4E57764DF3DD684C300
            APIs
            • LoadLibraryA.KERNEL32(?,?,00000000,0000021957DBCB25), ref: 0000021957DBD880
            • GetProcAddress.KERNEL32(?,?,00000000,0000021957DBCB25), ref: 0000021957DBD8B4
            • GetProcAddress.KERNEL32(?,?,00000000,0000021957DBCB25), ref: 0000021957DBD8C7
            • GetProcAddress.KERNEL32(?,?,00000000,0000021957DBCB25), ref: 0000021957DBD8DA
            • CloseHandle.KERNEL32(?,?,00000000,0000021957DBCB25), ref: 0000021957DBD9FA
              • Part of subcall function 0000021957DBDE40: OpenProcess.KERNEL32 ref: 0000021957DBDE94
              • Part of subcall function 0000021957DBDE40: LoadLibraryA.KERNEL32 ref: 0000021957DBDEBD
              • Part of subcall function 0000021957DBDE40: GetProcAddress.KERNEL32 ref: 0000021957DBDEE1
              • Part of subcall function 0000021957DBDE40: FreeLibrary.KERNEL32 ref: 0000021957DBDFD4
              • Part of subcall function 0000021957DBDE40: FreeLibrary.KERNEL32 ref: 0000021957DBDFEA
              • Part of subcall function 0000021957DBDE40: CloseHandle.KERNEL32 ref: 0000021957DBDFF3
              • Part of subcall function 0000021957DBE1D0: OpenProcess.KERNEL32 ref: 0000021957DBE26C
              • Part of subcall function 0000021957DBE1D0: OpenProcessToken.ADVAPI32 ref: 0000021957DBE289
              • Part of subcall function 0000021957DBE1D0: GetTokenInformation.ADVAPI32 ref: 0000021957DBE2B1
              • Part of subcall function 0000021957DBE1D0: malloc.LIBCMT ref: 0000021957DBE2BD
              • Part of subcall function 0000021957DBE1D0: GetTokenInformation.ADVAPI32 ref: 0000021957DBE2EC
              • Part of subcall function 0000021957DBE1D0: LookupAccountSidW.ADVAPI32 ref: 0000021957DBE339
              • Part of subcall function 0000021957DBE1D0: _snwprintf.LIBCMT ref: 0000021957DBE362
              • Part of subcall function 0000021957DBE1D0: free.LIBCMT ref: 0000021957DBE36F
              • Part of subcall function 0000021957DBE1D0: CloseHandle.KERNEL32 ref: 0000021957DBE37E
              • Part of subcall function 0000021957DBD690: LoadLibraryA.KERNEL32 ref: 0000021957DBD6CB
              • Part of subcall function 0000021957DBD690: GetProcAddress.KERNEL32 ref: 0000021957DBD6EC
              • Part of subcall function 0000021957DBD690: OpenProcess.KERNEL32 ref: 0000021957DBD70B
              • Part of subcall function 0000021957DBD690: OpenProcess.KERNEL32 ref: 0000021957DBD723
              • Part of subcall function 0000021957DBD690: CloseHandle.KERNEL32 ref: 0000021957DBD757
              • Part of subcall function 0000021957DBD690: FreeLibrary.KERNEL32 ref: 0000021957DBD765
            • FreeLibrary.KERNEL32(?,?,00000000,0000021957DBCB25), ref: 0000021957DBDA03
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Library$AddressOpenProcProcess$CloseFreeHandle$LoadTokenhtonl$Information$AccountLookup_snwprintffreemalloc
            • String ID: CreateToolhelp32Snapshot$Process32FirstW$Process32NextW$kernel32
            • API String ID: 1256634252-2095122823
            • Opcode ID: 23de0816a5bc3a7d4794d01a0fea485cd7a6a7a5ec75e6cbe26594be051dac0d
            • Instruction ID: 22215bcc2ca60666c1a70f065f20d44fa1d77441b68c51a0d996a60878069435
            • Opcode Fuzzy Hash: 23de0816a5bc3a7d4794d01a0fea485cd7a6a7a5ec75e6cbe26594be051dac0d
            • Instruction Fuzzy Hash: A4419033304790A6EB39DB11E8647DA63A6FBA5790FC44125DE4957B98EF3EC684CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Time$HandleSystemwcschr$FileInformationNamedPipeState_errno_invalid_parameter_noinfo_snwprintf_scallocwcsstr
            • String ID: \\%s\pipe\%s$\\.\$pipe
            • API String ID: 588122004-8644039
            • Opcode ID: f1486397e28dda012e9c6025883001e75f6a06449bbfd92b60786bdd0290ddbb
            • Instruction ID: 3c2d521d24e2701ab330dd26c4a5329997f376c14941b5d12e92d692e12291f2
            • Opcode Fuzzy Hash: f1486397e28dda012e9c6025883001e75f6a06449bbfd92b60786bdd0290ddbb
            • Instruction Fuzzy Hash: 70419432201A41B2EBA2DF29E46C7DD63A2F7A9754FC041219F6D77A96EF34C595C300
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Heap$Window$DestroyProcess$AllocClassFreeProcUnregisterfree
            • String ID: klwClass
            • API String ID: 3034228609-1480243690
            • Opcode ID: c810d30b0053e459d1b7873ad1769647165b4485f81a0f0c35357397dae83060
            • Instruction ID: 9c047ececc4bbed9b90282f0a0c9cce148e103455a134e87fd2b6d8b14985863
            • Opcode Fuzzy Hash: c810d30b0053e459d1b7873ad1769647165b4485f81a0f0c35357397dae83060
            • Instruction Fuzzy Hash: 5A41D83260474492E76A8F22F86839EB7A2F7A4B94FC44110DD5563BA8CF7ED6C5C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLastVirtual$FreeObjectSingleWait$AllocCloseCodeExitHandleMemoryProcessProtectThreadWrite
            • String ID: @
            • API String ID: 992791723-2766056989
            • Opcode ID: 9150e83256754b0288c1f66941511ac6a1a2df8d6f8a492466ccde0c548996b2
            • Instruction ID: 8ed84555da4117649281300874eb17fe5d6fd654c7865c98b8620212e5a1ab6f
            • Opcode Fuzzy Hash: 9150e83256754b0288c1f66941511ac6a1a2df8d6f8a492466ccde0c548996b2
            • Instruction Fuzzy Hash: D231B5B6304B4092F7698B16B85879EA392F758BC4FC44015EE4D67B58DF3ED685CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: HandleModule$AddressProc
            • String ID: CloseHandle$GetProcAddress$NtReadVirtualMemory$OpenProcess$VirtualQueryEx$kernel32.dll$ntdll.dll
            • API String ID: 1883125708-309972381
            • Opcode ID: e896f7c105cae4c332e9881502bcd05d9b005a3e610c4c50814a879add6520bf
            • Instruction ID: 36e11e63b147ea8aac0664bfb827f0eb5b3a75592adb45c3444780a5151bb6b8
            • Opcode Fuzzy Hash: e896f7c105cae4c332e9881502bcd05d9b005a3e610c4c50814a879add6520bf
            • Instruction Fuzzy Hash: F2217772602F49B1FE6FDB14EC7A79423A2BB64740FC44425880D66370EE6AA7D9E700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: htonl$_errnocalloc$freehtonsmallocrealloc$CreateErrorFreeGuidHeapLast_calloc_impl
            • String ID:
            • API String ID: 1631318353-0
            • Opcode ID: e6558ae7c3c5e47415f8fe55673adb2abb85c068509be7c54753b18bedaa83a0
            • Instruction ID: 46f8624ef1e07d81eb34fefca6b58a9fabbf59a1f62cea5150566786a545caf3
            • Opcode Fuzzy Hash: e6558ae7c3c5e47415f8fe55673adb2abb85c068509be7c54753b18bedaa83a0
            • Instruction Fuzzy Hash: 4F918872300680A7EBAADB26E46C7DE7352E79AB81F8040259F9A67751EF7CD4D0C700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorEventLastResetSleepaccept
            • String ID:
            • API String ID: 3917514729-0
            • Opcode ID: 1faf7d548db135f30f8dbd96330abd63dc922264340d37a96fd57602eba8dbc3
            • Instruction ID: e426651aa0ed0cfd6070221df47e54a98d2c52ec09f6225af2a76732ce372159
            • Opcode Fuzzy Hash: 1faf7d548db135f30f8dbd96330abd63dc922264340d37a96fd57602eba8dbc3
            • Instruction Fuzzy Hash: F761AD36304B94D2DB2A8F21E45829D33A2F798B95FD04425DF8D537A4DF39D699CB00
            APIs
            • GetCurrentProcess.KERNEL32 ref: 0000021954FF3F32
            • GetProcessHeap.KERNEL32 ref: 0000021954FF3F3C
              • Part of subcall function 0000021954FF3DAC: GetProcessHeap.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3DBD
              • Part of subcall function 0000021954FF3DAC: HeapAlloc.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3DEA
              • Part of subcall function 0000021954FF3DAC: GetModuleHandleA.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E07
              • Part of subcall function 0000021954FF3DAC: LoadLibraryA.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3E1C
              • Part of subcall function 0000021954FF3DAC: HeapFree.KERNEL32(?,?,00000000,0000021954FF3BD9,?,?,?,0000021954FE311C), ref: 0000021954FF3ED2
            • HeapAlloc.KERNEL32 ref: 0000021954FF3F69
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Heap$Process$Alloc$CurrentFreeHandleLibraryLoadModule
            • String ID:
            • API String ID: 1690373067-0
            • Opcode ID: 0a1ba319b1a7b834c7b6d1f5b3d68ac98994ab72a3a3fd4d3299d98591a68a6b
            • Instruction ID: 4af453b508114930a5949b8ba0bc9c8b22d9af8f3df884c94d9d0220b6945b40
            • Opcode Fuzzy Hash: 0a1ba319b1a7b834c7b6d1f5b3d68ac98994ab72a3a3fd4d3299d98591a68a6b
            • Instruction Fuzzy Hash: 93517132600B40A6FB568F2A985C3E927A2F759BE8F944215DE6973BD9DF38C4858340
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$Free$Global$ErrorHeapLast_errno
            • String ID:
            • API String ID: 3612544453-0
            • Opcode ID: 27af350d4a1db2dd467e73388868bf7722f2c308ebb34d30a494afe1a2f3aad9
            • Instruction ID: 7c187e9f349c85358ee15e228d4fc4f2dc4b6605d4f645fe308250a3eb66dfb5
            • Opcode Fuzzy Hash: 27af350d4a1db2dd467e73388868bf7722f2c308ebb34d30a494afe1a2f3aad9
            • Instruction Fuzzy Hash: 0F31ED362126D062FFDB9E6A807C3ED1362EF7AF48F850525AE2637695DF25C4A09340
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: htonl$free$FreeLocalmalloc
            • String ID: stdcall
            • API String ID: 2516199367-1361542064
            • Opcode ID: bea7fb4ea39fcc26024b44f4ce94e38ba448a43bda7d6b9e984745e6a05570e9
            • Instruction ID: ea779cab3889b9e5f146b2a42d6039de53f5e089bd876b61a3c965cb0a2ad770
            • Opcode Fuzzy Hash: bea7fb4ea39fcc26024b44f4ce94e38ba448a43bda7d6b9e984745e6a05570e9
            • Instruction Fuzzy Hash: F2C15A32605B449AEB65CF65E8543DE77F9F788788F900129EA8D93B58EF39C245CB00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID:
            • String ID: tcp$udp
            • API String ID: 0-3725065008
            • Opcode ID: 25c0fdbcefe70fdf86b976e8c33839645eaf8859bdfd6e0d7a6cf580e8f01787
            • Instruction ID: aa5e40ddab644cfc6bd37244b4f956f9f00ad6e6c5e83c50f4629365d423512a
            • Opcode Fuzzy Hash: 25c0fdbcefe70fdf86b976e8c33839645eaf8859bdfd6e0d7a6cf580e8f01787
            • Instruction Fuzzy Hash: 1C81FA3320464052EABF8B569028BAE62D2F7A4780FD44115DD4DAF3D0EF3ADAC59B40
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID:
            • String ID: 65535$udp
            • API String ID: 0-1267037602
            • Opcode ID: acb1438b4e8d5aff01d8f7b56b7de9ca4f74055aeed55415531a6caaf8202697
            • Instruction ID: 0c458895a1f7017c8094caaa4a5364e522ba3d2125f7c87906789a7b29047bd0
            • Opcode Fuzzy Hash: acb1438b4e8d5aff01d8f7b56b7de9ca4f74055aeed55415531a6caaf8202697
            • Instruction Fuzzy Hash: CC612733204284A5FA7B8F16A0287EA26D2FB64794FC40511AE4D6B7D4CE3ED6C1DB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: CloseHandle$callocfree
            • String ID: \\%s\pipe\%s
            • API String ID: 1903275152-540213758
            • Opcode ID: 9cd9162052e26f6431ee792e701debd7ee095cc62cd280a2b833458978022321
            • Instruction ID: 4bbf5de55ca10cde6c4b757f2a27ec33462a003b2432c32f3b92a50ac6a0eb37
            • Opcode Fuzzy Hash: 9cd9162052e26f6431ee792e701debd7ee095cc62cd280a2b833458978022321
            • Instruction Fuzzy Hash: B4519031301B41B2EED6DB59946C7E96392E7AAB91F8442359E6D377D2FF38C4A18300
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Free$Global$Library$AddressErrorLastLoadProc
            • String ID: WinHttpGetIEProxyConfigForCurrentUser$Winhttp.dll
            • API String ID: 1134048670-1089090160
            • Opcode ID: b62655657624007ed158abb17983ee91e8963d830f9e97843c7f08449eefcadc
            • Instruction ID: 15c627fca22edbabdfb9a4660920dbd67334e28efbecba8ef27284e8116f3ff9
            • Opcode Fuzzy Hash: b62655657624007ed158abb17983ee91e8963d830f9e97843c7f08449eefcadc
            • Instruction Fuzzy Hash: 26318236304B4492EA2A9B12E9686AD6762F79CFC0FC40025DE4E67B64DF3ED685C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
            • String ID: eax
            • API String ID: 781512312-2472899377
            • Opcode ID: 43e0ddc1a39075f10fed9611123b3fd7c9fe9f8a0f98d10bbe8a493903928607
            • Instruction ID: 8e977f4b2c1c6963fb65463b1a411bcd7257c71cf08c4e049f580e15023d2d39
            • Opcode Fuzzy Hash: 43e0ddc1a39075f10fed9611123b3fd7c9fe9f8a0f98d10bbe8a493903928607
            • Instruction Fuzzy Hash: BD212CB3604390A2FF7F571195BC3ED6292A7787D0FD84222E695277D5CA29C7C18700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: CloseErrorHandleLastOpenProcess
            • String ID:
            • API String ID: 3453201768-0
            • Opcode ID: c88a2d332a566c38fc8763af1c0cc0fb9ec571e5a410c477be283ade9e19cd37
            • Instruction ID: aa2caa5980b1f8c4f8762775018d89b85451f7a9fc412efcdea6236f59be077c
            • Opcode Fuzzy Hash: c88a2d332a566c38fc8763af1c0cc0fb9ec571e5a410c477be283ade9e19cd37
            • Instruction Fuzzy Hash: FB319473304B50A2E7299B52AC6879D636AF7A4F90FC44424DE4A637A4DF7ED685C300
            APIs
            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,00000000,00000000,00007FF6CFAF1F61,?,?,?,?,?,?,00007FF6CFB26568,00000000,?), ref: 00007FF6CFAF1DE0
            • VirtualQuery.KERNEL32 ref: 00007FF6CFAF1EAB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: QueryVirtual__acrt_iob_func
            • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
            • API String ID: 4109086920-1534286854
            • Opcode ID: 53cb176d487f0fa821975a99a37e187a5eef57d0b2246bc28a3eabd5a170c370
            • Instruction ID: e87a0688d577b4489d8a30a47bb2d746f386556cab91701da15bc5a4aa05f65e
            • Opcode Fuzzy Hash: 53cb176d487f0fa821975a99a37e187a5eef57d0b2246bc28a3eabd5a170c370
            • Instruction Fuzzy Hash: DB510432B08A46C2EA508F51E8446B9B7A0FB89B96F454135DE8D8B395DF3DE446C360
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$_errnohtons$AllocErrorHeapLastTable_callnewhmallocrealloc
            • String ID: tcp
            • API String ID: 3667466247-2993443014
            • Opcode ID: 350a432dc607d6fe97a233b51aa856aa0b7f53ac617cf4e6a9af6e9cd637571c
            • Instruction ID: 055d4273779b3ebe358b9ebcad1f8e15f027bbe0cba6e631253d9c289460d660
            • Opcode Fuzzy Hash: 350a432dc607d6fe97a233b51aa856aa0b7f53ac617cf4e6a9af6e9cd637571c
            • Instruction Fuzzy Hash: E641D733200680A6D739DF12E4587ED7BA2F365B84FC04416DE4AA7B95DF3AD685CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: wcschr$_errno_invalid_parameter_noinfo_snwprintf_scallocwcsstr
            • String ID: \\%s\pipe\%s$\\.\$pipe
            • API String ID: 3737192811-8644039
            • Opcode ID: f3f508b9379f75592d336cf3cb417c82eeb736ffa81706d94fcff994b71945eb
            • Instruction ID: bfb2cbd00fbe6f7ae9b5e9d2b7527d0f2109acd8bf8f4510c2a6957488db3592
            • Opcode Fuzzy Hash: f3f508b9379f75592d336cf3cb417c82eeb736ffa81706d94fcff994b71945eb
            • Instruction Fuzzy Hash: A641C432214A41A2FB21DF25E4687DD7BA2F764794FC442119A5927AE7DF38C986C300
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: wcschr$_errno_invalid_parameter_noinfo_snwprintf_scallocwcsstr
            • String ID: \\%s\pipe\%s$\\.\$pipe
            • API String ID: 3737192811-8644039
            • Opcode ID: f3f508b9379f75592d336cf3cb417c82eeb736ffa81706d94fcff994b71945eb
            • Instruction ID: 238527cd6a5a840f975271c1a0c69d0301222963f18d55a84461c3d32c3e9b38
            • Opcode Fuzzy Hash: f3f508b9379f75592d336cf3cb417c82eeb736ffa81706d94fcff994b71945eb
            • Instruction Fuzzy Hash: F1418072A09A83D1EB60DF61E4801ADB3A0EB85796F908235DA9D87B95DF7CE505C310
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Internet$ErrorLastOption$ConnectCrackFreeHeapOpen_errnofree
            • String ID: h
            • API String ID: 759318922-2439710439
            • Opcode ID: d1b22cddb731f6aa66cb658824653e0bdb2687022162d9d7f648c2a57a72d0ca
            • Instruction ID: 6e1ad468d8fc0abb73f8bd43561ea5f2d62b03d341af12e24182e6b7aefec2c2
            • Opcode Fuzzy Hash: d1b22cddb731f6aa66cb658824653e0bdb2687022162d9d7f648c2a57a72d0ca
            • Instruction Fuzzy Hash: B2419B32604B80A6F796CF65E0683DD33A2F799B49F844125DE0D67B99EF38C594C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorEventLastResetSleeprecvfrom
            • String ID: 0.0.0.0
            • API String ID: 2877576581-3771769585
            • Opcode ID: efa768874c0d4d9f2bb053d4998c0db2ccbfdfe86ccded465ce0b9423d7e9dfd
            • Instruction ID: 483a1588900bed1b760d9a93487629793e40ff8aeb3fed52dbc06e485792f2a1
            • Opcode Fuzzy Hash: efa768874c0d4d9f2bb053d4998c0db2ccbfdfe86ccded465ce0b9423d7e9dfd
            • Instruction Fuzzy Hash: 20417C33204B85DAD7358F20E8583EEB7A1F799754F900225EA8D57BA8DF39C694CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: AllocMemoryProcessVirtualWrite$AddressHandleModuleProc
            • String ID: NtLockVirtualMemory$ntdll
            • API String ID: 1502369038-2974287352
            • Opcode ID: 5b41af0ab3436f71cad1a040cd58f4ebc8c52640e0e38769017a678daed5a973
            • Instruction ID: db1576a20395b7fc853b04c2a08c24945e7a76206c10acfa932499644fb5d505
            • Opcode Fuzzy Hash: 5b41af0ab3436f71cad1a040cd58f4ebc8c52640e0e38769017a678daed5a973
            • Instruction Fuzzy Hash: 4831CD32300A44A3EB5ACF29E4586D9B7A1F75CBA8F804111CFAC23764EF38D4A5C740
            APIs
              • Part of subcall function 0000021954FE9E60: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE9F53), ref: 0000021954FE9E7F
              • Part of subcall function 0000021954FE9E60: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE9F53), ref: 0000021954FE9E91
              • Part of subcall function 0000021954FE9E60: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE9F53), ref: 0000021954FE9E9B
            • CreateNamedPipeW.KERNEL32 ref: 0000021954FEAE00
            • GetLastError.KERNEL32 ref: 0000021954FEAE09
            • CreateNamedPipeW.KERNEL32 ref: 0000021954FEAE60
            • GetLastError.KERNEL32 ref: 0000021954FEAE69
              • Part of subcall function 0000021954FE9CB4: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9D0E
              • Part of subcall function 0000021954FE9CB4: SetEntriesInAclW.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9D62
              • Part of subcall function 0000021954FE9CB4: AllocateAndInitializeSid.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DAC
              • Part of subcall function 0000021954FE9CB4: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DBE
              • Part of subcall function 0000021954FE9CB4: InitializeAcl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DD1
              • Part of subcall function 0000021954FE9CB4: LocalAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9DFB
              • Part of subcall function 0000021954FE9CB4: InitializeSecurityDescriptor.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9E0C
              • Part of subcall function 0000021954FE9CB4: SetSecurityDescriptorDacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9E21
              • Part of subcall function 0000021954FE9CB4: SetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000021954FE9E35
            • ConnectNamedPipe.KERNEL32 ref: 0000021954FEAE87
            • GetLastError.KERNEL32 ref: 0000021954FEAE91
            • CloseHandle.KERNEL32 ref: 0000021954FEAEB7
              • Part of subcall function 0000021954FE9E60: LookupPrivilegeValueW.ADVAPI32 ref: 0000021954FE9EAC
              • Part of subcall function 0000021954FE9E60: AdjustTokenPrivileges.ADVAPI32 ref: 0000021954FE9EF1
              • Part of subcall function 0000021954FE9E60: CloseHandle.KERNEL32 ref: 0000021954FE9F09
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorInitializeLast$DescriptorNamedPipeSecurity$AllocAllocateCloseCreateHandleLocalProcessToken$AdjustConnectCurrentDaclEntriesLookupOpenPrivilegePrivilegesSaclValue
            • String ID: SeSecurityPrivilege
            • API String ID: 139426882-2333288578
            • Opcode ID: 2ba445c5799b500045d4d5cbce1bf2a178f6b7f7555a775b82e7ea1d6db3ca01
            • Instruction ID: f289807ac750af07a3420bc4eab4e74ce867e48b5801f538acf917efe3153b83
            • Opcode Fuzzy Hash: 2ba445c5799b500045d4d5cbce1bf2a178f6b7f7555a775b82e7ea1d6db3ca01
            • Instruction Fuzzy Hash: A331C631604640A3FBA2DB25E46C3D973A2F7A97B5FC44331EA69636E5EB38C4D48710
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$AddressCreateHandleModuleProcRemoteThread
            • String ID: RtlCreateUserThread$ntdll
            • API String ID: 1699155657-687317052
            • Opcode ID: 2b4135d5c4a3e5147363d03e9af29de1169693ddc81a95301522804e7704ed82
            • Instruction ID: 43944c4cd2beb9ca205fa2db4a400241cafc75b5a1755b3879c7ce937db1faab
            • Opcode Fuzzy Hash: 2b4135d5c4a3e5147363d03e9af29de1169693ddc81a95301522804e7704ed82
            • Instruction Fuzzy Hash: 1C318F31305B40A6E7A2CF25F8AC78973A6F369780F944129DE8D63764DF39C598CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Message$ClassCreateDispatchRegisterTranslateWindow
            • String ID: P$klwClass
            • API String ID: 2143098044-3097189138
            • Opcode ID: 9907cb6cf03fabedab94f6a3ccf0eddc092eda09c40c8389618aff45ae690957
            • Instruction ID: 1ba840fd5842ab2680485b61778950a5c9c7d5d9f9a7492bb37ca33c31bb859d
            • Opcode Fuzzy Hash: 9907cb6cf03fabedab94f6a3ccf0eddc092eda09c40c8389618aff45ae690957
            • Instruction Fuzzy Hash: C931A333614BC1A2EB398F14F8697DA77A2F7A4344FC04515D69C52A98DF3DD288CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadOpenProcProcess$CloseHandle
            • String ID: IsWow64Process$kernel32.dll
            • API String ID: 2823223814-3024904723
            • Opcode ID: 3e8d599dc8995abce0c1d6442b998b57aed1a3a62bf16101424454b83374dbda
            • Instruction ID: a893d2ed513cc1c66d8245e4e0e6846f5ff0835077ae1beb9fbb5fc26183fd0b
            • Opcode Fuzzy Hash: 3e8d599dc8995abce0c1d6442b998b57aed1a3a62bf16101424454b83374dbda
            • Instruction Fuzzy Hash: 0721A136305710A2FB3B8B15A868799A3E3BB58794FC40424DE4E16794EF3EDAC5CB10
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Library$AddressCountErrorFreeLastLoadProcTick
            • String ID: GetLastInputInfo$user32
            • API String ID: 1606095281-2537165897
            • Opcode ID: 872685e3b7a74ab82dd9ceb19e5ff6f08769b19469c83735b67e86de3052d68b
            • Instruction ID: be02c877c513df3a5d6e7dea7d7e633ed948423262152ac55d558c5cefb52f56
            • Opcode Fuzzy Hash: 872685e3b7a74ab82dd9ceb19e5ff6f08769b19469c83735b67e86de3052d68b
            • Instruction Fuzzy Hash: 5421A832205B0092EB2E9B66FC6839D67A2F798B90FC54424DE0A53764DF7ED689C700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$_errno
            • String ID:
            • API String ID: 2288870239-0
            • Opcode ID: 27af350d4a1db2dd467e73388868bf7722f2c308ebb34d30a494afe1a2f3aad9
            • Instruction ID: 473642a01a4588049723c697ece797be6a67c6420b94c88fc5e3380410535a9b
            • Opcode Fuzzy Hash: 27af350d4a1db2dd467e73388868bf7722f2c308ebb34d30a494afe1a2f3aad9
            • Instruction Fuzzy Hash: 90311036312A40A2FF6ADF69C4783BD3B62FF64F48F480614DA1566597CF29D4C48780
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$_errno
            • String ID:
            • API String ID: 2288870239-0
            • Opcode ID: 27af350d4a1db2dd467e73388868bf7722f2c308ebb34d30a494afe1a2f3aad9
            • Instruction ID: bf07f7af00c96be3f8d849ae75d894faed30fd978f486b2cc690f05d06f55bd8
            • Opcode Fuzzy Hash: 27af350d4a1db2dd467e73388868bf7722f2c308ebb34d30a494afe1a2f3aad9
            • Instruction Fuzzy Hash: 053154A2B0A6C642FF59DF65C26037D6360FF45F85F144534DA8E86989DFADE440C360
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: htonl$_errnomalloc$_callnewhfree$AllocHeap
            • String ID:
            • API String ID: 763486889-0
            • Opcode ID: 804340ecb125133c91d8c338dea4d0a5bd50137239e3b61eb7ef6fc2b1631af5
            • Instruction ID: f5d50bd8e3e2faf28c122849ebf82c12903e5c8937f003628596ef4c5ba18c4a
            • Opcode Fuzzy Hash: 804340ecb125133c91d8c338dea4d0a5bd50137239e3b61eb7ef6fc2b1631af5
            • Instruction Fuzzy Hash: 0B51DE32201650ABEBD2CF69D46C79A73A6F769786FC590349E0967391EB38C8E4C700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$_errno
            • String ID:
            • API String ID: 2288870239-0
            • Opcode ID: 67898d25f7b1ca2aee06eb46156bd4e0094a028c2c4eb9eb3ed8696d148c99cc
            • Instruction ID: c76e1973c74172ab0ee045dedb93876fa29ddf63826026a1d50ae526c06a8ddc
            • Opcode Fuzzy Hash: 67898d25f7b1ca2aee06eb46156bd4e0094a028c2c4eb9eb3ed8696d148c99cc
            • Instruction Fuzzy Hash: 5C31FE31201A4476FE67AB55E87D3E43AA7BB74750FCD0624D92A6AAD7CF28C4C48350
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$_errno
            • String ID:
            • API String ID: 2288870239-0
            • Opcode ID: 67898d25f7b1ca2aee06eb46156bd4e0094a028c2c4eb9eb3ed8696d148c99cc
            • Instruction ID: 07d2c64bc6d728edd6f593df3e56197f48cdda82d37e97729d1a1026a347f92e
            • Opcode Fuzzy Hash: 67898d25f7b1ca2aee06eb46156bd4e0094a028c2c4eb9eb3ed8696d148c99cc
            • Instruction Fuzzy Hash: BE313BA1E09A8741FE549F15EA693B823B1BF57752F184231C99EC66A2DFADF4048330
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: callocfree
            • String ID: \\%s\pipe\%s
            • API String ID: 306872129-540213758
            • Opcode ID: 24990b1a9cadf092183762064724301c93a2e87b40edeca835b52b06fc5b65a1
            • Instruction ID: b9ac6ba74b377b1c39a96f4b3d49286d25c2ee36efda8f6a3cbb54773074f754
            • Opcode Fuzzy Hash: 24990b1a9cadf092183762064724301c93a2e87b40edeca835b52b06fc5b65a1
            • Instruction Fuzzy Hash: C751B13131174072FA56EB5995683D97BA2F7A4B90FC44224AE6D277E3EF38D4818344
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: callocfree
            • String ID: \\%s\pipe\%s
            • API String ID: 306872129-540213758
            • Opcode ID: 24990b1a9cadf092183762064724301c93a2e87b40edeca835b52b06fc5b65a1
            • Instruction ID: c494547df0f895ce9a79042605948826043c9ab458e62513170013de7c623602
            • Opcode Fuzzy Hash: 24990b1a9cadf092183762064724301c93a2e87b40edeca835b52b06fc5b65a1
            • Instruction Fuzzy Hash: 9051D421B09742A1EA95DF9295402B9A3A0FF85BD1F444235DE9D8B7C1EF7CE541C360
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$_errno$AllocErrorHeapLastTable_callnewhhtonsmallocrealloc
            • String ID: udp
            • API String ID: 2504828188-4243565622
            • Opcode ID: 1271adaf39cd60a9e5d90e72bbadd3e55f71684002feb34fb808af1ef719f01a
            • Instruction ID: 7f716449406e09984322429a163cee528cd8aa05ad94c0e13714edc034da6d95
            • Opcode Fuzzy Hash: 1271adaf39cd60a9e5d90e72bbadd3e55f71684002feb34fb808af1ef719f01a
            • Instruction Fuzzy Hash: 5D31D233200501A1EB3A9F2AD4647ED77A2F7A5B84FC44016DA49AB695DA3BD6C2CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Time$Systemstrrchr$ErrorFileHandleInformationLastStartupWcsftime_wcstombs_s_lstrstrstrtoxl
            • String ID: 6$tcp
            • API String ID: 2606056437-2319321990
            • Opcode ID: c29f84eccb799349597ff13357f1deccbea23f3f477c177ec5844892a5359dc1
            • Instruction ID: 961a876d5060936fef7411ac22ff523c7d6980c188545fc9ad00776f37cd587c
            • Opcode Fuzzy Hash: c29f84eccb799349597ff13357f1deccbea23f3f477c177ec5844892a5359dc1
            • Instruction Fuzzy Hash: A331C932204681A6EBA2DF29D05C3DD77A6E369B84FC04021AF4877756EF38C55AC701
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorInternetLast$CloseHandleHttpOpenOptionRequest
            • String ID: GET$POST
            • API String ID: 4051435859-3192705859
            • Opcode ID: 3b53d79f6caf2898e8fcec900e4a7eee3e9e24605feaf30cf3cd6fb248b0f7d9
            • Instruction ID: 4f93c858d4ce87daac43f32a0aa26b4c3c01f9abb5f1566b40281b1c8e4f05d8
            • Opcode Fuzzy Hash: 3b53d79f6caf2898e8fcec900e4a7eee3e9e24605feaf30cf3cd6fb248b0f7d9
            • Instruction Fuzzy Hash: 94115171314741A3F7568F25E86C3E922A1B759B86F844035CA1A67BA0EF7EC5D48740
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: LibraryProcess$AddressCurrentFreeLoadProcSession
            • String ID: ProcessIdToSessionId$kernel32.dll
            • API String ID: 4183634105-3889420803
            • Opcode ID: 789fe46884e185b9a733a209a3bc0a2105eb3e986d8d410a092c18411990d0a0
            • Instruction ID: 7c97ce0a0db13bbd3659c307e0799f993cd2646e8f2d0e06a8248e487dff0979
            • Opcode Fuzzy Hash: 789fe46884e185b9a733a209a3bc0a2105eb3e986d8d410a092c18411990d0a0
            • Instruction Fuzzy Hash: 65014070621B44A3FE87DB28A8BC6D623A2BB69711FC41034994E667B5EF3CC4D8C610
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: memcpy_s$rand$malloc$_time64
            • String ID:
            • API String ID: 794369768-0
            • Opcode ID: 3f720f3a196a537a5a94d12d6eea8f4777b797b428a2b888108d2a712b5e1200
            • Instruction ID: 5e2cddc4471f74110a8068591e2b8b4ca43281ed63afdd75dc4c863a6b570351
            • Opcode Fuzzy Hash: 3f720f3a196a537a5a94d12d6eea8f4777b797b428a2b888108d2a712b5e1200
            • Instruction Fuzzy Hash: 3661D232300745A7F731DF66E4687DA7BA2F7A9B84F814021CA49A7756EF38D485C740
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: memcpy_s$rand$malloc$_time64
            • String ID:
            • API String ID: 794369768-0
            • Opcode ID: 3f720f3a196a537a5a94d12d6eea8f4777b797b428a2b888108d2a712b5e1200
            • Instruction ID: 6f19b0e4ee4ffba086c13134c07e3921c70a03e7e0347b13f6c8be6d5aa1584f
            • Opcode Fuzzy Hash: 3f720f3a196a537a5a94d12d6eea8f4777b797b428a2b888108d2a712b5e1200
            • Instruction Fuzzy Hash: CA61AC72A0878687E764DFA6E4447EAB7A1FB89B85F418035CA8E87740EF3CE405C750
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errno$_write$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty_lseeki64
            • String ID:
            • API String ID: 2111832858-0
            • Opcode ID: f4154552be177fde68ec2205519096973323b61619daf22a9d81d73eea1998f2
            • Instruction ID: a9c8ebec917bba8e3434762cd46bb103a5b42f60e756a3b0a98a0a8536f93161
            • Opcode Fuzzy Hash: f4154552be177fde68ec2205519096973323b61619daf22a9d81d73eea1998f2
            • Instruction Fuzzy Hash: DD41FF73200B0097E73F8F28D0693AC36A2E7A4B50FE54105CE65573CADA3ACAC1C780
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: htonssocket$ErrorLastStartupclosesocketsetsockopt
            • String ID:
            • API String ID: 3271603065-0
            • Opcode ID: a0ce75ec05193dcce8d3107bb2087511a8f3876d5ef773f39d20cbe529c145a6
            • Instruction ID: 64324f989910532a40f26be9b0e3ee461f6e8033e046aff163a59b5dcded9780
            • Opcode Fuzzy Hash: a0ce75ec05193dcce8d3107bb2087511a8f3876d5ef773f39d20cbe529c145a6
            • Instruction Fuzzy Hash: 9F31E832224680A6E396CF35E45C7DA7361F758765F801225EE9963BE5EF3CC499CB00
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errno$AllocHeap_callnewhfreemalloc
            • String ID:
            • API String ID: 3198430600-0
            • Opcode ID: db2a4a93983f0f782b0d647c47841603e3d9ba0f290774fa6d91477fda8fe619
            • Instruction ID: dbd70f2cc58f331505326dc3a0f97e6be35d32886adda73e96d5ae6d10270161
            • Opcode Fuzzy Hash: db2a4a93983f0f782b0d647c47841603e3d9ba0f290774fa6d91477fda8fe619
            • Instruction Fuzzy Hash: 9831D671200340ABE7A6DF2AE468299B7A2F7A9795F944124DF4A73771FB38D4C5CB00
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::___ascii_memicmp_getptd_noexit
            • String ID:
            • API String ID: 2223695500-0
            • Opcode ID: 967d92f744ad35c2571e6154937c7264a6779ce8e0f09d7ec581fea03d5053be
            • Instruction ID: e8985ce941590239bd5236cdc5824f1437b875833994c986719d5bd4c2b0bac5
            • Opcode Fuzzy Hash: 967d92f744ad35c2571e6154937c7264a6779ce8e0f09d7ec581fea03d5053be
            • Instruction Fuzzy Hash: 87319BF320076462EE3F5B5185683E973A2A376BE8FC40122DE58277C2CA36CBC18740
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$FreeLocal
            • String ID: FormatMessage failed to retrieve the error.$The operation completed successfully.$stdcall
            • API String ID: 3870799717-2326785561
            • Opcode ID: 07ea64e0d1e0cb9f6895819e61c561371384404aa3d444e43b89ffa10ac50286
            • Instruction ID: f507b0e8dee80346bf5861271f6454d808e11c5bf7ea34b932dea429beec386e
            • Opcode Fuzzy Hash: 07ea64e0d1e0cb9f6895819e61c561371384404aa3d444e43b89ffa10ac50286
            • Instruction Fuzzy Hash: F9811C32701B44DAEB2ACF62E8583DD73AAF758B88FD44425DE0A63B54EF39C6558340
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfo_read_nolockmemcpy_s
            • String ID:
            • API String ID: 1864104905-0
            • Opcode ID: 43596f59cc1b2589c15c7331ae21ca397d6348975ec5a538ab06f19f47be9372
            • Instruction ID: ca42988032e748f08ad820c54eb8ae32503b24111c6fea3afcf4211494f909e0
            • Opcode Fuzzy Hash: 43596f59cc1b2589c15c7331ae21ca397d6348975ec5a538ab06f19f47be9372
            • Instruction Fuzzy Hash: AF5156337042486AFA3E8B66552C7F96683A364BF4FD84714AE3D63BD4CB36D6D18240
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
            • String ID:
            • API String ID: 1573762532-0
            • Opcode ID: 96da9b6e81404f7a8457c3f4488f27b9395ac17dd373711dc371ee7c64921879
            • Instruction ID: 45e8e1822fdadfac29ee48115f3ccdf792f4061ce1f150953dd200e8c26adf23
            • Opcode Fuzzy Hash: 96da9b6e81404f7a8457c3f4488f27b9395ac17dd373711dc371ee7c64921879
            • Instruction Fuzzy Hash: 08412673611298A2EF7B9B1591783F976A2F760B94FCA0011AE9C236C1D73ACBC19300
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errno$AddrAllocErrorHeapLastTable_callnewhfreemallocrealloc
            • String ID:
            • API String ID: 3247216186-0
            • Opcode ID: 5f37c7973449d9a96a30b13632a724d34c2a829fb8b66623e0655c139d0ef132
            • Instruction ID: 77fd303b878527257612236ec3b82734e56e1fb6cce48c9481c18d3111ca67ce
            • Opcode Fuzzy Hash: 5f37c7973449d9a96a30b13632a724d34c2a829fb8b66623e0655c139d0ef132
            • Instruction Fuzzy Hash: 2741AF72200B8597EB7A9B12E4183DE2366F794B89FC04025DE4927764DF3DD686CB00
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
            • String ID:
            • API String ID: 781512312-0
            • Opcode ID: d5328f0ede44545fe3b288ab5c783b11f34c2a2e259d14b63bf88dc9231f6954
            • Instruction ID: e106eb3a57516088c80807e873904b31dbf204e93c85bcb7ce296c0454abc80c
            • Opcode Fuzzy Hash: d5328f0ede44545fe3b288ab5c783b11f34c2a2e259d14b63bf88dc9231f6954
            • Instruction Fuzzy Hash: 2E414BB3A102B092EF7A5B1590683FD77A2E370BA0FD44127AB94276C4E629CBC1C700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLastStartupclosesocketfreeaddrinfogetaddrinfosocket
            • String ID:
            • API String ID: 1223481362-0
            • Opcode ID: a3f53ff7e81317a57d6317739eef939a9c618b57dcb6fa3561c25e245b54efd6
            • Instruction ID: 5e61f2a9c570805e0a89d5a877fe2bd04da3b88dfdd01cfae84976257446a01f
            • Opcode Fuzzy Hash: a3f53ff7e81317a57d6317739eef939a9c618b57dcb6fa3561c25e245b54efd6
            • Instruction Fuzzy Hash: 1D41C332200780A6E3A6DF2AE85C2DD7362F35CBA5F844125DE1E23BA5EF34C5A5C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: strrchr$Wcsftime_wcstombs_s_lstrstrstrtoxl
            • String ID: 6$tcp
            • API String ID: 74481848-2319321990
            • Opcode ID: ab9136e1c6bba4b0e09d7cf5f2056b4cb98007c59a4e9105b3e96efee55fc3bb
            • Instruction ID: cc99248995416ca375e62c8145688fc9e4290086266e60e8c1c134cb4d9dc177
            • Opcode Fuzzy Hash: ab9136e1c6bba4b0e09d7cf5f2056b4cb98007c59a4e9105b3e96efee55fc3bb
            • Instruction Fuzzy Hash: C831D632214680A2FB21DF25D1683DD7BA6F764BC8FC54111EA8867B97DF38C586C740
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: strrchr$Wcsftime_wcstombs_s_lstrstrstrtoxl
            • String ID: 6$tcp
            • API String ID: 74481848-2319321990
            • Opcode ID: ab9136e1c6bba4b0e09d7cf5f2056b4cb98007c59a4e9105b3e96efee55fc3bb
            • Instruction ID: f12b795f62c18075e23cf7950d29eab425894466170e5e0f7e7b592567fa9d13
            • Opcode Fuzzy Hash: ab9136e1c6bba4b0e09d7cf5f2056b4cb98007c59a4e9105b3e96efee55fc3bb
            • Instruction Fuzzy Hash: 5831D232A18682C5EB609F65D5403AD77A1FB59B85F408232EACCCB795DF3CD606C710
            APIs
            • WinHttpOpen.WINHTTP ref: 0000021954FEC87E
            • GetLastError.KERNEL32 ref: 0000021954FEC88D
            • WinHttpCrackUrl.WINHTTP ref: 0000021954FEC904
            • free.LIBCMT ref: 0000021954FEC913
              • Part of subcall function 0000021954FF4158: RtlFreeHeap.NTDLL(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF416E
              • Part of subcall function 0000021954FF4158: _errno.LIBCMT ref: 0000021954FF4178
              • Part of subcall function 0000021954FF4158: GetLastError.KERNEL32(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF4180
            • WinHttpConnect.WINHTTP ref: 0000021954FEC946
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Http$ErrorLast$ConnectCrackFreeHeapOpen_errnofree
            • String ID: h
            • API String ID: 3485364053-2439710439
            • Opcode ID: 0087f1f886ea082aca12578d5cdde666a65c0be6ba395181ff0c112197fba46c
            • Instruction ID: 4e7b2759d16a57497bd98e5a8bee895a26cb04403e7d7dea4251574341aa4c82
            • Opcode Fuzzy Hash: 0087f1f886ea082aca12578d5cdde666a65c0be6ba395181ff0c112197fba46c
            • Instruction Fuzzy Hash: E531AD32614B80A6F792CF29E4587DD33B2F799B48FC44026AE8D67A58EF34C595C740
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
            • String ID:
            • API String ID: 3191669884-0
            • Opcode ID: fe5131bd430b0902d76938e2948c228a8a2fbd1b66746ebdc9c5e5f091b6667b
            • Instruction ID: e3f1737c72e5022bb37af72523db13f601b6937d34f75d8ea135af4306ae4f32
            • Opcode Fuzzy Hash: fe5131bd430b0902d76938e2948c228a8a2fbd1b66746ebdc9c5e5f091b6667b
            • Instruction Fuzzy Hash: 88319F732117809AE7779B11D0987ADB6A6F3A9BE0FDA5121EE58137C5CB36CAC1C700
            APIs
            • GetFileAttributesExW.KERNEL32(?,?,?,?,?,?,?,?,?,0000021957DB562B), ref: 0000021957DB5A97
            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000021957DB562B), ref: 0000021957DB5AA1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: AttributesErrorFileLast
            • String ID: .bat$.cmd$.com$.exe
            • API String ID: 1799206407-4019086052
            • Opcode ID: 8a10b4ea0747958aa8008d3f281c925cd06f43031981d25a3608e6e3601b166d
            • Instruction ID: b936ba268effcf2293c7e4c0a88b904c7562ed397ba13a082d5fea13f47b24dc
            • Opcode Fuzzy Hash: 8a10b4ea0747958aa8008d3f281c925cd06f43031981d25a3608e6e3601b166d
            • Instruction Fuzzy Hash: 9E21C97330075161FE3EAB27B8783D96397AB65BC4FC841219D1E6A295DF2AD7C0C610
            APIs
            • malloc.LIBCMT ref: 0000021957DBA8F7
            • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,0000021957DBA2E1), ref: 0000021957DBA910
            • GetProcAddress.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,0000021957DBA2E1), ref: 0000021957DBA920
              • Part of subcall function 0000021957DDC13C: _errno.LIBCMT ref: 0000021957DDC154
              • Part of subcall function 0000021957DDC13C: _invalid_parameter_noinfo.LIBCMT ref: 0000021957DDC160
              • Part of subcall function 0000021957DBF1D0: GetLastError.KERNEL32 ref: 0000021957DBF265
            • free.LIBCMT ref: 0000021957DBA95F
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast_errno$AddressFreeHandleHeapModuleProc_invalid_parameter_noinfofreemalloc
            • String ID: GetProcAddress$kernel32
            • API String ID: 3678262004-2374084194
            • Opcode ID: c4c4b65b49496925eab10c70dcaf36d6d633faa4291d65951484197c363241c3
            • Instruction ID: 66b3bd3147761c8391bea7b8070f44c5945554be9b4f7e04095e6e5d5dc77ea1
            • Opcode Fuzzy Hash: c4c4b65b49496925eab10c70dcaf36d6d633faa4291d65951484197c363241c3
            • Instruction Fuzzy Hash: C021D633600B45A2E729CF12E8546D97362F364BE4FC04615EEA923B95DB39D7C5C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ComputerDirectoryInformationNameSystemVolume_snwprintf_s_vsnwprintf_s_lfreemallocwcschr
            • String ID: %04x-%04x:%s
            • API String ID: 3870722670-4041933335
            • Opcode ID: b338fccbefd3ff4956156b6b46d4acd11d860efc8a531b3e563e32edbd22cff0
            • Instruction ID: dcafa71ad6e61f1b5663fdf1bc26efba4c1ffcb0a20811debaf0b3e8b6ff172a
            • Opcode Fuzzy Hash: b338fccbefd3ff4956156b6b46d4acd11d860efc8a531b3e563e32edbd22cff0
            • Instruction Fuzzy Hash: 8521B172218A81A7E761CB15F4583CEB361F799784FC08026EB8953B59DF3CC589CB40
            APIs
            • malloc.LIBCMT ref: 0000021957DBA810
            • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,00000000,0000021957DBA194), ref: 0000021957DBA829
            • GetProcAddress.KERNEL32(?,?,?,?,?,?,00000000,0000021957DBA194), ref: 0000021957DBA839
              • Part of subcall function 0000021957DDC13C: _errno.LIBCMT ref: 0000021957DDC154
              • Part of subcall function 0000021957DDC13C: _invalid_parameter_noinfo.LIBCMT ref: 0000021957DDC160
              • Part of subcall function 0000021957DBF1D0: GetLastError.KERNEL32 ref: 0000021957DBF265
            • free.LIBCMT ref: 0000021957DBA874
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast_errno$AddressFreeHandleHeapModuleProc_invalid_parameter_noinfofreemalloc
            • String ID: LoadLibraryA$kernel32
            • API String ID: 3678262004-970291620
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLastfree$callocmalloc
            • String ID:
            • API String ID: 2740727550-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLastfree$callocmalloc
            • String ID:
            • API String ID: 2740727550-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: free
            • String ID:
            • API String ID: 1294909896-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free
            • String ID:
            • API String ID: 1294909896-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: InputSend$MetricsSystem
            • String ID:
            • API String ID: 1046123477-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorEventLastRead_errno$AllocHeap_callnewhfreemalloc
            • String ID:
            • API String ID: 3766589139-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$malloc$_errnocallocmemcpy_s
            • String ID:
            • API String ID: 2567572300-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$malloc$_errnocallocmemcpy_s
            • String ID:
            • API String ID: 2567572300-0
            APIs
            • RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,0000021957DBF923), ref: 0000021957DC0AAB
            • calloc.LIBCMT ref: 0000021957DC0AD0
              • Part of subcall function 0000021957DDB134: _calloc_impl.LIBCMT ref: 0000021957DDB144
              • Part of subcall function 0000021957DDB134: _errno.LIBCMT ref: 0000021957DDB157
              • Part of subcall function 0000021957DDB134: _errno.LIBCMT ref: 0000021957DDB161
            • RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,0000021957DBF923), ref: 0000021957DC0B01
            • free.LIBCMT ref: 0000021957DC0BD5
              • Part of subcall function 0000021957DC0420: free.LIBCMT ref: 0000021957DC0513
              • Part of subcall function 0000021957DC0420: calloc.LIBCMT ref: 0000021957DC0545
              • Part of subcall function 0000021957DC0420: SetLastError.KERNEL32(00000000,00000000,?,0000021957DC0B60,?,?,?,?,?,?,?,?,0000021957DBF923), ref: 0000021957DC0555
              • Part of subcall function 0000021957DC0420: free.LIBCMT ref: 0000021957DC0601
            • free.LIBCMT ref: 0000021957DC0B86
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • free.LIBCMT ref: 0000021957DC0BFC
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$_errno$ErrorLastQueryValuecalloc$FreeHeap_calloc_impl
            • String ID:
            • API String ID: 3084246691-0
            APIs
            • malloc.LIBCMT ref: 0000021954FE84B3
              • Part of subcall function 0000021954FF4198: _FF_MSGBANNER.LIBCMT ref: 0000021954FF41C8
              • Part of subcall function 0000021954FF4198: _NMSG_WRITE.LIBCMT ref: 0000021954FF41D2
              • Part of subcall function 0000021954FF4198: HeapAlloc.KERNEL32(?,?,00000000,0000021954FFB878,?,?,?,0000021954FFBADC,?,?,?,0000021954FFB9DB), ref: 0000021954FF41ED
              • Part of subcall function 0000021954FF4198: _callnewh.LIBCMT ref: 0000021954FF4206
              • Part of subcall function 0000021954FF4198: _errno.LIBCMT ref: 0000021954FF4211
              • Part of subcall function 0000021954FF4198: _errno.LIBCMT ref: 0000021954FF421C
            • GetProcAddress.KERNEL32(00000000,?,00000000,0000021954FEA4CB,?,?,?,?,00000000,0000021954FEA1CD), ref: 0000021954FE8513
            • GetProcAddress.KERNEL32(?,00000000,0000021954FEA4CB,?,?,?,?,00000000,0000021954FEA1CD), ref: 0000021954FE8525
            • GetProcAddress.KERNEL32(?,00000000,0000021954FEA4CB,?,?,?,?,00000000,0000021954FEA1CD), ref: 0000021954FE8537
            • GetProcAddress.KERNEL32(?,00000000,0000021954FEA4CB,?,?,?,?,00000000,0000021954FEA1CD), ref: 0000021954FE8549
            • free.LIBCMT ref: 0000021954FE85B5
              • Part of subcall function 0000021954FF4158: RtlFreeHeap.NTDLL(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF416E
              • Part of subcall function 0000021954FF4158: _errno.LIBCMT ref: 0000021954FF4178
              • Part of subcall function 0000021954FF4158: GetLastError.KERNEL32(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF4180
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: AddressProc$_errno$Heap$AllocErrorFreeLast_callnewhfreehtonlmalloc
            • String ID:
            • API String ID: 1220392353-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: EnumValue_errnofree$InfoQuery_calloc_implcalloc
            • String ID:
            • API String ID: 3915807233-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$EnvironmentVariable$malloc
            • String ID:
            • API String ID: 1318801561-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Librarymalloc$CurrentErrorFreeLastLoadProcess
            • String ID:
            • API String ID: 956524601-0
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Enum_errnofree$InfoQuery_calloc_implcalloc
            • String ID:
            • API String ID: 3908565598-0
            APIs
            • malloc.LIBCMT ref: 0000021957DB91FB
              • Part of subcall function 0000021957DDB1B8: _FF_MSGBANNER.LIBCMT ref: 0000021957DDB1E8
              • Part of subcall function 0000021957DDB1B8: _NMSG_WRITE.LIBCMT ref: 0000021957DDB1F2
              • Part of subcall function 0000021957DDB1B8: HeapAlloc.KERNEL32(?,?,0000000D,0000021957DE81A4,?,?,?,0000021957DE848C,?,?,?,0000021957DE838B,?,?,0000000D,0000021957DE2073), ref: 0000021957DDB20D
              • Part of subcall function 0000021957DDB1B8: _callnewh.LIBCMT ref: 0000021957DDB226
              • Part of subcall function 0000021957DDB1B8: _errno.LIBCMT ref: 0000021957DDB231
              • Part of subcall function 0000021957DDB1B8: _errno.LIBCMT ref: 0000021957DDB23C
            • WSACreateEvent.WS2_32 ref: 0000021957DB922B
            • WSAGetLastError.WS2_32 ref: 0000021957DB923A
            • WSAEventSelect.WS2_32 ref: 0000021957DB9252
            • WSAGetLastError.WS2_32 ref: 0000021957DB925D
            • free.LIBCMT ref: 0000021957DB92F8
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast_errno$EventHeap$AllocCreateFreeSelect_callnewhfreemalloc
            • String ID:
            • API String ID: 472862634-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLastProcess$CloseHandleOpenTerminatehtonl
            • String ID:
            • API String ID: 71079760-0
            • Opcode ID: 2327149fbb8bf8c03abb54bd26250654738e3bc24bb9655b9da45dacd5b3ed14
            • Instruction ID: 445524abdde7186e37d2ba2c063708bf754a009f4b22ba96272545ae883c0f79
            • Opcode Fuzzy Hash: 2327149fbb8bf8c03abb54bd26250654738e3bc24bb9655b9da45dacd5b3ed14
            • Instruction Fuzzy Hash: 09219136300B5492E729CB22A82879AA3E2F798FD4FC54425DE4D97764DF3DD289CB00
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_wopenfile
            • String ID:
            • API String ID: 2917438572-0
            • Opcode ID: ab87cf4cf26684ab18fd8eb68836a6f73ee144447bd4c174f247bd4f7e9c74b1
            • Instruction ID: f2524447a594d6f4353ca11ef66a707bfb048a935cf95d73e4a584d0b2d35763
            • Opcode Fuzzy Hash: ab87cf4cf26684ab18fd8eb68836a6f73ee144447bd4c174f247bd4f7e9c74b1
            • Instruction Fuzzy Hash: E421D4B3311245A6FA3B5F12A8283EAA29377687C0FC54420AD0C67795DB3DC6C25310
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: mallocrealloc
            • String ID:
            • API String ID: 948496778-0
            • Opcode ID: e5622c7359cc31bf251803f3cc0d44303e97a4c0d5f131d772b870ab461b4f66
            • Instruction ID: 8998910686aa75058a8a0ee5efa11d69f0a445c4d052990e2381d261797c2c6b
            • Opcode Fuzzy Hash: e5622c7359cc31bf251803f3cc0d44303e97a4c0d5f131d772b870ab461b4f66
            • Instruction Fuzzy Hash: 2F21F172200600A7E75ACF25D4682AC77B2F3A9F95FA50129CF4A33765EF38D891CB40
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
            • String ID:
            • API String ID: 1547050394-0
            • Opcode ID: bfab6d221abfa4c6b43ac3548ce9de372654226239134a04f91b67a78324eb15
            • Instruction ID: 283a67bb21d1f97edc46f71151a957295d8bd8ffe75db31d470f7b303e71625f
            • Opcode Fuzzy Hash: bfab6d221abfa4c6b43ac3548ce9de372654226239134a04f91b67a78324eb15
            • Instruction Fuzzy Hash: 052108B3214791A6FB7B5B3158283DEB297A7647C0FC84421AE48A7789DB3EC6C14700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLast$HandleThread$AddressCloseCreateModuleProcRemoteResumeSleep
            • String ID:
            • API String ID: 1748098707-0
            • Opcode ID: bff41812144d81b12958035f075e5951e14a7ce2cfa7235987cb3d033ef86666
            • Instruction ID: 71b3a8df38b73c8625912948bfc5b57bf8b9eb6725ed227c77343d5d8ca7ef70
            • Opcode Fuzzy Hash: bff41812144d81b12958035f075e5951e14a7ce2cfa7235987cb3d033ef86666
            • Instruction Fuzzy Hash: DE11AC30304B40A6F6869B66A42C3D96262A75EBD5F980034DE5D33BA6DF38C8918300
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: wcsncpy$wcscpy
            • String ID:
            • API String ID: 58731003-0
            • Opcode ID: aaae6599d52e857aa785821a099fe2076a08916ef0c2a8c36f4594d3131dfffc
            • Instruction ID: 700314deb58e6591126223e4d46ca4736911cc32fd45a44d73c4335e6c80c0e2
            • Opcode Fuzzy Hash: aaae6599d52e857aa785821a099fe2076a08916ef0c2a8c36f4594d3131dfffc
            • Instruction Fuzzy Hash: 3F21AFF6300540A2EBD5DF19C1987C96363F72AFC4F88C0369F08AB689EB36C0A19704
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: wcsncpy$wcscpy
            • String ID:
            • API String ID: 58731003-0
            • Opcode ID: 46294edecc9ce6c89397f12d9552fb3038fdeeaaffdd13825e465cf9bd5a355d
            • Instruction ID: fcd6a0425b54c7d56f00caa20a4360cfdf00518cd7a6899e706bd2028dde1d45
            • Opcode Fuzzy Hash: 46294edecc9ce6c89397f12d9552fb3038fdeeaaffdd13825e465cf9bd5a355d
            • Instruction Fuzzy Hash: 98216AF6310640A1FB55DF19C1987D97BA3F728BC4F988136DF085B69ADB35C4918700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: wcsncpy$wcscpy
            • String ID:
            • API String ID: 58731003-0
            • Opcode ID: 46294edecc9ce6c89397f12d9552fb3038fdeeaaffdd13825e465cf9bd5a355d
            • Instruction ID: 307c047bed492c898929cb1d57c524edff4b5ebe2066ed250f64d305a4b957ac
            • Opcode Fuzzy Hash: 46294edecc9ce6c89397f12d9552fb3038fdeeaaffdd13825e465cf9bd5a355d
            • Instruction Fuzzy Hash: 94216DF670468281EB44DF15C2807AAA762FB1AFC1F588035DF4C8B685DF79D4518720
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: NtClose$NtCreateSection$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryAttributesFile$ntdll
            • API String ID: 0-2731749698
            • Opcode ID: 921737a1885331bb90d0552f19dfc61c4e2cabf09a7e306f68c6e093b898afeb
            • Instruction ID: f34b3a78122f3b71d377b926792260f0440e4da2338d09af32915533fd828e23
            • Opcode Fuzzy Hash: 921737a1885331bb90d0552f19dfc61c4e2cabf09a7e306f68c6e093b898afeb
            • Instruction Fuzzy Hash: 0D41F965A04A5B90DA84DF92E9544E6B379FF4ABC5F888032ED8D87315EE3CD509C320
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _wgetenvswscanf
            • String ID: %ld%c$JPEGMEM$x
            • API String ID: 2353447129-3402169052
            • Opcode ID: 5d80d21e52c9033482acb668af8e69ca4e5fa5ab3930518d5fe441afa70c1c05
            • Instruction ID: 40cc3a3a4c394fd5aca37a43719d2479ae74987bf879de32a4a9761cc901a42f
            • Opcode Fuzzy Hash: 5d80d21e52c9033482acb668af8e69ca4e5fa5ab3930518d5fe441afa70c1c05
            • Instruction Fuzzy Hash: 93419D33101B80A5E766CF25E5942CD77AEF754B88FD04126EA8D53768EF39C295C780
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: NtClose$NtCreateSection$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryAttributesFile$ntdll
            • API String ID: 0-2731749698
            • Opcode ID: 73cea3a372248d0903406f2551891e6cad9e6cfda1c14104b0705a019b8e49cb
            • Instruction ID: d09f8ae1b1024d14844460f491825d70b24b0a5e3ad514ea1768a6439af2aa45
            • Opcode Fuzzy Hash: 73cea3a372248d0903406f2551891e6cad9e6cfda1c14104b0705a019b8e49cb
            • Instruction Fuzzy Hash: 2D310969A04A4795EA44DF42A8190E6B366FF5AFC6F808432DE8D87715EF3CD109C364
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: ProcessIdToSessionId$kernel32.dll
            • API String ID: 145871493-3889420803
            • Opcode ID: 431cbbf1002acb8a786c5aad748b351014fa7d020752195250e570be6f2a580f
            • Instruction ID: de268215986941d98bf68e031df10c53fe2b4ad5ff470d2d81ce0a62d9a850ce
            • Opcode Fuzzy Hash: 431cbbf1002acb8a786c5aad748b351014fa7d020752195250e570be6f2a580f
            • Instruction Fuzzy Hash: 5D119432315740A2EE6ECB15F8EC69863A2E798790FC81029A90F17364DE39C6C48B00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: GetNativeSystemInfo$kernel32.dll
            • API String ID: 145871493-192647395
            • Opcode ID: 761107c80f636f060f6096be8e172d9fa942d03839c0cca8188daee07c615332
            • Instruction ID: fb6326588be950bb25fa68477bb33f6b1268cd2a132c206751bb5e958a0eb0c7
            • Opcode Fuzzy Hash: 761107c80f636f060f6096be8e172d9fa942d03839c0cca8188daee07c615332
            • Instruction Fuzzy Hash: FA119A37705B1092EA668F11E8583AC32E6F75CB80FC48535DAAD93340EF3ACA84CB10
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: WTSGetActiveConsoleSessionId$kernel32.dll
            • API String ID: 145871493-2743965321
            • Opcode ID: 23791eb0a0bc0d377628d6bb69c29b9c793e64a6d41e64be7567502e67fa394e
            • Instruction ID: dc8ade1c35f95eca13bba619c1d2ce625e86c56387c24fe6f9119c35939d6010
            • Opcode Fuzzy Hash: 23791eb0a0bc0d377628d6bb69c29b9c793e64a6d41e64be7567502e67fa394e
            • Instruction Fuzzy Hash: 93F0E132206B45A1FE6F9B59B87D79452926B68740FD80825890D6A360EE3AD6D4C610
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errnocalloc$freemallocrealloc$_calloc_impl
            • String ID:
            • API String ID: 3106647417-0
            • Opcode ID: c5c6b523e6b0d2e199aefa2af793b68528461c9c1886b9200a157a74fcae1e50
            • Instruction ID: afb399ebaa23c4818504d26c331b2b4f2f9bd3c17ca5978c7f99b3434c9c847a
            • Opcode Fuzzy Hash: c5c6b523e6b0d2e199aefa2af793b68528461c9c1886b9200a157a74fcae1e50
            • Instruction Fuzzy Hash: 0D917332311680A6FB2ADB26E4683DABB62F755B80F804025EF9A57756DF7CD4C5C700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errnocalloc$freemallocrealloc$_calloc_impl
            • String ID:
            • API String ID: 3106647417-0
            • Opcode ID: c5c6b523e6b0d2e199aefa2af793b68528461c9c1886b9200a157a74fcae1e50
            • Instruction ID: ee67fe6ae3559f4b02cc0640d1784aa2077a9856a06f6e45a9da9ef6012315c3
            • Opcode Fuzzy Hash: c5c6b523e6b0d2e199aefa2af793b68528461c9c1886b9200a157a74fcae1e50
            • Instruction Fuzzy Hash: 0F918072705681DAEB699F62E5506EAB361EB89B82F404035DFDE8B741CF7CE481C710
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Time_errnomalloc$System_callnewh$AllocFileHeapfree
            • String ID: https
            • API String ID: 1179713992-1056335270
            • Opcode ID: 2fe269e93ddb2ca2b55c2b0f3cfcdc2aa334f8018d184848070053cd7f892424
            • Instruction ID: 193ac3209af7d79f69d53984318c1b53b3d85ffb20aac2ff8741c19127cb5019
            • Opcode Fuzzy Hash: 2fe269e93ddb2ca2b55c2b0f3cfcdc2aa334f8018d184848070053cd7f892424
            • Instruction Fuzzy Hash: 98615B72201B80A6E796DF29E46C2D933EAF76AB44F814125EE8963355FF34C5A1C740
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errnomalloc$_callnewh$free
            • String ID: https
            • API String ID: 2522206970-1056335270
            • Opcode ID: 1f0cf9c1532747e10ef9fbd941ea568aa5aa5cdfc8be55dc81435f9bfc85341f
            • Instruction ID: 0a7e9a39ab25b8c22cd315fabcff79119b13b03b37810b1c9c39a4b41eb6e20f
            • Opcode Fuzzy Hash: 1f0cf9c1532747e10ef9fbd941ea568aa5aa5cdfc8be55dc81435f9bfc85341f
            • Instruction Fuzzy Hash: D261AD72211B80A5F716DF29E4686CD3BEAF754B44F85812ADA8C63367EF38C594C780
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errnomalloc$_callnewh$free
            • String ID: https
            • API String ID: 2522206970-1056335270
            • Opcode ID: 1f0cf9c1532747e10ef9fbd941ea568aa5aa5cdfc8be55dc81435f9bfc85341f
            • Instruction ID: c567c7ce991ac027d2be862c2ab4a65ffc8e819ea945ff50bb1285bd4af8b85a
            • Opcode Fuzzy Hash: 1f0cf9c1532747e10ef9fbd941ea568aa5aa5cdfc8be55dc81435f9bfc85341f
            • Instruction Fuzzy Hash: 3361BFB2A09B8285E745DF24E5401AE77E8FB4AB81F508239DACC87355EF7CE415C760
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errno$AllocErrorHeapLastTable_callnewhfreemallocswprintf
            • String ID:
            • API String ID: 1746394769-0
            • Opcode ID: ef429b14c6c01a103f1495d6273804025ebd1ffe504202591410a43936067dd9
            • Instruction ID: a16e6bde0c05ed31f8cc8250c2870d3585674a1fc2140bbd4df059f4557df14e
            • Opcode Fuzzy Hash: ef429b14c6c01a103f1495d6273804025ebd1ffe504202591410a43936067dd9
            • Instruction Fuzzy Hash: 2251A233211AC1AAE736CF24E854BDA77A9F354758FC04115DA9D5BB98DB39C781CB00
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
            • String ID:
            • API String ID: 2998201375-0
            • Opcode ID: 2b97ad4542edcecec1b9961a4e299241babd3c1e16cab5d3fb88c5578214002b
            • Instruction ID: 9f59070ba63b691e48c1cab78a5c5c0f629e0cd9dd3bce23776e29b884b05bc8
            • Opcode Fuzzy Hash: 2b97ad4542edcecec1b9961a4e299241babd3c1e16cab5d3fb88c5578214002b
            • Instruction Fuzzy Hash: B341D4722143C0B7E7A1CF19D1583A977A6F7A5B84F584122EF8877B99EB34C4818714
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
            • String ID:
            • API String ID: 2998201375-0
            • Opcode ID: ba634d955da18d05121c0098e91ec16440e120bb33a523f7699adb15f85191ae
            • Instruction ID: 7d7e3f265da3aa6dd86c23a1259bbc7a88dcb5842321f29fc2c3f9a1f43725fe
            • Opcode Fuzzy Hash: ba634d955da18d05121c0098e91ec16440e120bb33a523f7699adb15f85191ae
            • Instruction Fuzzy Hash: 6041D33320078496EB778F2591687ADB7A2F765BC0FD94121EF8D67B95CB36CA818700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast_errno$AllocHeapMemoryProcessRead_callnewhfreemalloc
            • String ID:
            • API String ID: 1082828278-0
            • Opcode ID: d38694485ac461b15fcbf91b4f44cac429c233a18bb2087b79a9de5d83eaec78
            • Instruction ID: 9530d5b7f270ca981b901698680eb9caae2efaf0b1ab9d02015715b6d260a0f1
            • Opcode Fuzzy Hash: d38694485ac461b15fcbf91b4f44cac429c233a18bb2087b79a9de5d83eaec78
            • Instruction Fuzzy Hash: D231B776205B4092EA2A9B12AC287E96292F798FC0FD40036EE0D77760DF3DD6859740
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorEventLastResetSleeprecvselect
            • String ID:
            • API String ID: 2565462947-0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errnomalloc$_callnewh
            • String ID: NtOpenThread$OpenThread$kernel32.dll$ntdll.dll
            • API String ID: 3696632742-1307226884
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errnomalloc$_callnewh
            • String ID: NtOpenThread$OpenThread$kernel32.dll$ntdll.dll
            • API String ID: 3696632742-1307226884
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: rand$Time$FileSystem_getptd_time64
            • String ID:
            • API String ID: 213278111-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: rand$_getptd_time64
            • String ID:
            • API String ID: 245728536-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: rand$_getptd_time64
            • String ID:
            • API String ID: 245728536-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Virtual$Protect$CacheFlushInstructionMemoryProcessQueryWrite
            • String ID:
            • API String ID: 834688674-0
            APIs
            • calloc.LIBCMT ref: 0000021954FEB1AF
              • Part of subcall function 0000021954FF49AC: _calloc_impl.LIBCMT ref: 0000021954FF49BC
              • Part of subcall function 0000021954FF49AC: _errno.LIBCMT ref: 0000021954FF49CF
              • Part of subcall function 0000021954FF49AC: _errno.LIBCMT ref: 0000021954FF49D9
            • GetCurrentProcess.KERNEL32 ref: 0000021954FEB1B7
            • DuplicateHandle.KERNEL32 ref: 0000021954FEB1E0
            • free.LIBCMT ref: 0000021954FEB1ED
              • Part of subcall function 0000021954FF4158: RtlFreeHeap.NTDLL(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF416E
              • Part of subcall function 0000021954FF4158: _errno.LIBCMT ref: 0000021954FF4178
              • Part of subcall function 0000021954FF4158: GetLastError.KERNEL32(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF4180
            • GetLastError.KERNEL32 ref: 0000021954FEB1F2
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errno$ErrorLast$CurrentDuplicateFreeHandleHeapProcess_calloc_implcallocfree
            • String ID:
            • API String ID: 833592512-0
            APIs
            • SetLastError.KERNEL32 ref: 0000021957DC6314
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            • VirtualQuery.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5BB2
            • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5BCD
            • WriteProcessMemory.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5BF0
            • VirtualProtect.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5C0D
            • FlushInstructionCache.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000021954FE5CF9), ref: 0000021954FE5C20
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Virtual$Protect$CacheFlushInstructionMemoryProcessQueryWrite
            • String ID:
            • API String ID: 834688674-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: File$Attributes$DeleteErrorLastfree
            • String ID:
            • API String ID: 2038201108-0
            APIs
            • VirtualProtect.KERNEL32(00007FF6CFB29040,00007FF6CFB29048,00000001,?,?,?,?,00007FFDB240ADA0,00007FF6CFAF1228,?,?,?,00007FF6CFAF13E6), ref: 00007FF6CFAF216D
            Strings
            • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF6CFAF21D4
            • Unknown pseudo relocation bit size %d., xrefs: 00007FF6CFAF22B6
            • Unknown pseudo relocation protocol version %d., xrefs: 00007FF6CFAF22C2
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ProtectVirtual
            • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
            • API String ID: 544645111-1286557213
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: free
            • String ID: PACKET RECEIVE
            • API String ID: 1294909896-1195290434
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free
            • String ID: PACKET RECEIVE
            • API String ID: 1294909896-1195290434
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: CurrentImageNonwritableUnwind
            • String ID: $csm
            • API String ID: 451473138-717980254
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: wcsncpy$_errnorealloc$AllocHeap_callnewhmallocwcscpy
            • String ID: 0
            • API String ID: 3922252587-4108050209
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: wcsncpy$_errnorealloc$_callnewhmallocwcscpy
            • String ID: 0
            • API String ID: 1276237924-4108050209
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: wcsncpy$_errnorealloc$_callnewhmallocwcscpy
            • String ID: 0
            • API String ID: 1276237924-4108050209
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: DriveDrivesLogicalType_vswprintf_s_lswprintf
            • String ID: %c:
            • API String ID: 1363219177-1226554575
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ErrorLastNamedObjectPeekPipeSingleSleepWait
            • String ID:
            • API String ID: 52212926-3916222277
            APIs
            • _callnewh.LIBCMT ref: 0000021957DDE256
            • malloc.LIBCMT ref: 0000021957DDE262
              • Part of subcall function 0000021957DDB1B8: _FF_MSGBANNER.LIBCMT ref: 0000021957DDB1E8
              • Part of subcall function 0000021957DDB1B8: _NMSG_WRITE.LIBCMT ref: 0000021957DDB1F2
              • Part of subcall function 0000021957DDB1B8: HeapAlloc.KERNEL32(?,?,0000000D,0000021957DE81A4,?,?,?,0000021957DE848C,?,?,?,0000021957DE838B,?,?,0000000D,0000021957DE2073), ref: 0000021957DDB20D
              • Part of subcall function 0000021957DDB1B8: _callnewh.LIBCMT ref: 0000021957DDB226
              • Part of subcall function 0000021957DDB1B8: _errno.LIBCMT ref: 0000021957DDB231
              • Part of subcall function 0000021957DDB1B8: _errno.LIBCMT ref: 0000021957DDB23C
            • _CxxThrowException.LIBCMT ref: 0000021957DDE2AB
              • Part of subcall function 0000021957DE71C0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021957DDE2B0), ref: 0000021957DE722E
              • Part of subcall function 0000021957DE71C0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000021957DDE2B0), ref: 0000021957DE726D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
            • String ID: bad allocation
            • API String ID: 1214304046-2104205924
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errno$_invalid_parameter_noinfo
            • String ID: getaddrinfo
            • API String ID: 2819658684-300660673
            • Opcode ID: e6c644ec8d210446fa7204516c446dfba3ce95612a45ea4641db517dec9d1263
            • Instruction ID: 71845256be0ad409834e2dde2a31ebfea82b480ba1f2b7d26199adef675c2b2e
            • Opcode Fuzzy Hash: e6c644ec8d210446fa7204516c446dfba3ce95612a45ea4641db517dec9d1263
            • Instruction Fuzzy Hash: B7018FB36452986DFA7F0774067C3E869579B36384FE84551CD59362D2E01B0B8A9221
            APIs
            • LoadLibraryA.KERNEL32(?,?,?,?,00000000,0000021954FE9DF3), ref: 0000021954FE98B9
            • GetProcAddress.KERNEL32(?,?,?,?,00000000,0000021954FE9DF3), ref: 0000021954FE98CE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: AddMandatoryAce$advapi32.dll
            • API String ID: 2574300362-673174713
            • Opcode ID: a234033b5c7c7d7721a12536b7b9e128ab63cbd21b780d004e8afdd7c798d4e8
            • Instruction ID: cf9fa743876f43bde22db2221a574b9d50054a6907cc205011f02a9bbc5938ac
            • Opcode Fuzzy Hash: a234033b5c7c7d7721a12536b7b9e128ab63cbd21b780d004e8afdd7c798d4e8
            • Instruction Fuzzy Hash: 8C016131215B40A3FB52CB15F878396B3A2B7A9B90FD44425EE8C63B65DF38C594CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: IsWow64Process$kernel32.dll
            • API String ID: 1646373207-3024904723
            • Opcode ID: bc0f3b6687f9453eaa16beb7b1b2c4fbb38f16e6236b662d49b719d0fceef7cc
            • Instruction ID: 0e65fa35de720c86ab1f1bfe15994e201a27d432d6c655a75e1d72d9d8a7dda5
            • Opcode Fuzzy Hash: bc0f3b6687f9453eaa16beb7b1b2c4fbb38f16e6236b662d49b719d0fceef7cc
            • Instruction Fuzzy Hash: DEF08132315B40A1EE5A8B05F8A969963A1F7AC780FC41025B95E97364EF39D6C4CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: AddressHandleModuleProc
            • String ID: RtlGetVersion$ntdll.dll
            • API String ID: 1646373207-1489217083
            • Opcode ID: dba08136e3a850c41bc3a0ae5effa72ccef709e51a2d759cee455d36573b4c8d
            • Instruction ID: 493318759639abfe693a6e92ee5f8730981042ec86cd9167101e0ee5542cdc5f
            • Opcode Fuzzy Hash: dba08136e3a850c41bc3a0ae5effa72ccef709e51a2d759cee455d36573b4c8d
            • Instruction Fuzzy Hash: 6D01A231614501B3EB66CB29F46D3D923A2A7AD744FC00121D70D621A5EE38C5888B04
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: NameTextVirtual_errno_invalid_parameter_noinfo_snwprintf
            • String ID: <%ls>
            • API String ID: 2821865448-2980182092
            • Opcode ID: d60e6110aa90533d8e984dfe294e5d802f70c553d4df60715aaa634208b56f31
            • Instruction ID: 971aaff61c5bd9cf517a7ffd27bbae142834b6dc1324ad2f53d862344a109cb9
            • Opcode Fuzzy Hash: d60e6110aa90533d8e984dfe294e5d802f70c553d4df60715aaa634208b56f31
            • Instruction Fuzzy Hash: A3016D36300B08A2E72ACB11E428BD82366F798B80FC50026DD09A3368DF3AD685D340
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: NameTextVirtual_errno_invalid_parameter_noinfo_snwprintf
            • String ID: <%ls>
            • API String ID: 2821865448-2980182092
            • Opcode ID: 19e08feba95926d72416e3d7379062d8b7ffb0fe6a69b62438704e92d66700b2
            • Instruction ID: 1992cc9825081d758d8ed8403c5ec5f81337eaa2dc915ad94cb9034c97b9226c
            • Opcode Fuzzy Hash: 19e08feba95926d72416e3d7379062d8b7ffb0fe6a69b62438704e92d66700b2
            • Instruction Fuzzy Hash: 0CF0C832300505A6E73ACB54E8297E81353F7D4750FC004218A0EA22B4DE39D6CAD700
            APIs
            • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,00000057,0000021957DBA36A), ref: 0000021957DBA9CA
            • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000057,0000021957DBA36A), ref: 0000021957DBA9DA
              • Part of subcall function 0000021957DBF1D0: GetLastError.KERNEL32 ref: 0000021957DBF265
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: AddressErrorHandleLastModuleProc
            • String ID: FreeLibrary$kernel32
            • API String ID: 4275029093-3113479021
            • Opcode ID: 740ae4845440bb487eae6c4df16be45dec4738c5e7659b2675c76db94d588ce6
            • Instruction ID: 76acc0fedc1ef7ab2081459ade973fca043f9203d675ff2db8350760730013c2
            • Opcode Fuzzy Hash: 740ae4845440bb487eae6c4df16be45dec4738c5e7659b2675c76db94d588ce6
            • Instruction Fuzzy Hash: 1501DF33208B85A6EB25CF11F95879AB772F3A5784FC40501EA8917A28DB3DC284CB00
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _snwprintf$_errno_invalid_parameter_noinfo
            • String ID: <LAlt>$<RAlt>
            • API String ID: 3682513478-2751853527
            • Opcode ID: b6a0cd0784e44109d04bd5ebecfa7e16d4de449bc9c42a8f8e80f7b4024f87a6
            • Instruction ID: 4633d35ed43d656e075bf5fb5e01f8a5fdd8872c932dbc5c00808605dea26857
            • Opcode Fuzzy Hash: b6a0cd0784e44109d04bd5ebecfa7e16d4de449bc9c42a8f8e80f7b4024f87a6
            • Instruction Fuzzy Hash: 8EF03A36200B44B0EA3ADB45D4297D9236AF768B90FD545239D1EA33A4CF26CBC9D340
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _snwprintf$_errno_invalid_parameter_noinfo
            • String ID: <LAlt>$<RAlt>
            • API String ID: 3682513478-2751853527
            • Opcode ID: 1420f979ee66de8d242118254d399a101f1ca75d3214ed95abf86f7230e74c44
            • Instruction ID: dba48129f7163325c048be51b8af94a5ec9cba73bf199503a12f1d52d670f2fe
            • Opcode Fuzzy Hash: 1420f979ee66de8d242118254d399a101f1ca75d3214ed95abf86f7230e74c44
            • Instruction Fuzzy Hash: 7DF03033204750B1F63BDF48E4793E85366A7A4B50FC10423990DA22A5DE3AD7CAD240
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: SetThreadErrorMode$kernel32.dll
            • API String ID: 2574300362-2080226504
            • Opcode ID: 2e999b430a7ff7c99c268ed42c55c8f91780a889294b3581f3c33e0021a919a5
            • Instruction ID: 403689f4bedbe12c382bba1b5f1727c1d00dd3022db0ed5d9a7496efa49c0232
            • Opcode Fuzzy Hash: 2e999b430a7ff7c99c268ed42c55c8f91780a889294b3581f3c33e0021a919a5
            • Instruction Fuzzy Hash: 2CD06735656641B3FE4BDB65EC692D42362ABAA711FC88425840E22671EF2895DAC700
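            The records above share one shape: a LoadLibraryA/GetModuleHandleA plus GetProcAddress stub whose String ID pairs an export name with a module name (AddMandatoryAce$advapi32.dll, IsWow64Process$kernel32.dll, RtlGetVersion$ntdll.dll, FreeLibrary$kernel32, SetThreadErrorMode$kernel32.dll). The script below is an added example, not Joe Sandbox or Meterpreter code, that turns those String IDs into a memory-dump check: it finds each export/module literal as a NUL-terminated ASCII string and reports whether both are present and how close they sit. Assumptions: the report joins a function's string literals with "$" in no fixed order (so the module token is recognised by a ".dll" suffix or by the constructed KNOWN_MODULES list), the 512-byte co-location window is an arbitrary threshold, and SAMPLE_DUMP is a constructed buffer rather than one of the .sdmp files listed here.

```python
"""Check a raw memory dump for the export/module string pairs listed in the
LoadLibrary/GetProcAddress records of this report.

Added example, not Joe Sandbox or Meterpreter code.  Assumptions: a
'String ID' joins a function's string literals with '$' in no fixed order;
the module literal is recognised by a '.dll' suffix or by KNOWN_MODULES
(a constructed list); SAMPLE_DUMP is constructed, not a real .sdmp file.
"""
import re
from typing import Dict, List, Optional, Tuple

# 'String ID' values copied from the dynamic-resolution records above.
REPORT_STRING_IDS = [
    "AddMandatoryAce$advapi32.dll",
    "IsWow64Process$kernel32.dll",
    "RtlGetVersion$ntdll.dll",
    "FreeLibrary$kernel32",
    "SetThreadErrorMode$kernel32.dll",
]

# Assumed module base names for literals that lack a '.dll' suffix.
KNOWN_MODULES = {"kernel32", "ntdll", "advapi32", "user32", "ws2_32"}


def _is_module(token: str) -> bool:
    t = token.lower()
    return t.endswith(".dll") or t in KNOWN_MODULES


def parse_string_id(string_id: str) -> Optional[Tuple[str, str]]:
    """Return (module, api) for a two-literal String ID, else None.

    The '$'-joined literals are not in call order, so the module is picked
    by shape rather than position; IDs such as 'GET$POST' are rejected.
    """
    tokens = string_id.split("$")
    if len(tokens) != 2:
        return None
    modules = [t for t in tokens if _is_module(t)]
    apis = [t for t in tokens if not _is_module(t)]
    if len(modules) != 1 or len(apis) != 1:
        return None
    return modules[0], apis[0]


def cstring_offsets(dump: bytes, literal: str, ignore_case: bool) -> List[int]:
    """Offsets of NUL-terminated ASCII occurrences of `literal`.

    A preceding identifier character is rejected so 'FreeLibrary' does not
    match inside 'FreeLibraryAndExitThread'; the trailing NUL is required
    so that 'kernel32' does not match the prefix of 'kernel32.dll'.
    """
    flags = re.IGNORECASE if ignore_case else 0
    pattern = rb"(?<![A-Za-z0-9_.])" + re.escape(literal.encode("ascii")) + rb"\x00"
    return [m.start() for m in re.finditer(pattern, dump, flags)]


def find_resolution_pairs(dump: bytes, string_ids: List[str],
                          window: int = 512) -> Dict[str, dict]:
    """Per (module, api) pair: hit counts and the smallest distance between
    an API literal and a module literal in the dump.

    Module names match case-insensitively (the loader accepts either); API
    names are case-sensitive because GetProcAddress is.  `window` is an
    assumed proximity threshold for flagging a pair as co-located.
    """
    results: Dict[str, dict] = {}
    for sid in string_ids:
        parsed = parse_string_id(sid)
        if parsed is None:
            continue
        module, api = parsed
        mod_offs = cstring_offsets(dump, module, ignore_case=True)
        api_offs = cstring_offsets(dump, api, ignore_case=False)
        best: Optional[int] = None
        for a in api_offs:
            for m in mod_offs:
                d = abs(a - m)
                if best is None or d < best:
                    best = d
        results[sid] = {
            "module_hits": len(mod_offs),
            "api_hits": len(api_offs),
            "min_distance": best,
            "colocated": best is not None and best <= window,
        }
    return results


# Constructed dump: one adjacent pair, one distant pair, a module without
# its API, and a longer export name that must not produce a false hit.
SAMPLE_DUMP = (
    b"\x00" * 8
    + b"advapi32.dll\x00AddMandatoryAce\x00"
    + b"\x00" * 64
    + b"KERNEL32.dll\x00"
    + b"\x00" * 1024
    + b"IsWow64Process\x00"
    + b"FreeLibraryAndExitThread\x00"
    + b"ntdll.dll\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    for sid, hit in find_resolution_pairs(SAMPLE_DUMP, REPORT_STRING_IDS).items():
        print(f"{sid:36} {hit}")
```

            Run against a real dump, replace SAMPLE_DUMP with the bytes of one of the .sdmp files and extend REPORT_STRING_IDS with the other export/module pairs from the report. A pair that is present but far apart is still worth noting: with this sample the module name is loaded once and reused, so only the export name need sit near the resolver stub.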
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: empty distance tree with lengths$incomplete distance tree$incomplete literal/length tree$oversubscribed distance tree$oversubscribed literal/length tree
            • API String ID: 0-2211540454
            • Opcode ID: 4e2e72b6b60a29caabc8a22b6b3f6784a8a9b0a32f0a362f9efb92dc70d29752
            • Instruction ID: 78cb567a1fa5e0cd0bce9a39d1bbe191be6516b190db85ba435004adea98fa57
            • Opcode Fuzzy Hash: 4e2e72b6b60a29caabc8a22b6b3f6784a8a9b0a32f0a362f9efb92dc70d29752
            • Instruction Fuzzy Hash: 01419271A18B8281EB20DF25AA4856973A5FB46795F644332EEEDC37A4EF7CD441C310
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: free
            • String ID: @$SeDebugPrivilege
            • API String ID: 1294909896-3223528420
            • Opcode ID: 23216d7dc9d9bb7185eb783ef61c10f3e1c46da9a1b2c3763caab6a19a5dd595
            • Instruction ID: edbadd19850c06cb5dd1c212988b272b5624fb4deedb937a29be5dfd4b91e158
            • Opcode Fuzzy Hash: 23216d7dc9d9bb7185eb783ef61c10f3e1c46da9a1b2c3763caab6a19a5dd595
            • Instruction Fuzzy Hash: 33C1B1767116009AFB11CFAAE4687DD3BB2FB58B88F844115EE0A67B5ADF38C541C704
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free
            • String ID: @$SeDebugPrivilege
            • API String ID: 1294909896-3223528420
            • Opcode ID: 23216d7dc9d9bb7185eb783ef61c10f3e1c46da9a1b2c3763caab6a19a5dd595
            • Instruction ID: 868310fa1c3409d26400912f2a54036512d345bd4e997e155462f9c004d9028d
            • Opcode Fuzzy Hash: 23216d7dc9d9bb7185eb783ef61c10f3e1c46da9a1b2c3763caab6a19a5dd595
            • Instruction Fuzzy Hash: B2C16D72B09642CAEB50CFA6E4406ADB3B1FB88B89B444535DE8D9BB58DF3CE501C714
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: malloc$_snprintf
            • String ID: %s %s
            • API String ID: 4147802357-2939940506
            • Opcode ID: d2ed39a3e9ec7a6d063647c1d438342ce204c75dabad0e4ff580f03266707591
            • Instruction ID: 8d4e1a62fae7bf21bb1ddadf7a2b38e148a9b1e1cddee21ed21e112685632e61
            • Opcode Fuzzy Hash: d2ed39a3e9ec7a6d063647c1d438342ce204c75dabad0e4ff580f03266707591
            • Instruction Fuzzy Hash: 2B815C33205B9491F77A8B2594283E967D2F3A9B84FC88124DF9E5B3C5DE3EC1858710
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free
            • String ID: *.*$iehistory$mapi
            • API String ID: 1294909896-3549654276
            • Opcode ID: fea3ffd2c81ef5414e77fd2f8e429eb9414b75bdc89a7c3f483cf34a272f76af
            • Instruction ID: 6903dcd38eb36101b7396df113b030613b6e3c9ae3f0618651046e12961f4e0e
            • Opcode Fuzzy Hash: fea3ffd2c81ef5414e77fd2f8e429eb9414b75bdc89a7c3f483cf34a272f76af
            • Instruction Fuzzy Hash: 4A918D32600B44A9EB69DF61D4642EC33B2F764B88FC04526DE4E67B98EF36C695C700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: calloc
            • String ID: GET$POST
            • API String ID: 2635317215-3192705859
            • Opcode ID: e3530a0a9bc2de643bb558101611f562ff7ec95c7328bd52194f3f7189cd8f35
            • Instruction ID: 2241f2a76b8374d21b34095450a65b53c833c2a7cf764caddf86749133612046
            • Opcode Fuzzy Hash: e3530a0a9bc2de643bb558101611f562ff7ec95c7328bd52194f3f7189cd8f35
            • Instruction Fuzzy Hash: 69616E76211B40AAFB56DF65D5683DC3BE2F758B88F804029EA4967B5AEB34C584C340
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: calloc
            • String ID: GET$POST
            • API String ID: 2635317215-3192705859
            • Opcode ID: e3530a0a9bc2de643bb558101611f562ff7ec95c7328bd52194f3f7189cd8f35
            • Instruction ID: 647a3a465f4f618bd581b3b888d26080fbe926b02d28f70159b1c630239b0cfd
            • Opcode Fuzzy Hash: e3530a0a9bc2de643bb558101611f562ff7ec95c7328bd52194f3f7189cd8f35
            • Instruction Fuzzy Hash: 19616C76A09B42CAEB94CFA1D4502ACB3B5FB49B89F004136EE8D8BB48DF38D555C350
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errno$_calloc_implcalloc
            • String ID:
            • API String ID: 2131746273-0
            • Opcode ID: a72ed84a436fd8fdb25e73302378f7ef63adb497467cf23c2a7ecd677728d2df
            • Instruction ID: 9f8de3e26fef838389e2565420c7258d568880b964b17c96c573f671bb2d4233
            • Opcode Fuzzy Hash: a72ed84a436fd8fdb25e73302378f7ef63adb497467cf23c2a7ecd677728d2df
            • Instruction Fuzzy Hash: C451C232300641ABFB21CF65D968BED3BB2FB54B48FC440259E1967A66EF34D489C740
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errno$_calloc_implcalloc
            • String ID:
            • API String ID: 2131746273-0
            • Opcode ID: a72ed84a436fd8fdb25e73302378f7ef63adb497467cf23c2a7ecd677728d2df
            • Instruction ID: 4129af6b46435f3560b9c3f92c68bfbc14c12d6aa87b72807df672105df9f5b7
            • Opcode Fuzzy Hash: a72ed84a436fd8fdb25e73302378f7ef63adb497467cf23c2a7ecd677728d2df
            • Instruction Fuzzy Hash: CE519F32A046429BE754DFA5D9806B973B1FF89B89B408035DA8DC7A50EF38E559C720
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$htonlmalloc
            • String ID:
            • API String ID: 568810363-0
            • Opcode ID: 890db832e78e5f2de6d50834150a08002f2c551a82fa1ad0de0624690ad3b38c
            • Instruction ID: 3876ae2c5772b98bf10148328b35427ed8caaf183ec0c183c747e9a062dec975
            • Opcode Fuzzy Hash: 890db832e78e5f2de6d50834150a08002f2c551a82fa1ad0de0624690ad3b38c
            • Instruction Fuzzy Hash: 02412C3160474056EAE29A1AE42C3DDA392F7AAFC5F844039DD5933B55EF38C8A1B344
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: htonl$Library$AddressFreeLoadProc
            • String ID:
            • API String ID: 3905280739-0
            • Opcode ID: 5376ae11cea6828386bf6c6c694d69a1967ccfa447d82b8256f49537b36393fc
            • Instruction ID: 7a0385e6e80a4950f3e942fae0029101307affbf2bfaf428b9a5b85fae579f19
            • Opcode Fuzzy Hash: 5376ae11cea6828386bf6c6c694d69a1967ccfa447d82b8256f49537b36393fc
            • Instruction Fuzzy Hash: 15515A73601B94DEE719CF65D8983DC3BB2F744B98F804029DE0967B98DB388589C744
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ContextThread$ErrorLasthtonl
            • String ID:
            • API String ID: 3697063647-0
            • Opcode ID: f1e057b5457ac034bcc96b9c0015a5307798a7a2cafb2329922f03120cbd5177
            • Instruction ID: 9bbea79d457113eb3df93d73da92893bc8d6bf9c1861a21d5464a386c5259e2d
            • Opcode Fuzzy Hash: f1e057b5457ac034bcc96b9c0015a5307798a7a2cafb2329922f03120cbd5177
            • Instruction Fuzzy Hash: 3D419032304B8592EB25CB52E8187AA63A2F799FC4FC44025DE4D97754EF39C689CB40
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: _errnohtonl$AddressHandleModuleProc_calloc_implcallocfree
            • String ID:
            • API String ID: 3702241348-0
            • Opcode ID: 1ca300289a2fba0e4c7def60b9fdab5d438626132dd4516567297473086f444b
            • Instruction ID: d3e250c98bf794b711a3f5a22f6190c9b2ca4f56c8ab46627e3c44bad91e47e4
            • Opcode Fuzzy Hash: 1ca300289a2fba0e4c7def60b9fdab5d438626132dd4516567297473086f444b
            • Instruction Fuzzy Hash: 90517973A00A40DEE725CF20E4983DD37A2E354368F804215DBAA67BD8DB39C699CB40
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errno$_callnewhfreemalloc
            • String ID:
            • API String ID: 3099215566-0
            • Opcode ID: 1715452ac9d59a28947f6120a9b831c2eb4cf44146119f1240c618386cc96717
            • Instruction ID: bef1978bbf8017106a5884a0ea54fc2ef0baa210106ce16e2a6ba75595f5e555
            • Opcode Fuzzy Hash: 1715452ac9d59a28947f6120a9b831c2eb4cf44146119f1240c618386cc96717
            • Instruction Fuzzy Hash: 9F310B712003409BFB26DF1AE464299BBA2F758790F844124DF5B23B72DB38D4C1CB00
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errno$_callnewhfreemalloc
            • String ID:
            • API String ID: 3099215566-0
            • Opcode ID: 1715452ac9d59a28947f6120a9b831c2eb4cf44146119f1240c618386cc96717
            • Instruction ID: 549a3c36d536d3245b57a578a3f8d0585cd4cfce1b079d4db6b806520c6352c0
            • Opcode Fuzzy Hash: 1715452ac9d59a28947f6120a9b831c2eb4cf44146119f1240c618386cc96717
            • Instruction Fuzzy Hash: 3431AE76A087428BE668DF26E480569F7A1FF89792B148134DE8F97B61DF3CE441CB10
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _amsg_exit_flush_lock_mtinitlocknum
            • String ID:
            • API String ID: 595854648-0
            • Opcode ID: 56129ed23025e733c2b0fa4e3f1f76a7ba5e138df47810ea0997d9d3a0c8d19f
            • Instruction ID: 811d69e6f2223a28c6490cae3bb22eff072d0c98ab2dbbc8b0f4d226d1dad2cd
            • Opcode Fuzzy Hash: 56129ed23025e733c2b0fa4e3f1f76a7ba5e138df47810ea0997d9d3a0c8d19f
            • Instruction Fuzzy Hash: CC31E43120064463FAA79B75947C3AE6783A7B5794FD416149E5E732F3EA34E4C18300
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorFileLastNamedPeekPipeReadSleep
            • String ID:
            • API String ID: 3382443847-0
            • Opcode ID: 8c315ad115e6e2a5c2e546bc0396f830cd7a585a7b6ee8681872a26c01584d20
            • Instruction ID: 4790bb0671c00a93ef1426db7149bd74d2df9cbffedca16fbb705e70a2e9f5a5
            • Opcode Fuzzy Hash: 8c315ad115e6e2a5c2e546bc0396f830cd7a585a7b6ee8681872a26c01584d20
            • Instruction Fuzzy Hash: D931C333304B8196E7358B51A868B9A63A2F788B80FD441249F4D67B54DF3EC685CB04
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 0009b332f9c4375e5867cde13646a856c5028eddceddb7f9fedc4e52a6db573f
            • Instruction ID: 0849ff0f3a16091c81dc5fe462fe21805489d2ddafe1b64f037b97008c67bdf6
            • Opcode Fuzzy Hash: 0009b332f9c4375e5867cde13646a856c5028eddceddb7f9fedc4e52a6db573f
            • Instruction Fuzzy Hash: 06418237205F84C6D7A58F29E88038E73A9F388B98F544126DE8D57B28DF39C594CB50
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 8a97fdd36363a956979e504a2964a120993c384a54dd9af2397c8cc512a2edb4
            • Instruction ID: 46b76d0427d414126cdd8029c50a9f11a76d26d73de08aba05b9937565d27f76
            • Opcode Fuzzy Hash: 8a97fdd36363a956979e504a2964a120993c384a54dd9af2397c8cc512a2edb4
            • Instruction Fuzzy Hash: 55419237205F84C6D7A58F29E48038E73A9F388B98F544126DE8D53B28DF39C594CB50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: htonl$freemalloc
            • String ID:
            • API String ID: 1249573706-0
            • Opcode ID: ae372f8731ea0a1412ff2b5a7b34d5c8172db378fd0397a5600818ef50433c68
            • Instruction ID: 1936f21d16d70953b2f964ebf39121d0dbc838c0300c89969a3a216382dbe770
            • Opcode Fuzzy Hash: ae372f8731ea0a1412ff2b5a7b34d5c8172db378fd0397a5600818ef50433c68
            • Instruction Fuzzy Hash: 2A213533700790A3EA81DF56E85C59DB7A1F7AAF88F864029DE5833751EB38D982C700
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 961bbe4bce6e952cc6e391b3a676fb57778e96f548e80af83dd4086fcafc54eb
            • Instruction ID: 1706cdd4fa1048212af3ad13b938d13afcd558639a7fd0cdfd08a35e0ec669ce
            • Opcode Fuzzy Hash: 961bbe4bce6e952cc6e391b3a676fb57778e96f548e80af83dd4086fcafc54eb
            • Instruction Fuzzy Hash: DF418237205F84C6D7A58F29E49038E73A5F388B98F544126DE8D53B28DF39C594CB50
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: b36d027b8fb8e75f22546ac74bd9ba6890e66ba9b25597f78ba2785b586e5f16
            • Instruction ID: c4cfd7810f6a461ed20cbf76b1c12e3ec5822f969be7baa35b678b8e6b5e18c8
            • Opcode Fuzzy Hash: b36d027b8fb8e75f22546ac74bd9ba6890e66ba9b25597f78ba2785b586e5f16
            • Instruction Fuzzy Hash: BD319237205F84C6D7A58F29E49038E73A5F388B98F544126DE8D53B28DF39C594CB50
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 8a3b29018c50c804570f4a0c5c4354fbcbd1b0bf9dea142a7a3db6586bd301ad
            • Instruction ID: 507e057d4ff8e0875c5c7338732c6c17df9e2530b2c22f91a7191441105efb6a
            • Opcode Fuzzy Hash: 8a3b29018c50c804570f4a0c5c4354fbcbd1b0bf9dea142a7a3db6586bd301ad
            • Instruction Fuzzy Hash: 2C319137205F84C6D7A58F69E89038DB3A9F388B98F504126DE8D53B68EF39C594CB50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$CloseHandleNextThread32
            • String ID:
            • API String ID: 3034546079-0
            • Opcode ID: bdb0b287e609f6417a68aa905ea501fc981ad916c0905da0cc8fc65d9565ffc9
            • Instruction ID: 494b8df6e31d5215bc84f739733795fa9974aaa912ecafc3a4f561821121cf0d
            • Opcode Fuzzy Hash: bdb0b287e609f6417a68aa905ea501fc981ad916c0905da0cc8fc65d9565ffc9
            • Instruction Fuzzy Hash: B1219136300B4096EB3A9B12A8683AD63A2F798BC4FC44125DE8DA7755DF3DD6858B00
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 38357cf04a0ef8a3a7e7e53a56753e7b1b7ec872128b417f68417ee6f4d0fcb0
            • Instruction ID: e5033f10f2d9d6df18043786dd23e5f400e3541407187fd1b0eb9aa3bb391cdc
            • Opcode Fuzzy Hash: 38357cf04a0ef8a3a7e7e53a56753e7b1b7ec872128b417f68417ee6f4d0fcb0
            • Instruction Fuzzy Hash: 6B31A137205F84C6D7A58F69E89038DB3A9F388B98F504126DE8D53B68EF39C594CB50
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 0911b0b7292fdcb34a377d1bd49c82e9dd2fdfc4310280cf6df4f845eafb63a5
            • Instruction ID: cfc71427ba2ab5973fe3af9f9a70f37ef1c9f3621cbfc2c4c2a869596a87a243
            • Opcode Fuzzy Hash: 0911b0b7292fdcb34a377d1bd49c82e9dd2fdfc4310280cf6df4f845eafb63a5
            • Instruction Fuzzy Hash: C231B137205F84C6D7A58F69E89034DB3A9F388BA8F504126DE8D53B68EF39C594CB50
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 309f65d7430a7ede92f901402b21ba5af7c81315e832f93af3e38bbe622ad181
            • Instruction ID: 6a019785da6827cdc6efaade90efb82b557ac83e665e76a87c3313244d05ba61
            • Opcode Fuzzy Hash: 309f65d7430a7ede92f901402b21ba5af7c81315e832f93af3e38bbe622ad181
            • Instruction Fuzzy Hash: 3131C137205F84C6D7A58F69E49034DB3A9F388BA8F500126DE8D53B68DF39C590CB50
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: dc708c3cbdea6408244af85538070493aa0562a1572f08c9971bc3dd54a89141
            • Instruction ID: 1aecf903d15fc364ebe6a0e5ff664a214801af73b7410e025043529a365e25d3
            • Opcode Fuzzy Hash: dc708c3cbdea6408244af85538070493aa0562a1572f08c9971bc3dd54a89141
            • Instruction Fuzzy Hash: 5131DF37205F84C6D7658F69E89034EB3A9F388BA8F500126DE8D53B68DF39C5A0CB50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmpDownload File
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
            • String ID:
            • API String ID: 4151157258-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLastSleepselectsend
            • String ID:
            • API String ID: 3306477828-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: AsyncCreateStateThreadcallocfree
            • String ID:
            • API String ID: 1391261026-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: File$CloseCreateErrorHandleLastWrite
            • String ID:
            • API String ID: 1150274393-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: Virtual$AllocFreeLibraryLoadstrrchr
            • String ID:
            • API String ID: 294874469-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide$callocfree
            • String ID:
            • API String ID: 1064854850-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: htonl
            • String ID:
            • API String ID: 2009864989-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 0119f77a87d170831058f5772bf9f175683dfdbca7c34f84749e0f6c7f6df86a
            • Instruction ID: 665a14c0cfebed7eb3dcfcbd698054b0fa9e41cef3af18eb0b29053b7abbcce5
            • Opcode Fuzzy Hash: 0119f77a87d170831058f5772bf9f175683dfdbca7c34f84749e0f6c7f6df86a
            • Instruction Fuzzy Hash: F2017C37204B40D2E73A9F65F42479D63A5F3A8BA8F844426CE4A23794DF3AC6D5C760
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errno$DuplicateErrorLastSocket_calloc_implcallocfree
            • String ID:
            • API String ID: 3321659797-0
            • Opcode ID: 40b64a1e334d0a5843f6c44a3cdb12d3cff1bb165a2866399e38696418b02686
            • Instruction ID: a3e91d6b5d96755b5adbb2de79d5e16a2d7bf300aac1114dff53e10b2a945a61
            • Opcode Fuzzy Hash: 40b64a1e334d0a5843f6c44a3cdb12d3cff1bb165a2866399e38696418b02686
            • Instruction Fuzzy Hash: 0E017532304B80A3E781DF19E4582D9B362F799F85F944431EF49A7755EF38C4908740
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: a8b14fb963145ea40e1fd42abefed3bbbc89b424a5189abefb5c4cb15c71f065
            • Instruction ID: 39ace713e4d161b4f860031522fe237dbaf19649c39c1a22c69d09807896e990
            • Opcode Fuzzy Hash: a8b14fb963145ea40e1fd42abefed3bbbc89b424a5189abefb5c4cb15c71f065
            • Instruction Fuzzy Hash: B5017C33204B40D2E73A9F54F42439D63A5F3987A8F844426CE4A23794DF3AC2D5C720
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: fe5c8032e67dd4a70e54b145465bdb6484c70183efaf3ea2038e0ecd72095597
            • Instruction ID: 8b1f01ad11aefac479d3d923e1fc240a3c7d3d89fda106db348d79341cd7402d
            • Opcode Fuzzy Hash: fe5c8032e67dd4a70e54b145465bdb6484c70183efaf3ea2038e0ecd72095597
            • Instruction Fuzzy Hash: 01018B33204B40E2E73A9F54F42439D63A6F3A87A8F844422CE4A23794DF3AC2D5C720
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$CopyErrorFileLast
            • String ID:
            • API String ID: 2361750919-0
            • Opcode ID: 04fbc118ca90ef58a51ad2ca16f3affecb5bf2b2bbf92221e2e7f711c352e541
            • Instruction ID: d1f06142931680a5b3e4031212519c228e2fa33b94c154874136b0abbbf58b2b
            • Opcode Fuzzy Hash: 04fbc118ca90ef58a51ad2ca16f3affecb5bf2b2bbf92221e2e7f711c352e541
            • Instruction Fuzzy Hash: E8F0363230175092EA6A5B17AC6839D5293E798FD1FC84034ED0E67765DE29D5818700
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: 5fdec89fd246f587448c05ba6ba590c57cffa6f8c99be0b2f6a6872c82137fff
            • Instruction ID: c7342dd3781de5910d00f0d8b0b851e60e1629d59768e496389d1cbbabfb75b3
            • Opcode Fuzzy Hash: 5fdec89fd246f587448c05ba6ba590c57cffa6f8c99be0b2f6a6872c82137fff
            • Instruction Fuzzy Hash: EE016D33204B40E3E73A9F54F42479D62A5F3A87A9FC44426CE4A63790DF3AC2D58721
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$ErrorFileLastMove
            • String ID:
            • API String ID: 2579794736-0
            • Opcode ID: abf2676fa037cc76b0f01ed62609b33c54d6df798fd6a384b41ea07f934a3459
            • Instruction ID: 168affbe17920da767c3c58eba2e1bf5478dfe975924a5f32d06ebe78a6cf69b
            • Opcode Fuzzy Hash: abf2676fa037cc76b0f01ed62609b33c54d6df798fd6a384b41ea07f934a3459
            • Instruction Fuzzy Hash: 29F04432301B4092EA6A9B13AC6839D5293F798FD1FC84034EE0E67764DF29CA828700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: LibraryStationWindow$AddressCloseCurrentDesktopsEnumFreeLoadOpenProcProcess
            • String ID:
            • API String ID: 688010510-0
            • Opcode ID: 33c82d07f4aa94bef77636cf45cd36c744fb05f72995f4954fd37c9335c6a5e1
            • Instruction ID: 7e8b1cd83130ee8567fcf0c704663251c094780ee7d4bbfd5cff121f7187edf6
            • Opcode Fuzzy Hash: 33c82d07f4aa94bef77636cf45cd36c744fb05f72995f4954fd37c9335c6a5e1
            • Instruction Fuzzy Hash: 81017172614B8092EB259B21F81868AB7A5F79CB80F844525E9CD53B58DF3DD285CB00
            APIs
            • GetLastError.KERNEL32 ref: 0000021957DC632A
            • FormatMessageA.KERNEL32 ref: 0000021957DC6363
            • free.LIBCMT ref: 0000021957DC6385
              • Part of subcall function 0000021957DDB178: RtlFreeHeap.NTDLL(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB18E
              • Part of subcall function 0000021957DDB178: _errno.LIBCMT ref: 0000021957DDB198
              • Part of subcall function 0000021957DDB178: GetLastError.KERNEL32(?,?,00000000,0000021957DE21D2,?,?,0000000D,0000021957DDFDA9,?,?,?,?,0000021957DDB256,?,?,0000000D), ref: 0000021957DDB1A0
            • SetLastError.KERNEL32 ref: 0000021957DC638D
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$FormatFreeHeapMessage_errnofree
            • String ID:
            • API String ID: 1334669472-0
            • Opcode ID: d6450621c5df6ea222984b67e4fff5be3be6f50341360181a62432c63a3db4aa
            • Instruction ID: 23248f151a7512c3df29c1dc60d736bba120a0f4a9fd7694dd77da6135fd5a27
            • Opcode Fuzzy Hash: d6450621c5df6ea222984b67e4fff5be3be6f50341360181a62432c63a3db4aa
            • Instruction Fuzzy Hash: D6018133204B40E3E33A9F54F42479D62A5F3A83A5FC44426CE4A23790DF3AC2D58720
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: CloseHandle$ProcessTerminatefree
            • String ID:
            • API String ID: 2486429917-0
            • Opcode ID: ed920a9aa6ed4640d6534cd29f22e35118faf3dd4b66bdcd5d9089d7583f7748
            • Instruction ID: 585fab9fa12442cd4128244e1e267a211bb3b352b6678689b45b58c326e3372f
            • Opcode Fuzzy Hash: ed920a9aa6ed4640d6534cd29f22e35118faf3dd4b66bdcd5d9089d7583f7748
            • Instruction Fuzzy Hash: 8DF0123230064091EB6DDB22E9A87A92362EBA5FC4FC84421DE5957755CF39C5D48700
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: _snwprintf_s_vsnwprintf_s_lfreemallocwcschr
            • String ID: %04x-%04x:%s
            • API String ID: 560100814-4041933335
            • Opcode ID: b338fccbefd3ff4956156b6b46d4acd11d860efc8a531b3e563e32edbd22cff0
            • Instruction ID: 1a9a67489964ce9a1cde6065f4cb21d9b271af3ea9611159f19a5bb93343d69b
            • Opcode Fuzzy Hash: b338fccbefd3ff4956156b6b46d4acd11d860efc8a531b3e563e32edbd22cff0
            • Instruction Fuzzy Hash: 54219F72218A81A2EB20DF14F4543DEB771F798784F804126EB8997B59DF3CC589CB40
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _snwprintf_s_vsnwprintf_s_lfreemallocwcschr
            • String ID: %04x-%04x:%s
            • API String ID: 560100814-4041933335
            • Opcode ID: b338fccbefd3ff4956156b6b46d4acd11d860efc8a531b3e563e32edbd22cff0
            • Instruction ID: 6ea6b948bf080cb27bee01c0318fbf32697684546ae6569e7278d7b2fca2ef5a
            • Opcode Fuzzy Hash: b338fccbefd3ff4956156b6b46d4acd11d860efc8a531b3e563e32edbd22cff0
            • Instruction Fuzzy Hash: E6216BB2618A8282E760DF50E4402AEB371FB89785F808136EBCD87A58DF3CD549CB50
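            The two records above share Opcode ID b338fccbefd3ff4956156b6b46d4acd11d860efc8a531b3e563e32edbd22cff0 (API set _snwprintf_s/_vsnwprintf_s_l/free/malloc/wcschr, format string "%04x-%04x:%s") but come from two different memory regions, offsets 0000021955170000 and 00007FF6CFAF4000. Spotting the same function body in more than one region is the kind of check worth running over the whole record list rather than by eye. The parser below is an added example, not part of the Joe Sandbox report or its tooling; it assumes the record layout as rendered here (each record opens with an "APIs" line and carries "•"-prefixed key/value fields), and its sample input is an abbreviated, constructed copy of three records from this page.

```python
"""Parse Joe Sandbox per-function 'Similarity' records and report Opcode IDs
that occur in more than one memory region (added example, not report code)."""
import re
from collections import defaultdict

# Constructed sample: three records copied in abbreviated form from the report
# above. Field names and the 'APIs' record delimiter are assumed from the page.
SAMPLE = """\
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
Similarity
• API ID: _snwprintf_s_vsnwprintf_s_lfreemallocwcschr
• String ID: %04x-%04x:%s
• API String ID: 560100814-4041933335
• Opcode ID: b338fccbefd3ff4956156b6b46d4acd11d860efc8a531b3e563e32edbd22cff0
• Instruction ID: 1a9a67489964ce9a1cde6065f4cb21d9b271af3ea9611159f19a5bb93343d69b
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
Similarity
• API ID: _snwprintf_s_vsnwprintf_s_lfreemallocwcschr
• String ID: %04x-%04x:%s
• API String ID: 560100814-4041933335
• Opcode ID: b338fccbefd3ff4956156b6b46d4acd11d860efc8a531b3e563e32edbd22cff0
• Instruction ID: 6ea6b948bf080cb27bee01c0318fbf32697684546ae6569e7278d7b2fca2ef5a
APIs
Memory Dump Source
• Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
Similarity
• API ID: CloseHandle$ProcessTerminatefree
• String ID:
• API String ID: 2486429917-0
• Opcode ID: ed920a9aa6ed4640d6534cd29f22e35118faf3dd4b66bdcd5d9089d7583f7748
• Instruction ID: 585fab9fa12442cd4128244e1e267a211bb3b352b6678689b45b58c326e3372f
"""

# A bullet field: "• <key>: <value>"; the key runs up to the first colon.
FIELD = re.compile(r"^\s*•\s*([^:]+?):\s*(.*)$")


def parse_records(text):
    """Split the dump into records, one per 'APIs' line, and collect the
    bullet fields of each. Only the first occurrence of a key is kept, so the
    'Source File' line wins over later 'Associated' dump lines."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            if cur is not None:
                records.append(cur)
            cur = {}
            continue
        m = FIELD.match(line)
        if cur is None or not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            # Format: '<dump>.sdmp, Offset: <hex base>, based on PE: <bool>'
            off = re.search(r"Offset:\s*([0-9A-Fa-f]+)", val)
            cur["offset"] = int(off.group(1), 16) if off else None
            cur["dump"] = val.split(",")[0].strip()
        elif key not in cur:
            cur[key] = val
    if cur is not None:
        records.append(cur)
    return records


def cross_region_duplicates(records):
    """Return {opcode_id: [region offsets]} for every Opcode ID that appears
    in more than one memory region. Identical code in two regions usually
    means the same module is mapped twice (e.g. on-disk image plus an
    in-memory copy), which is what an analyst wants flagged."""
    by_id = defaultdict(set)
    for r in records:
        if r.get("Opcode ID") and r.get("offset") is not None:
            by_id[r["Opcode ID"]].add(r["offset"])
    return {k: sorted(v) for k, v in by_id.items() if len(v) > 1}


if __name__ == "__main__":
    for opcode_id, offsets in cross_region_duplicates(parse_records(SAMPLE)).items():
        print(opcode_id, ["%016X" % o for o in offsets])
```

Run against the full report text instead of SAMPLE, the same two functions cluster by Opcode ID while their Instruction IDs differ, which is expected: Opcode ID hashes the instruction mnemonics, so it survives relocation, while Instruction ID covers operands too.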
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$AddressEnvironmentExpandFindProcResourceStrings
            • String ID: enable_keyboard_input
            • API String ID: 2475682762-3233768151
            • Opcode ID: fbd8193898ecd806aed7b6cc7ec08c8a7b46eef102ea42e383cbff00a7b09e42
            • Instruction ID: 9446bd5f3e877784199d39af5cda6a35978ccc735271ac5818e9f027e2e46e48
            • Opcode Fuzzy Hash: fbd8193898ecd806aed7b6cc7ec08c8a7b46eef102ea42e383cbff00a7b09e42
            • Instruction Fuzzy Hash: 93118632305B40A1EA2EDB52FC683A923A6F798FC0FD84425DE09A7764DE3DD6858301
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: ErrorLast$AddressEnvironmentExpandFindProcResourceStrings
            • String ID: enable_mouse_input
            • API String ID: 2475682762-3380222899
            • Opcode ID: e4b39d26d9e3154d9fbeb473b1af57b0199762d8d4ebd8829e46fc8908c717b7
            • Instruction ID: cc69e7b3f8605ab4ad48f5e52a695ca4cd2cfe43ab8085907d552f6581ec9cc0
            • Opcode Fuzzy Hash: e4b39d26d9e3154d9fbeb473b1af57b0199762d8d4ebd8829e46fc8908c717b7
            • Instruction Fuzzy Hash: 76118632301B4091EA2E9B52E8693A927A6F798FC0FD98425DE4963764DF3DD6858340
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: __acrt_iob_func
            • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
            • API String ID: 711238415-3474627141
            • Opcode ID: 9ec9a556a902d98af3390a507ec8541118e4aa21f1c82731b139f6564ab1c0ed
            • Instruction ID: 6133547343bae178da8a99a1bbf6cd85a09bee5455e994142a3ec0596689e906
            • Opcode Fuzzy Hash: 9ec9a556a902d98af3390a507ec8541118e4aa21f1c82731b139f6564ab1c0ed
            • Instruction Fuzzy Hash: 87018262908E85C2D6568F5CD8011EAB375FF5A75BF245321EACC6A221DF29E543C700
            APIs
            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CFAF1CD8
              • Part of subcall function 00007FF6CFAF2BB0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF6CFAF2D43,?,?,00007FF6CFB29040,00007FF6CFAF1341), ref: 00007FF6CFAF2BD8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: __acrt_iob_func__stdio_common_vfprintf
            • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
            • API String ID: 2168557111-4273532761
            • Opcode ID: 01069b4676a129e05d068e90eadb434e362a0ebc964021587c884500ba059737
            • Instruction ID: 3ab4164d5c19a2decd01b8270344001ea3c830e123d838c00856d99470660c15
            • Opcode Fuzzy Hash: 01069b4676a129e05d068e90eadb434e362a0ebc964021587c884500ba059737
            • Instruction Fuzzy Hash: 2AF06222818E9482D2418F18E8000BBB371FF4E78AF245325EFCD6A525DF29D6438710
            APIs
            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CFAF1CD8
              • Part of subcall function 00007FF6CFAF2BB0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF6CFAF2D43,?,?,00007FF6CFB29040,00007FF6CFAF1341), ref: 00007FF6CFAF2BD8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: __acrt_iob_func__stdio_common_vfprintf
            • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
            • API String ID: 2168557111-2187435201
            • Opcode ID: 6254d73716532f8dcee5f78eb379d763646bb1f21cb7a8effdfd2b7ea7e1ee22
            • Instruction ID: c2ca57fa909d266902c056ade390023eb248349c9b867d2daeeaeec004df740b
            • Opcode Fuzzy Hash: 6254d73716532f8dcee5f78eb379d763646bb1f21cb7a8effdfd2b7ea7e1ee22
            • Instruction Fuzzy Hash: F3F06222918E84C2D2418F18E8000BBB371FF4E78AF245325EFCD7A165DF29E6438710
            APIs
            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CFAF1CD8
              • Part of subcall function 00007FF6CFAF2BB0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF6CFAF2D43,?,?,00007FF6CFB29040,00007FF6CFAF1341), ref: 00007FF6CFAF2BD8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: __acrt_iob_func__stdio_common_vfprintf
            • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
            • API String ID: 2168557111-4064033741
            • Opcode ID: 1ce0803ee7eab606e81e78eefaa7d34457fc8279f129f9b5fb27725d4211bc1d
            • Instruction ID: 7ce32004c91a447c369fe219cb5455beb82ada45f9e5e7564825df7970e2a9ed
            • Opcode Fuzzy Hash: 1ce0803ee7eab606e81e78eefaa7d34457fc8279f129f9b5fb27725d4211bc1d
            • Instruction Fuzzy Hash: 3CF04F22818E8882D2418F18E8001ABA371FF4E78AF645325EBC96A165DF29D6438710
            APIs
            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CFAF1CD8
              • Part of subcall function 00007FF6CFAF2BB0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF6CFAF2D43,?,?,00007FF6CFB29040,00007FF6CFAF1341), ref: 00007FF6CFAF2BD8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: __acrt_iob_func__stdio_common_vfprintf
            • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
            • API String ID: 2168557111-4283191376
            • Opcode ID: 8c28d51093af53b62e1fc9fd7cfe2745504cb53a7335f5dc4b4bd7c8b2f25f65
            • Instruction ID: 2c52aea89559dc46e743747ca9a22ebf050cf2a28d0cf8bc328ddfd4204b6fa1
            • Instruction Fuzzy Hash: 55F06222818E84C2D2418F18E8001BBB371FF4E78AF245326EFCD6A165DF29D643D710
            APIs
            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CFAF1CD8
              • Part of subcall function 00007FF6CFAF2BB0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF6CFAF2D43,?,?,00007FF6CFB29040,00007FF6CFAF1341), ref: 00007FF6CFAF2BD8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: __acrt_iob_func__stdio_common_vfprintf
            • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
            • API String ID: 2168557111-2713391170
            • Opcode ID: 267471c44255c0dfd1c2115b4f8845c0500feb17f3f424f21d531695850d0cde
            • Instruction ID: 7235339090fc606cb8d4ddaf432984787b0fc4586fceb9e8673165774ed5e55e
            • Instruction Fuzzy Hash: 57F06222818E88C2D2418F18E8001BBB371FF5E78AF245325EFCD6A165DF29D6438710
            APIs
            • __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6CFAF1CD8
              • Part of subcall function 00007FF6CFAF2BB0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,00007FF6CFAF2D43,?,?,00007FF6CFB29040,00007FF6CFAF1341), ref: 00007FF6CFAF2BD8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426132115.00007FF6CFAF1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF0000, based on PE: true
            • Associated: 00000000.00000002.3426093901.00007FF6CFAF0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426344685.00007FF6CFB2D000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: __acrt_iob_func__stdio_common_vfprintf
            • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
            • API String ID: 2168557111-2468659920
            • Opcode ID: 79f4f680b976fa941c1ff49a4713427b82519ac18356db6ef44320d3450e7d2c
            • Instruction ID: 10fa2ab47fd954a5506971e32570c7baaf9e53be914ca964775d5c56c3f46b0f
            • Instruction Fuzzy Hash: 2CF01212914E9482D2429F18E8001ABB375FF5E78AF545326EFC96A525DF29D5438710
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errnomalloc$_callnewhfree
            • String ID:
            • API String ID: 2090933125-0
            • Opcode ID: ed84b8493de32bac47a7f475e9bb278b814d039c947005eb9d2e60b03103ef87
            • Instruction ID: e6320b9b208c763910e0ab262cf8c82229d9c52469442aacefab6207f5e0f3be
            • Instruction Fuzzy Hash: B851F172611784A7FB52DF58D46C7AD7BA6F724740F858024CE09673A6DB78C8C4C700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: _errnomalloc$_callnewhfree
            • String ID:
            • API String ID: 2090933125-0
            • Opcode ID: ed84b8493de32bac47a7f475e9bb278b814d039c947005eb9d2e60b03103ef87
            • Instruction ID: d800d990df85f8c9d1596a6d45c35c646d948bc0c25bef764e1a12723d63f9bc
            • Instruction Fuzzy Hash: 9E51AB72A19642C7EB98CF65D5447B9B7A4FB44795F068434CE8D8B281EF3CE844CB60
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID:
            • String ID: NtQueryInformationProcess$NtQueryObject$ZwSetIoCompletion$ntdll.dll
            • API String ID: 0-420758874
            • Opcode ID: ca1af204c64362ec079a1a4c0929eea6c168c130040c0dc6d62809e0d194fbe6
            • Instruction ID: b7d057397078bf7057a305710545b2a21e40ffdebe61f6f6799286dfb7fc820d
            • Instruction Fuzzy Hash: 89313760A09B4781FE459F11E99823467B6AF5BB82F648034DC8EC3764EF7DE445C320
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425643320.0000021957DB1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021957DB0000, based on PE: true
            • Associated: 00000000.00000002.3425625384.0000021957DB0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425816481.0000021957DF2000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425937258.0000021957E03000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E0D000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E19000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3425972988.0000021957E1C000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21957db0000_final.jbxd
            Similarity
            • API ID: free$EnvironmentErrorExpandLastStrings
            • String ID:
            • API String ID: 3442589191-0
            • Opcode ID: e61bddf0fbaf0db68676cc269bd23f61a58827fc189b4291af7285189f520680
            • Instruction ID: 78b86bb648d9014edb3ca0d71f67660460169f45a78f749d89ccd8f50f084054
            • Instruction Fuzzy Hash: AE21A83720578095EA7ADB16A42439D73A1F7A9BC4FC80025DF8D67755EF2EC6808B14
            APIs
            • free.LIBCMT ref: 0000021954FE4550
            • free.LIBCMT ref: 0000021954FE4558
            • free.LIBCMT ref: 0000021954FE452A
              • Part of subcall function 0000021954FF4158: RtlFreeHeap.NTDLL(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF416E
              • Part of subcall function 0000021954FF4158: _errno.LIBCMT ref: 0000021954FF4178
              • Part of subcall function 0000021954FF4158: GetLastError.KERNEL32(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF4180
            • free.LIBCMT ref: 0000021954FE4588
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$ErrorFreeHeapLast_errno
            • String ID:
            • API String ID: 1012874770-0
            • Opcode ID: 58eb744e31357a70e17cebc9daecc1ec3f48ed90dafc24d1588b8ec24bc8d8c5
            • Instruction ID: 2bd6c44eb23fa274d85d3e0e75feaa812398abe9fb1878a11a7a2ac95bbdb07c
            • Instruction Fuzzy Hash: E401333131154062EED7EF2AD47D2FC1362AFAAF84F8450355E2E3B656EE24C4E15700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$_errno
            • String ID:
            • API String ID: 2288870239-0
            • Opcode ID: ec69363483a77515a15a343108ad3511284fbe0945d8dd64a1cb965b501ff3ce
            • Instruction ID: f023b5dd4fe749d78daeab910ccad45b23165864018b745d9d6317b2fa0cc329
            • Instruction Fuzzy Hash: C401123132554062FE66EB2AD4752FC3A63BF94F84F885521EE5E6B6A7CE24C8D18700
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$_errno
            • String ID:
            • API String ID: 2288870239-0
            • Opcode ID: ec69363483a77515a15a343108ad3511284fbe0945d8dd64a1cb965b501ff3ce
            • Instruction ID: 3edb5f17e29f36c89a483b783c6eabd7690b1a83131247a1a43b795da826b8ae
            • Instruction Fuzzy Hash: D401A165B1A18281FE98EFA6D5A00BCA761EF89F85B144030DE9D8FA47CF2CE8518710
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: ByteCharMultiWide$callocfree
            • String ID:
            • API String ID: 1064854850-0
            • Opcode ID: 6f996f6c020e37df0a597e960e109f8f43cd1a56e26e2f72bbf35fa4bc2f0ba9
            • Instruction ID: 6e84b791c24c9017dd9c7300a8bd056ad716abb283b048ec0bb52629f48a78e7
            • Instruction Fuzzy Hash: 32012631300B4252F7B29B6EA42C3A96692A79ABD1F944334AF5867FD5EB38C4514700
            APIs
            • free.LIBCMT ref: 0000021954FEAC73
              • Part of subcall function 0000021954FF4158: RtlFreeHeap.NTDLL(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF416E
              • Part of subcall function 0000021954FF4158: _errno.LIBCMT ref: 0000021954FF4178
              • Part of subcall function 0000021954FF4158: GetLastError.KERNEL32(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF4180
            • free.LIBCMT ref: 0000021954FEAC8E
            • free.LIBCMT ref: 0000021954FEACA4
            • free.LIBCMT ref: 0000021954FEACB1
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$ErrorFreeHeapLast_errno
            • String ID:
            • API String ID: 1012874770-0
            • Opcode ID: bf4b34fe9fc4693e17b8513b56265d9b96bd7a8786b2768e31451d503792884e
            • Instruction ID: 05536beeb286f0e26d647357085ee88fa6888627c6bec2ac6c201b93636e52ec
            • Instruction Fuzzy Hash: F6F04432A1254473FFD79E6E807C3BC13529BB9F05F8505209E1A37791EB25C8A08320
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: CloseHandlefree
            • String ID:
            • API String ID: 3486141430-0
            • Opcode ID: f0ead06ac29b2ead9d8884f8ca0791d306ce580f02aa477a766b202bd1108efd
            • Instruction ID: ea171dec3ab498d66fba14ff44b9a26edbb3487a75ffa99e857fe8256b25fcdc
            • Instruction Fuzzy Hash: B8011231602940AAFFDBDF75807D7E42251AB79B35FC803349E3A2B1E5DB2485E6C251
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3425049585.0000021955170000.00000010.00001000.00020000.00000000.sdmp, Offset: 0000021955170000, based on PE: true
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21955170000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$_errno
            • String ID:
            • API String ID: 2288870239-0
            • Opcode ID: bf4b34fe9fc4693e17b8513b56265d9b96bd7a8786b2768e31451d503792884e
            • Instruction ID: 7805ce4ab43430d753f4440d25a5cb3f31b8317bf5a7a92b1dded92b1de4d8d5
            • Instruction Fuzzy Hash: A9F01232712648A1FF27AE69C4793BD3B52BB64F45F880914DD196AAD3CB29C8848311
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.3426172833.00007FF6CFAF4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00007FF6CFAF4000, based on PE: true
            • Associated: 00000000.00000002.3426297103.00007FF6CFB26000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.3426324957.00007FF6CFB2A000.00000004.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_7ff6cfaf0000_final.jbxd
            Yara matches
            Similarity
            • API ID: free$_errno
            • String ID:
            • API String ID: 2288870239-0
            • Opcode ID: bf4b34fe9fc4693e17b8513b56265d9b96bd7a8786b2768e31451d503792884e
            • Instruction ID: a61092842455d43ecae8f746e751cef1165505224f8f46056faec9188fcc5bc2
            • Instruction Fuzzy Hash: 86F01262A46649C1FF55AEA580A13BD5750EF45F46F140534DD8D8F785CF6DE8418330
            APIs
              • Part of subcall function 0000021954FED490: WaitForSingleObject.KERNEL32(?,?,?,?,0000021954FE5F17,?,?,00000000,0000021954FE5EE7,?,?,000000FF,0000021954FE86A7,?,?,00000000), ref: 0000021954FED49F
            • CloseHandle.KERNEL32 ref: 0000021954FE96E1
            • CloseHandle.KERNEL32 ref: 0000021954FE96EB
            • CloseHandle.KERNEL32 ref: 0000021954FE96F5
            • free.LIBCMT ref: 0000021954FE9707
              • Part of subcall function 0000021954FF4158: RtlFreeHeap.NTDLL(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF416E
              • Part of subcall function 0000021954FF4158: _errno.LIBCMT ref: 0000021954FF4178
              • Part of subcall function 0000021954FF4158: GetLastError.KERNEL32(?,?,00000000,0000021954FF842A,?,?,?,0000021954FF83A7,?,?,00000000,0000021954FF5139,?,?,000000FF,0000021954FEA0FA), ref: 0000021954FF4180
            Memory Dump Source
            • Source File: 00000000.00000002.3424579843.0000021954FE1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000021954FE0000, based on PE: true
            • Associated: 00000000.00000002.3424536913.0000021954FE0000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424610773.0000021955003000.00000002.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.000002195500D000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424633009.0000021955013000.00000004.00001000.00020000.00000000.sdmp
            • Associated: 00000000.00000002.3424693718.0000021955016000.00000002.00001000.00020000.00000000.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_21954fe0000_final.jbxd
            Yara matches
            Similarity
            • API ID: CloseHandle$ErrorFreeHeapLastObjectSingleWait_errnofree
            • String ID:
            • API String ID: 4048778503-0
            • Opcode ID: 87ea381ba6e4e823224ac75663981cbfbb2d838c99f1b2f31da1c3ce9e7e7624
            • Instruction ID: c37dba9d44a3d939e97dd9265027a5e9cf8b2138891fd1a2ee473271eca1e2ca
            • Instruction Fuzzy Hash: 58F0CD76211941A5EBD6DF26C4B93E92322EBADF99F8800318E1E6B365DF24C4D5C350