Edit tour

Windows Analysis Report
1735021454574.exe

Overview

General Information

Sample name:	1735021454574.exe
Analysis ID:	1583250
MD5:	561a88261d6c906c397723d0a484f366
SHA1:	96201e0ce8a4433b9d22ae77ecc16435d34a6216
SHA256:	9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Connects to many ports of the same IP (likely port scanning)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Self deletion via cmd or bat file

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Writes to foreign memory regions

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Internet Provider seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

1735021454574.exe (PID: 5256 cmdline: "C:\Users\user\Desktop\1735021454574.exe" MD5: 561A88261D6C906C397723D0A484F366)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmd.exe (PID: 7028 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 1612 cmdline: ping -n 2 127.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0x14609b:$s2: ~ Shell I 0x3192ec:$s2: ~ Shell I

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 1735021454574.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1735021454574.exe

Joe Sandbox ML: detected

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: apex_rep.listw.top
Source: C:\Windows\explorer.exe	Network Connect: 120.78.149.238 12368	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: apex_down.listw.top

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 120.78.149.238 ports 1,2,3,6,8,12368

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 2 127.1

Source: global traffic	TCP traffic: 192.168.2.6:49710 -> 120.78.149.238:12368
Source: global traffic	UDP traffic: 192.168.2.6:52507 -> 120.79.66.71:8081

Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd

Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114
Source: unknown	UDP traffic detected without corresponding DNS query: 223.5.5.5
Source: unknown	UDP traffic detected without corresponding DNS query: 114.114.114.114
Source: unknown	UDP traffic detected without corresponding DNS query: 223.5.5.5

Source: C:\Windows\explorer.exe

Code function: 1_2_00000001800033F0 socket,setsockopt,sendto,SleepEx,setsockopt,recvfrom,

1_2_00000001800033F0

Source: global traffic	DNS traffic detected: DNS query: apex_down.listw.top
Source: global traffic	DNS traffic detected: DNS query: apex_rep.listw.top

Source: explorer.exe, 00000001.00000002.3393916498.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3393916498.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000001.00000002.3393916498.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3393916498.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000001.00000002.3393916498.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3393916498.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000001.00000002.3393916498.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3393916498.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000978C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000001.00000002.3393916498.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000001.00000000.2152174541.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.2149575447.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.3392832890.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000001.00000002.3394302751.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153910424.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2979265872.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000001.00000000.2157386098.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397461382.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000001.00000002.3393916498.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000001.00000002.3393916498.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000001.00000002.3393916498.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000001.00000002.3393916498.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000001.00000002.3393916498.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000001.00000002.3393916498.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000001.00000003.3094610682.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397816522.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3368014122.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3316943409.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2981313458.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3075092379.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2157386098.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000001.00000003.3094610682.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397816522.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3368014122.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3316943409.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2981313458.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3075092379.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2157386098.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000001.00000000.2157386098.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397461382.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000001.00000002.3394302751.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153910424.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2979265872.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000001.00000003.3094610682.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397816522.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3368014122.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3316943409.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2981313458.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3075092379.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2157386098.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR

Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls

Source: C:\Users\user\Desktop\1735021454574.exe

Code function: 0_2_0000000140002260 GetModuleHandleA,GetLastError,GetProcAddress,GetLastError,GetProcAddress,GetLastError,NtQueryInformationProcess,

0_2_0000000140002260

Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_00000001400018F0	0_2_00000001400018F0
Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_000000014000A418	0_2_000000014000A418
Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_0000000140008220	0_2_0000000140008220
Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_0000000140002710	0_2_0000000140002710
Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_0000000140008F38	0_2_0000000140008F38
Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_0000000140004B44	0_2_0000000140004B44
Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_0000000140005DDC	0_2_0000000140005DDC
Source: C:\Windows\explorer.exe	Code function: 1_2_0868E804	1_2_0868E804
Source: C:\Windows\explorer.exe	Code function: 1_2_0868AFD4	1_2_0868AFD4
Source: C:\Windows\explorer.exe	Code function: 1_2_0000000180001000	1_2_0000000180001000
Source: C:\Windows\explorer.exe	Code function: 1_2_0000000180001ED0	1_2_0000000180001ED0
Source: C:\Windows\explorer.exe	Code function: 1_2_0000000180015028	1_2_0000000180015028
Source: C:\Windows\explorer.exe	Code function: 1_2_000000018000E89C	1_2_000000018000E89C
Source: C:\Windows\explorer.exe	Code function: 1_2_00000001800110D0	1_2_00000001800110D0
Source: C:\Windows\explorer.exe	Code function: 1_2_000000018000A900	1_2_000000018000A900
Source: C:\Windows\explorer.exe	Code function: 1_2_0000000180010188	1_2_0000000180010188
Source: C:\Windows\explorer.exe	Code function: 1_2_000000018001823C	1_2_000000018001823C
Source: C:\Windows\explorer.exe	Code function: 1_2_00000001800096B0	1_2_00000001800096B0
Source: C:\Windows\explorer.exe	Code function: 1_2_0000000180014310	1_2_0000000180014310

Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR

Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/2@4/3

Source: C:\Users\user\Desktop\1735021454574.exe

Code function: 0_2_0000000140003740 CreateToolhelp32Snapshot,GetLastError,Process32First,ProcessIdToSessionId,Process32Next,

0_2_0000000140003740

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5360:120:WilError_03
Source: C:\Users\user\Desktop\1735021454574.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C10811B2-10C9-4d62-9E16-FBC7EB569DD4}

Source: C:\Users\user\Desktop\1735021454574.exe

File created: C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat

Jump to behavior

Source: C:\Users\user\Desktop\1735021454574.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat""

Source: 1735021454574.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1735021454574.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1735021454574.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\1735021454574.exe "C:\Users\user\Desktop\1735021454574.exe"
Source: C:\Users\user\Desktop\1735021454574.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 2 127.1
Source: C:\Users\user\Desktop\1735021454574.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat""	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 2 127.1	Jump to behavior

Source: C:\Users\user\Desktop\1735021454574.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: workfoldersshell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InProcServer32

Jump to behavior

Source: 1735021454574.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: C:\Users\user\Desktop\1735021454574.exe

Code function: 0_2_00000001400099B0 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00000001400099B0

Source: C:\Windows\explorer.exe	Code function: 1_2_08659446 push rbx; ret	1_2_08659447
Source: C:\Windows\explorer.exe	Code function: 1_2_0866EC4D push rax; retf	1_2_0866EC53
Source: C:\Windows\explorer.exe	Code function: 1_2_0866F0E6 push 00000051h; iretd	1_2_0866F0F6
Source: C:\Windows\explorer.exe	Code function: 1_2_08669CB2 push rbp; retf	1_2_08669CB3
Source: C:\Windows\explorer.exe	Code function: 1_2_0866F110 push 00000051h; iretd	1_2_0866F0F6
Source: C:\Windows\explorer.exe	Code function: 1_2_08669DFF push rdi; iretd	1_2_08669E00
Source: C:\Windows\explorer.exe	Code function: 1_2_0866A28F push rdi; ret	1_2_0866A297
Source: C:\Windows\explorer.exe	Code function: 1_2_086697BF pushfq ; ret	1_2_086697C4
Source: C:\Windows\explorer.exe	Code function: 1_2_086AD44A push ebp; iretd	1_2_086AD44B
Source: C:\Windows\explorer.exe	Code function: 1_2_086AEA37 push 8D48C2CDh; iretd	1_2_086AEA3F
Source: C:\Windows\explorer.exe	Code function: 1_2_086AE6F0 push ds; ret	1_2_086AE6F2
Source: C:\Windows\explorer.exe	Code function: 1_2_086AAEDB push cs; iretd	1_2_086AAF72
Source: C:\Windows\explorer.exe	Code function: 1_2_086AB115 push es; iretd	1_2_086AB11C
Source: C:\Windows\explorer.exe	Code function: 1_2_086AB1DC push esi; retf	1_2_086AB1EA
Source: C:\Windows\explorer.exe	Code function: 1_2_086AB988 push edi; retf	1_2_086AB993
Source: C:\Windows\explorer.exe	Code function: 1_2_000000018003F9FF push edi; iretd	1_2_000000018003FA00
Source: C:\Windows\explorer.exe	Code function: 1_2_00000001800415FC push eax; iretd	1_2_0000000180041609
Source: C:\Windows\explorer.exe	Code function: 1_2_0000000180041245 push ebp; retf	1_2_0000000180041262
Source: C:\Windows\explorer.exe	Code function: 1_2_0000000180041C4D pushfd ; ret	1_2_0000000180041C4E
Source: C:\Windows\explorer.exe	Code function: 1_2_000000018004484D push eax; retf	1_2_0000000180044853
Source: C:\Windows\explorer.exe	Code function: 1_2_000000018003FE8E push edi; ret	1_2_000000018003FE97
Source: C:\Windows\explorer.exe	Code function: 1_2_000000018003F8B2 push ebp; retf	1_2_000000018003F8B3
Source: C:\Windows\explorer.exe	Code function: 1_2_000000018003F3BF pushfd ; ret	1_2_000000018003F3C4
Source: C:\Windows\explorer.exe	Code function: 1_2_00000001800415D9 push eax; iretd	1_2_0000000180041609

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd or bat file

Source: C:\Users\user\Desktop\1735021454574.exe

File created: C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat

Jump to dropped file

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 2 127.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 2 127.1			Jump to behavior

Source: C:\Windows\explorer.exe

Code function: malloc,GetAdaptersInfo,malloc,swscanf,swscanf,

1_2_00000001800072A0

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 866			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 885			Jump to behavior

Source: C:\Users\user\Desktop\1735021454574.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_0-5411
Source: C:\Windows\explorer.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_1-13454

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: explorer.exe, 00000001.00000002.3393916498.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000001.00000002.3394302751.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000001.00000002.3393916498.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000001.00000002.3394302751.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000001.00000000.2153130121.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000001.00000000.2149116519.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.2149116519.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000001.00000002.3393916498.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000978C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000001.00000002.3394302751.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000001.00000000.2149116519.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000001.00000000.2149116519.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000002.3394302751.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000

Source: C:\Users\user\Desktop\1735021454574.exe	API call chain: ExitProcess graph end node			graph_0-5412
Source: C:\Windows\explorer.exe	API call chain: ExitProcess graph end node			graph_1-13455

Source: C:\Users\user\Desktop\1735021454574.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1735021454574.exe

Code function: 0_2_000000014000456C RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_000000014000456C

Source: C:\Users\user\Desktop\1735021454574.exe

0_2_00000001400099B0

Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_000000014000B30C RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_000000014000B30C
Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_000000014000456C RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_000000014000456C
Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_0000000140009170 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0000000140009170
Source: C:\Users\user\Desktop\1735021454574.exe	Code function: 0_2_00000001400059DC SetUnhandledExceptionFilter,	0_2_00000001400059DC
Source: C:\Windows\explorer.exe	Code function: 1_2_086878E4 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_086878E4
Source: C:\Windows\explorer.exe	Code function: 1_2_0868E3F0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0868E3F0

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: apex_rep.listw.top
Source: C:\Windows\explorer.exe	Network Connect: 120.78.149.238 12368	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: apex_down.listw.top

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\1735021454574.exe

Memory allocated: C:\Windows\explorer.exe base: 8650000 protect: page read and write

Jump to behavior

Changes memory attributes in foreign processes to executable or writable

Source: C:\Users\user\Desktop\1735021454574.exe	Memory protected: C:\Windows\explorer.exe base: 8651000 protect: page execute read	Jump to behavior
Source: C:\Users\user\Desktop\1735021454574.exe	Memory protected: C:\Windows\explorer.exe base: 8650000 protect: page readonly	Jump to behavior
Source: C:\Users\user\Desktop\1735021454574.exe	Memory protected: C:\Windows\explorer.exe base: 8655000 protect: page readonly	Jump to behavior
Source: C:\Users\user\Desktop\1735021454574.exe	Memory protected: C:\Windows\explorer.exe base: 7FF6094DE728 protect: page read and write	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\Desktop\1735021454574.exe	Memory written: PID: 4004 base: 8650000 value: 00			Jump to behavior
Source: C:\Users\user\Desktop\1735021454574.exe	Memory written: PID: 4004 base: 7FF6094DE728 value: 00			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\1735021454574.exe	Memory written: C:\Windows\explorer.exe base: 8650000			Jump to behavior
Source: C:\Users\user\Desktop\1735021454574.exe	Memory written: C:\Windows\explorer.exe base: 7FF6094DE728			Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 2 127.1

Jump to behavior

Source: C:\Users\user\Desktop\1735021454574.exe

Code function: 0_2_0000000140003830 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreateMutexExW,GetLastError,GetCurrentThread,WaitForSingleObject,CloseHandle,

0_2_0000000140003830

Source: explorer.exe, 00000001.00000002.3390838691.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.2149465351.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000001.00000002.3391913904.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3390838691.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.2149465351.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000002.3390838691.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.2149465351.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000002.3390530988.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2149116519.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000001.00000002.3390838691.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.2149465351.00000000013A1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.2153910424.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2979265872.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3394302751.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\1735021454574.exe	Code function: GetLocaleInfoA,		0_2_000000014000B3F8
Source: C:\Windows\explorer.exe	Code function: GetLocaleInfoA,		1_2_08691180

Source: C:\Users\user\Desktop\1735021454574.exe

Code function: 0_2_0000000140006D94 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0000000140006D94

Source: C:\Windows\explorer.exe	Code function: 1_2_00000001800041E0 GlobalAlloc,socket,setsockopt,bind,listen,		1_2_00000001800041E0
Source: C:\Windows\explorer.exe	Code function: 1_2_0000000180003B40 socket,setsockopt,setsockopt,bind,setsockopt,recvfrom,		1_2_0000000180003B40

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Native API	1 Scripting	512 Process Injection	512 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	11 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	12 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1735021454574.exe	42%	ReversingLabs	Win32.Ransomware.Generic
1735021454574.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://excel.office.com-	0%	Avira URL Cloud	safe
https://powerpoint.office.comEMd	0%	Avira URL Cloud	safe
https://word.office.comM	0%	Avira URL Cloud	safe
https://outlook.come	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
apex_rep.listw.top	120.79.66.71	true	true		unknown
apex_down.listw.top	120.78.149.238	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000001.00000002.3393916498.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/I	explorer.exe, 00000001.00000002.3393916498.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000001.00000002.3393916498.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://excel.office.com-	explorer.exe, 00000001.00000003.3094610682.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397816522.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3368014122.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3316943409.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2981313458.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3075092379.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2157386098.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.comM	explorer.exe, 00000001.00000003.3094610682.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397816522.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3368014122.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3316943409.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2981313458.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3075092379.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2157386098.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000001.00000000.2152174541.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.2149575447.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.3392832890.0000000007B50000.00000002.00000001.00040000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.comEMd	explorer.exe, 00000001.00000000.2157386098.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397461382.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://android.notify.windows.com/iOS	explorer.exe, 00000001.00000000.2157386098.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397461382.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.come	explorer.exe, 00000001.00000003.3094610682.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3397816522.000000000C072000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3368014122.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3316943409.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2981313458.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3075092379.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2157386098.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000001.00000002.3394302751.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153910424.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2979265872.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 00000001.00000002.3393916498.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153130121.000000000962B000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/e	explorer.exe, 00000001.00000002.3394302751.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.2153910424.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2979265872.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark	explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei	explorer.exe, 00000001.00000000.2151376060.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3392061508.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
120.79.66.71	apex_rep.listw.top	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
120.78.149.238	apex_down.listw.top	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583250
Start date and time:	2025-01-02 09:28:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1735021454574.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/2@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 43 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 1735021454574.exe

Simulations

Behavior and APIs

Time	Type	Description
03:29:02	API Interceptor	583x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	armv4l.elf	Get hash	malicious	Unknown	Browse	59.82.127.195
	armv6l.elf	Get hash	malicious	Unknown	Browse	39.106.221.219
	DF2.exe	Get hash	malicious	Unknown	Browse	59.110.52.4
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	121.198.26.154
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	47.103.186.206
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	8.130.21.60
	0000000000000000.exe	Get hash	malicious	Nitol	Browse	39.103.20.97
	0000000000000000.exe	Get hash	malicious	Unknown	Browse	39.103.20.97
	kwari.mpsl.elf	Get hash	malicious	Unknown	Browse	42.120.21.89
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	47.124.9.123
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	armv4l.elf	Get hash	malicious	Unknown	Browse	59.82.127.195
	armv6l.elf	Get hash	malicious	Unknown	Browse	39.106.221.219
	DF2.exe	Get hash	malicious	Unknown	Browse	59.110.52.4
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	121.198.26.154
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	47.103.186.206
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	8.130.21.60
	0000000000000000.exe	Get hash	malicious	Nitol	Browse	39.103.20.97
	0000000000000000.exe	Get hash	malicious	Unknown	Browse	39.103.20.97
	kwari.mpsl.elf	Get hash	malicious	Unknown	Browse	42.120.21.89
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	47.124.9.123

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat

Download File

Process:	C:\Users\user\Desktop\1735021454574.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	293
Entropy (8bit):	5.20155858545543
Encrypted:	false
SSDEEP:	6:hmRQdzF27zLN2RUxiYMDw9FQLqIJmdUN2RUxi2HN723fCn:wu9U2yleqI2yjtaqn
MD5:	C27FBC8ACAB5695C70254E24735F8D65
SHA1:	DA5CEB780E4D216CC03CE079B40754984E00641D
SHA-256:	529E28D032C38E7FBDBB5A759919076418C8A683D5A9EA201D289FF965A94F93
SHA-512:	4DCA0CF2A95D91BCE1D569F9FCA01F0A1C711FB156A6BE463A2126245AF1D105445FF99EF28B0895611F618FC5C088EAD176D00DB5845C1697EC49BB86FCDEE4
Malicious:	true
Reputation:	low
Preview:	@echo off..set cnt=2..set num=0..:r1..set /a num=%num%+1..del /f /q "C:\Users\user\Desktop\1735021454574.exe"..if %cnt%==%num% goto e1..ping -n 2 127.1>nul..if exist "C:\Users\user\Desktop\1735021454574.exe" goto r1..:e1..del /f /q "C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat"..

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	4.92149009030101
Encrypted:	false
SSDEEP:	6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
MD5:	2E512EE24AAB186D09E9A1F9B72A0569
SHA1:	C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
SHA-256:	DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
SHA-512:	6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.190912647066544
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1735021454574.exe
File size:	227'840 bytes
MD5:	561a88261d6c906c397723d0a484f366
SHA1:	96201e0ce8a4433b9d22ae77ecc16435d34a6216
SHA256:	9780d0a48df19bace1a2c6724a094db2d43bdd8925c93b30778653a70f04893e
SHA512:	31ce8034681f18d57a156fbecad34d920f2633de00e414c306c1f68887b17f83ce21a6bdc1e74df437a07759641721441cdb108d0e96a9ccaa1b02345bb69124
SSDEEP:	6144:zChBzIASWddnj1Yqdq+GO66EZFW6Z15bgxGE:z6ZeudBx5GXR35U
TLSH:	8624CF13E3A580FBC863C13CC9A26666F5B1B41A837487CFA7904E662F237D1793A351
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................O..........t...................Rich....................PE..d.....=g..........#................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400041f4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x673D83C7 [Wed Nov 20 06:37:59 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	f8566657430f6381ba14c7ca1e40f06c

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F6F3850664Ch
dec eax
add esp, 28h
jmp 00007F6F385038C7h
int3
int3
dec eax
jmp dword ptr [00007F51h]
int3
xor ecx, ecx
dec eax
jmp dword ptr [00007F47h]
int3
int3
int3
dec eax
jmp dword ptr [00007F45h]
int3
dec eax
sub esp, 28h
mov ecx, dword ptr [00032436h]
cmp ecx, FFFFFFFFh
je 00007F6F38503ABFh
call dword ptr [00007F47h]
or dword ptr [00032424h], FFFFFFFFh
dec eax
add esp, 28h
jmp 00007F6F38506740h
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ebx
push edi
dec eax
sub esp, 20h
dec eax
mov edi, edx
dec eax
mov ebx, ecx
dec eax
lea eax, dword ptr [00008A3Dh]
dec eax
mov dword ptr [ecx+000000A0h], eax
mov dword ptr [ecx+1Ch], 00000001h
mov dword ptr [ecx+000000C8h], 00000001h
mov byte ptr [ecx+00000174h], 00000043h
mov byte ptr [ecx+000001F7h], 00000043h
dec eax
lea eax, dword ptr [00032C60h]
dec eax
mov dword ptr [ecx+000000B8h], eax
mov ecx, 0000000Dh
call 00007F6F3850686Ch
nop
dec eax
mov eax, dword ptr [ebx+000000B8h]
lock add dword ptr [eax], 01h
mov ecx, 0000000Dh
call 00007F6F38506756h
mov ecx, 0000000Ch

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[ASM] VS2008 SP1 build 30729
[IMP] VS2005 build 50727
[C++] VS2008 SP1 build 30729
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xe404	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3a000	0xa44	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x320	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xade9	0xae00	708f78b5cd9639b4135400a06da5303c	False	0.5815822557471264	data	6.333185574110238	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x2ea4	0x3000	1288c21a7e31d842404c68f524718900	False	0.3961588541666667	data	5.302044784760474	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xf000	0x2ac20	0x28c00	e6c71238e76489d139e3667f7bc8f1dc	False	0.8114575345092024	data	7.418193968942779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3a000	0xa44	0xc00	e236b8cd83b468044cdc9cbc64e678d3	False	0.4176432291666667	data	4.054398581850391	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

GlobalAlloc, LoadLibraryA, WideCharToMultiByte, MultiByteToWideChar, GetExitCodeProcess, WaitForSingleObject, CreateProcessA, VirtualAllocEx, GetTempPathA, GetModuleFileNameA, GetTickCount, ReadProcessMemory, Thread32Next, Thread32First, CreateToolhelp32Snapshot, OpenThread, VirtualProtectEx, WriteProcessMemory, VirtualFreeEx, IsWow64Process, Process32Next, ProcessIdToSessionId, Process32First, GetCurrentThread, CreateMutexW, GlobalFree, SetFileAttributesA, WriteFile, SetEndOfFile, FlushFileBuffers, CreateFileA, SetFilePointerEx, GetLastError, GetNativeSystemInfo, OpenProcess, CloseHandle, GetModuleHandleA, GetProcAddress, GetCurrentProcess, GetCommandLineA, GetStartupInfoA, EncodePointer, DecodePointer, FlsGetValue, FlsSetValue, FlsFree, SetLastError, GetCurrentThreadId, FlsAlloc, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetModuleHandleW, Sleep, ExitProcess, GetStdHandle, RtlUnwindEx, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, HeapSetInformation, HeapCreate, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapFree, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, GetLocaleInfoA, GetStringTypeA, GetStringTypeW, LCMapStringA, LCMapStringW, HeapAlloc, HeapReAlloc, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, HeapSize

ADVAPI32.dll

InitializeSecurityDescriptor, SetSecurityDescriptorDacl

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:29:06.578483105 CET	49710	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:06.583300114 CET	12368	49710	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:06.583398104 CET	49710	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:06.583453894 CET	49710	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:06.588238955 CET	12368	49710	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:07.547590017 CET	12368	49710	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:07.547683001 CET	12368	49710	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:07.547878981 CET	49710	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:07.547911882 CET	49710	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:07.552694082 CET	12368	49710	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:09.557245016 CET	49722	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:09.562067986 CET	12368	49722	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:09.562167883 CET	49722	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:09.562247038 CET	49722	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:09.567018986 CET	12368	49722	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:10.548669100 CET	12368	49722	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:10.548804045 CET	12368	49722	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:10.548857927 CET	49722	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:10.548950911 CET	49722	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:10.553744078 CET	12368	49722	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:12.620131969 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:12.625195980 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:12.626418114 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:12.626514912 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:12.631242990 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.583947897 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.583973885 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.583986998 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.583997965 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.584014893 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.584022045 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.584032059 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.584043026 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.584054947 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.584058046 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.584067106 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.584073067 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.584074974 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.584105968 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.588924885 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.588937998 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.588948965 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.588994980 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.853876114 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.853903055 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.853914976 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854008913 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.854027033 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854038954 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854057074 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854070902 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854074001 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.854084015 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854094982 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854104996 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.854114056 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854125977 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854136944 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854140043 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.854144096 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854152918 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.854154110 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854165077 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854182005 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854192019 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854192972 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.854197979 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854204893 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854211092 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854216099 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854222059 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854232073 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.854257107 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:13.859194994 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:13.859251022 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.100822926 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.100841999 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.100949049 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.100950956 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.100979090 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.100990057 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.101010084 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.101031065 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.101042032 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.101062059 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.101762056 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.101773977 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.101787090 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.101797104 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.101798058 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.101815939 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.102427006 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.102438927 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.102449894 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.102461100 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.102463007 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.102471113 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.102480888 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.102511883 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.103353024 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.103364944 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.103377104 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.103388071 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.103399992 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.103408098 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.103441000 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.104099989 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.104140997 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.104165077 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.104176044 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.104187012 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.104198933 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.104212999 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.104231119 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.104986906 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.104998112 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.105010033 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.105026007 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.105036020 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.105036974 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.105055094 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.105931044 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.105951071 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.105961084 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.105966091 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.105972052 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.105982065 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.105998039 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.106029987 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.196167946 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.196185112 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.196196079 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.196234941 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.196296930 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.196305990 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.196330070 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.196389914 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.196423054 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.196486950 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.196963072 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.196974993 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.196988106 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.197001934 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.197019100 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.197030067 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.197041988 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.197083950 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.197170973 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.197235107 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.197264910 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.359234095 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359258890 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359344006 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.359345913 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359389067 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359401941 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359414101 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359425068 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.359448910 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.359455109 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359721899 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359755993 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.359762907 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359775066 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359786034 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359810114 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.359827995 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.359859943 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.360124111 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360223055 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360234976 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360245943 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360255957 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.360256910 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360268116 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360275984 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.360279083 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360321045 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.360862970 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360882044 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360893011 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360901117 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.360903978 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360913992 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360924006 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360937119 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360940933 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.360946894 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360960960 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360970974 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.360971928 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.360991955 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.361879110 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361896038 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361908913 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361917973 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361928940 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.361931086 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361942053 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361944914 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.361953974 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361964941 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361974955 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.361974955 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361987114 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.361998081 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.362019062 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.362740040 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362783909 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.362799883 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362809896 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362823963 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362834930 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362848043 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.362859011 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362868071 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.362869024 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362879992 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362893105 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362904072 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.362906933 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.362922907 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.363732100 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363753080 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363763094 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363771915 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.363786936 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.363857031 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363867998 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363878965 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363888979 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363900900 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363910913 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363912106 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.363923073 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.363945007 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.364820004 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364836931 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364847898 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364851952 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.364857912 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364869118 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364876032 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.364881039 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364892960 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364902973 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364916086 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364922047 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.364927053 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.364948034 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.365858078 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365874052 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365885973 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365890980 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.365896940 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365907907 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365917921 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365928888 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365931034 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.365938902 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365951061 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365956068 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.365963936 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.365976095 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.378496885 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.445899963 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.445913076 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.445923090 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.445981979 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.446052074 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446099043 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.446158886 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446170092 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446177006 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446192980 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446202993 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.446204901 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446214914 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446224928 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446254969 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.446276903 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.446367025 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446377993 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446388006 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446398973 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446402073 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.446409941 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446420908 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.446420908 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.446451902 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.617803097 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.617888927 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.617899895 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.617912054 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.617924929 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.617937088 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.617935896 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.617949963 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.617963076 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.617964983 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618002892 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618109941 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618150949 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618164062 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618175983 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618185043 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618185997 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618211031 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618396997 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618408918 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618422031 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618432045 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618432999 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618446112 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618463039 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618494987 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618697882 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618715048 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618726969 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618736982 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618747950 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618747950 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618758917 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618768930 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618772030 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618782043 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618793964 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618796110 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618804932 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618815899 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.618818045 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.618838072 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.619246006 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619257927 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619277000 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619287968 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619291067 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.619301081 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619309902 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.619317055 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619340897 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.619389057 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619426012 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.619499922 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619513035 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619524002 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619534969 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619544029 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.619546890 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619558096 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619568110 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.619570971 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619590998 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.619827986 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.619860888 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.626935005 CET	49744	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.631792068 CET	12368	49744	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.707705975 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.712814093 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:14.712908983 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.712996006 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:14.717845917 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682276964 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682317972 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682329893 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682336092 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682347059 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682365894 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682377100 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682388067 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682398081 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682408094 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.682465076 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.682545900 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.687424898 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.687441111 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.687453032 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.687540054 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.940529108 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.940547943 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.940561056 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.940573931 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.940668106 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.940756083 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.940768003 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.940781116 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.940785885 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.940792084 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.940886021 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.941237926 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.941297054 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.941308022 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.941319942 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.941330910 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.941369057 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.941369057 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.942241907 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.942255020 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.942266941 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.942276001 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.942286968 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.942317963 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.942317963 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.942354918 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.943103075 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.943118095 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.943135977 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.943145990 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.943157911 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.943161964 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.943191051 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:15.945602894 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:15.945667982 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.198208094 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198223114 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198234081 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198329926 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198349953 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198352098 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.198363066 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198373079 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.198374987 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198411942 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.198556900 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198609114 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198649883 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.198666096 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198704004 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.198721886 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198767900 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198807955 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.198847055 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198858976 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198865891 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198872089 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198878050 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.198913097 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.199413061 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199425936 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199438095 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199448109 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199455976 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.199460030 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199486971 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.199516058 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.199887991 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199904919 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199915886 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199927092 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199938059 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199943066 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.199949980 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199960947 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.199963093 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199975014 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199985981 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.199990988 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.199995995 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200009108 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200010061 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.200035095 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.200675964 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200689077 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200704098 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200710058 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200721025 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200743914 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200757027 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.200776100 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.200797081 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200809002 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200820923 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200830936 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200835943 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.200844049 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.200865984 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.200892925 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.201637030 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.201647997 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.201667070 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.201685905 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.203284025 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.206374884 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.287595987 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.342823982 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.456217051 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456245899 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456257105 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456268072 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456279039 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456290007 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456368923 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456378937 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.456393957 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456406116 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456409931 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.456455946 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.456484079 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456496000 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456506014 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456516027 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456527948 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456542969 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.456562996 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.456594944 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.456762075 CET	12368	49755	120.78.149.238	192.168.2.6
Jan 2, 2025 09:29:16.456799030 CET	49755	12368	192.168.2.6	120.78.149.238
Jan 2, 2025 09:29:16.461433887 CET	12368	49755	120.78.149.238	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:29:06.109770060 CET	52503	53	192.168.2.6	114.114.114.114
Jan 2, 2025 09:29:06.233855009 CET	52504	53	192.168.2.6	223.5.5.5
Jan 2, 2025 09:29:06.317641973 CET	53	52504	223.5.5.5	192.168.2.6
Jan 2, 2025 09:29:06.335233927 CET	53	52503	114.114.114.114	192.168.2.6
Jan 2, 2025 09:29:06.343422890 CET	52505	53	192.168.2.6	114.114.114.114
Jan 2, 2025 09:29:06.468281031 CET	52506	53	192.168.2.6	223.5.5.5
Jan 2, 2025 09:29:06.554301023 CET	53	52506	223.5.5.5	192.168.2.6
Jan 2, 2025 09:29:06.568803072 CET	53	52505	114.114.114.114	192.168.2.6
Jan 2, 2025 09:29:06.577665091 CET	52507	8081	192.168.2.6	120.79.66.71
Jan 2, 2025 09:29:06.578160048 CET	52508	8081	192.168.2.6	120.79.66.71
Jan 2, 2025 09:29:06.578304052 CET	52509	8081	192.168.2.6	120.79.66.71
Jan 2, 2025 09:29:16.476805925 CET	62981	8081	192.168.2.6	120.79.66.71
Jan 2, 2025 09:29:16.480376005 CET	62982	8081	192.168.2.6	120.79.66.71
Jan 2, 2025 09:29:16.518047094 CET	62983	8081	192.168.2.6	120.79.66.71
Jan 2, 2025 09:29:16.518238068 CET	62984	8081	192.168.2.6	120.79.66.71

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 2, 2025 09:29:06.335305929 CET	192.168.2.6	114.114.114.114	a4de	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 09:29:06.109770060 CET	192.168.2.6	114.114.114.114	0x4a09	Standard query (0)	apex_down.listw.top	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:29:06.233855009 CET	192.168.2.6	223.5.5.5	0x4a09	Standard query (0)	apex_down.listw.top	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:29:06.343422890 CET	192.168.2.6	114.114.114.114	0x4a09	Standard query (0)	apex_rep.listw.top	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:29:06.468281031 CET	192.168.2.6	223.5.5.5	0x4a09	Standard query (0)	apex_rep.listw.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:29:06.317641973 CET	223.5.5.5	192.168.2.6	0x4a09	No error (0)	apex_down.listw.top	120.78.149.238	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:29:06.335233927 CET	114.114.114.114	192.168.2.6	0x4a09	No error (0)	apex_down.listw.top	120.78.149.238	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:29:06.554301023 CET	223.5.5.5	192.168.2.6	0x4a09	No error (0)	apex_rep.listw.top	120.79.66.71	A (IP address)	IN (0x0001)	false
Jan 2, 2025 09:29:06.568803072 CET	114.114.114.114	192.168.2.6	0x4a09	No error (0)	apex_rep.listw.top	120.79.66.71	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:29:01
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\1735021454574.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\1735021454574.exe"
Imagebase:	0x140000000
File size:	227'840 bytes
MD5 hash:	561A88261D6C906C397723D0A484F366
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:29:01
Start date:	02/01/2025
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	03:29:04
Start date:	02/01/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat""
Imagebase:	0x7ff602080000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:29:04
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:29:05
Start date:	02/01/2025
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 2 127.1
Imagebase:	0x7ff6986f0000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26%
Total number of Nodes:	1337
Total number of Limit Nodes:	50

Executed Functions

Function 00000001400018F0 Relevance: 53.0, APIs: 35, Instructions: 504
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 0000000140001958
ReadProcessMemory.KERNELBASE ref: 000000014000198E
GetLastError.KERNEL32 ref: 0000000140001998
GlobalFree.KERNEL32 ref: 0000000140002114

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: Global$AllocErrorFreeLastMemoryProcessRead
String ID:
API String ID: 880132777-0
Opcode ID: e3b8513d77d3e064aeb048b915a17d23cd5dc3dc9ced802016e47662d4b719bc
Instruction ID: 5b8d6f292d32b47b0dc033eca4e293d4dbe89354321a4122699c0ddb99020d3d
Opcode Fuzzy Hash: e3b8513d77d3e064aeb048b915a17d23cd5dc3dc9ced802016e47662d4b719bc
Instruction Fuzzy Hash: 8F3259B2619B8182EA62DF52B4447DAB7A4FB8DBC4F444125FF8A43BA9DF38C445C740

Function 0000000140003160 Relevance: 40.6, APIs: 22, Strings: 1, Instructions: 319
memorysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32 ref: 0000000140003185
IsWow64Process.KERNEL32 ref: 00000001400031C3
GlobalAlloc.KERNELBASE ref: 000000014000325B
GlobalFree.KERNEL32 ref: 00000001400033C7

Strings

TranslateMessage, xrefs: 0000000140003333, 000000014000340E

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: Global$AllocFreeObjectProcessSingleWaitWow64
String ID: TranslateMessage
API String ID: 1285448613-1574555156
Opcode ID: b841879be43e50d66bb224894e4c1356849f29788031f2846d79fd9ca5ae7eb5
Instruction ID: 7174fe85d50acdaac7ebb6ef4fc703fd64b259ce32da63d26d972c31c026e7c1
Opcode Fuzzy Hash: b841879be43e50d66bb224894e4c1356849f29788031f2846d79fd9ca5ae7eb5
Instruction Fuzzy Hash: 81D11CB2219B8186E762DB13B54479AB7A8F78DBC4F404125BF8A47BA9DF3CC544CB00

Function 0000000140002260 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 000000014000229D
GetLastError.KERNEL32 ref: 00000001400022AB
GetProcAddress.KERNEL32 ref: 00000001400022C2
GetLastError.KERNEL32 ref: 00000001400022D0

Strings

NtQueryInformationProcess, xrefs: 00000001400022D8
RtlNtStatusToDosError, xrefs: 00000001400022B3
ntdll.dll, xrefs: 0000000140002279

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: NtQueryInformationProcess$RtlNtStatusToDosError$ntdll.dll
API String ID: 1762409328-513407355
Opcode ID: 5149749498f2dce902f1c34ca5229fe6b1970cf0fb8f2d4bac61122ba6365c95
Instruction ID: cd2a3950a3659bf530bc54333ab6332fd89062f5493819bed32ec8037b801953
Opcode Fuzzy Hash: 5149749498f2dce902f1c34ca5229fe6b1970cf0fb8f2d4bac61122ba6365c95
Instruction Fuzzy Hash: AA2125B132AB4085EB56DB16B844B9C73A5B74CBC0F594139EB9D83764EF38CA558700

Function 0000000140003830 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeSecurityDescriptor.ADVAPI32 ref: 000000014000384A
SetSecurityDescriptorDacl.ADVAPI32 ref: 000000014000385F
CreateMutexExW.KERNELBASE ref: 000000014000388D
GetLastError.KERNEL32 ref: 0000000140003896
CloseHandle.KERNEL32 ref: 00000001400038E8

Part of subcall function 0000000140003740: CreateToolhelp32Snapshot.KERNEL32 ref: 000000014000376A
Part of subcall function 0000000140003740: GetLastError.KERNEL32 ref: 0000000140003778

GetCurrentThread.KERNEL32 ref: 00000001400038B1
WaitForSingleObject.KERNEL32 ref: 00000001400038BF

Part of subcall function 0000000140003740: ProcessIdToSessionId.KERNELBASE ref: 00000001400037D8
Part of subcall function 0000000140003740: Process32Next.KERNEL32 ref: 00000001400037EF

Strings

{C10811B2-10C9-4d62-9E16-FBC7EB569DD4}, xrefs: 000000014000386A

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: CreateDescriptorErrorLastSecurity$CloseCurrentDaclHandleInitializeMutexNextObjectProcessProcess32SessionSingleSnapshotThreadToolhelp32Wait
String ID: {C10811B2-10C9-4d62-9E16-FBC7EB569DD4}
API String ID: 285606942-888163077
Opcode ID: dd4009fd458aba5dca69b0312a42940688917f5221cde77a963d658099a9cc82
Instruction ID: 4299be9f1f3fbda4284126c42162f4657a4ed364a8083925df42765a6c30eefe
Opcode Fuzzy Hash: dd4009fd458aba5dca69b0312a42940688917f5221cde77a963d658099a9cc82
Instruction Fuzzy Hash: 15219DB1224A4182FB52EB26F804BDA63A4FB8D788F548024F70A476B5EF3DC449CB40

Function 0000000140003740 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 000000014000376A
GetLastError.KERNEL32 ref: 0000000140003778
ProcessIdToSessionId.KERNELBASE ref: 00000001400037D8
Process32Next.KERNEL32 ref: 00000001400037EF

Strings

explorer.exe, xrefs: 00000001400037B0

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: CreateErrorLastNextProcessProcess32SessionSnapshotToolhelp32
String ID: explorer.exe
API String ID: 1033712966-3187896405
Opcode ID: 2e169a929fc2d2e009f530b01c7f8142b94bd2eda747f8ba25c0d8239db225c7
Instruction ID: 33c71a43016fddc915274e0a6c88ac49dedbbb02ad0916507a264ae314eb1e10
Opcode Fuzzy Hash: 2e169a929fc2d2e009f530b01c7f8142b94bd2eda747f8ba25c0d8239db225c7
Instruction Fuzzy Hash: BE2142B170868086EB72DF16F8413DAA295F78C7D8F844325B79D476E9DB38C544CB00

Function 00000001400015F0 Relevance: 28.1, APIs: 6, Strings: 10, Instructions: 141
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0000000140001638

Part of subcall function 0000000140003B0C: _getptd.LIBCMT ref: 0000000140003B14

rand.LIBCMT ref: 0000000140001645

Part of subcall function 0000000140003B24: _getptd.LIBCMT ref: 0000000140003B28

Part of subcall function 0000000140001370: rand.LIBCMT ref: 0000000140001440

GlobalAlloc.KERNEL32 ref: 000000014000167E
GetModuleFileNameA.KERNELBASE ref: 00000001400016C0
GetTempPathA.KERNELBASE ref: 00000001400016D0
GlobalFree.KERNEL32 ref: 0000000140001857

Strings

gfff, xrefs: 0000000140001652
if %cnt%==%num% goto e1ping -n 2 127.1>nul, xrefs: 000000014000178D
@echo off, xrefs: 000000014000170B
:e1del /f /q "%s", xrefs: 00000001400017CB
.bat, xrefs: 00000001400016F8
set cnt=%u, xrefs: 000000014000173B
if exist "%s" goto r1, xrefs: 00000001400017A7
set num=0:r1set /a num=%num%+1, xrefs: 0000000140001756
"%s", xrefs: 0000000140001811
del /f /q "%s", xrefs: 0000000140001770

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: Global_getptdrand$AllocCountFileFreeModuleNamePathTempTick
String ID: "%s"$.bat$:e1del /f /q "%s"$@echo off$del /f /q "%s"$gfff$if %cnt%==%num% goto e1ping -n 2 127.1>nul$if exist "%s" goto r1$set cnt=%u$set num=0:r1set /a num=%num%+1
API String ID: 354991171-3703372875
Opcode ID: eee4d7ca2a32e14d08948c02aa48e857aa9d5f9e8ef851e839f3359dadce8009
Instruction ID: b6c1ad529da0dd87c8ede0c7be3bd254542353f21f2d4b17b3b05bf17b333e96
Opcode Fuzzy Hash: eee4d7ca2a32e14d08948c02aa48e857aa9d5f9e8ef851e839f3359dadce8009
Instruction Fuzzy Hash: 4F518FB131568185EB22EF26F8517D96365F7897C8F845026BB4E4BBAADF78C205C700

Function 0000000140001170 Relevance: 25.6, APIs: 17, Instructions: 118
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE ref: 00000001400011C0
CreateFileA.KERNELBASE ref: 00000001400011EA
CreateFileA.KERNELBASE ref: 000000014000121D
GetLastError.KERNEL32 ref: 000000014000123A
SetFilePointerEx.KERNEL32 ref: 000000014000126D
GetLastError.KERNEL32 ref: 0000000140001277
CloseHandle.KERNEL32 ref: 0000000140001282
SetFilePointerEx.KERNELBASE ref: 0000000140001298
GetLastError.KERNEL32 ref: 00000001400012A2
CloseHandle.KERNEL32 ref: 00000001400012AD
WriteFile.KERNELBASE ref: 00000001400012CA
GetLastError.KERNEL32 ref: 00000001400012D4
CloseHandle.KERNEL32 ref: 00000001400012DF
CloseHandle.KERNEL32 ref: 00000001400012FB
SetEndOfFile.KERNELBASE ref: 0000000140001314
FlushFileBuffers.KERNEL32 ref: 000000014000131D
CloseHandle.KERNELBASE ref: 0000000140001326

Part of subcall function 0000000140001000: GetModuleHandleA.KERNEL32 ref: 0000000140001015
Part of subcall function 0000000140001000: GetProcAddress.KERNEL32 ref: 0000000140001032
Part of subcall function 0000000140001000: GetCurrentProcess.KERNEL32 ref: 0000000140001048
Part of subcall function 0000000140001000: GetProcAddress.KERNEL32 ref: 0000000140001069

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: File$Handle$Close$ErrorLast$AddressCreatePointerProc$AttributesBuffersCurrentFlushModuleProcessWrite
String ID:
API String ID: 1685627637-0
Opcode ID: c6f06c55810ae676b242f0391958e7d96c1ddbd1831598c62583220653be55d7
Instruction ID: bc2adb5c83cad6cf6b328863d0be11b741e8eec7635037984136a93185dd692a
Opcode Fuzzy Hash: c6f06c55810ae676b242f0391958e7d96c1ddbd1831598c62583220653be55d7
Instruction Fuzzy Hash: 18413DB161568087E762DF63B954BEA7295B78DBE4F044225FFA643BF5CF38C4488600

Function 0000000140001470 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 92
processsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE ref: 0000000140001525
GetLastError.KERNEL32 ref: 000000014000152F
CloseHandle.KERNEL32 ref: 000000014000153F
WaitForSingleObject.KERNEL32 ref: 000000014000156F
GetExitCodeProcess.KERNEL32 ref: 000000014000158D
GetLastError.KERNEL32 ref: 0000000140001597
CloseHandle.KERNEL32 ref: 00000001400015C3

Strings

h, xrefs: 00000001400014AE
, xrefs: 0000000140001518

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: CloseErrorHandleLastProcess$CodeCreateExitObjectSingleWait
String ID: $h
API String ID: 3196704372-1972213566
Opcode ID: e6b51890dc114c2b89d13f2e69252f4d912c5b222b4ea4394b7fa6e8da15a4a5
Instruction ID: 8859876685ca2badcadd4aaf4b8bdc0f5709351d06a8d1345d8bddfaf805c54f
Opcode Fuzzy Hash: e6b51890dc114c2b89d13f2e69252f4d912c5b222b4ea4394b7fa6e8da15a4a5
Instruction Fuzzy Hash: 41411BB2214A80C6E762DF16F8407CAB7A4F7C8BD8F144125EB8947B68DF78C454CB40

Function 0000000140006834 Relevance: 15.1, APIs: 10, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000014000413C), ref: 0000000140006863
GetLastError.KERNEL32(?,?,?,?,?,?,?,000000014000413C), ref: 000000014000687D
GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000014000413C), ref: 00000001400068A3
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000014000413C), ref: 00000001400068F8
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,000000014000413C), ref: 0000000140006934
free.LIBCMT ref: 0000000140006942
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,000000014000413C), ref: 000000014000694D
GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,?,000000014000413C), ref: 0000000140006965
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,000000014000413C), ref: 00000001400069A6
FreeEnvironmentStringsA.KERNEL32(?,?,?,?,?,?,?,000000014000413C), ref: 00000001400069C2

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
String ID:
API String ID: 994105223-0
Opcode ID: a45ebe0291e735118433d79ffa4501a3f33e74e4a86f275abaf88588a9a04c7a
Instruction ID: 939949a212f292ece65122cbe4d063cb36a4dcf17b2de409e7152f0680b642df
Opcode Fuzzy Hash: a45ebe0291e735118433d79ffa4501a3f33e74e4a86f275abaf88588a9a04c7a
Instruction Fuzzy Hash: 6441BEB260539082FA66DB23B5587A977A6B74CBD0F188514EF4A27BB5CF38D495C300

Function 0000000140005BB0 Relevance: 13.6, APIs: 9, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lock.LIBCMT ref: 0000000140005BD9
DecodePointer.KERNEL32 ref: 0000000140005C0C
DecodePointer.KERNEL32 ref: 0000000140005C29
DecodePointer.KERNEL32 ref: 0000000140005C68
DecodePointer.KERNEL32 ref: 0000000140005C81
DecodePointer.KERNEL32 ref: 0000000140005C90
_initterm.LIBCMT ref: 0000000140005CCF
_initterm.LIBCMT ref: 0000000140005CE2
ExitProcess.KERNEL32 ref: 0000000140005D1B

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: 2e2d85d98de262d786742f13c3a61dd02443fc06b479274f9426870222821cf0
Instruction ID: a7c215c06efc56645062d57f0c9971c0f0cfcc1f76108284ec0c264d9ead9588
Opcode Fuzzy Hash: 2e2d85d98de262d786742f13c3a61dd02443fc06b479274f9426870222821cf0
Instruction Fuzzy Hash: 3B419CB1226B8185FA53EB13F880BDA6294B78D7C4F444029BB4E47BB6EF38C491C704

Function 0000000140004018 Relevance: 12.1, APIs: 8, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoA.KERNEL32 ref: 000000014000402F
_FF_MSGBANNER.LIBCMT ref: 00000001400040CE
_FF_MSGBANNER.LIBCMT ref: 00000001400040F8
_RTC_Initialize.LIBCMT ref: 0000000140004111
GetCommandLineA.KERNEL32 ref: 000000014000412A
__setargv.LIBCMT ref: 0000000140004143
_cinit.LIBCMT ref: 000000014000416B
_wincmdln.LIBCMT ref: 000000014000417B

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: CommandInfoInitializeLineStartup__setargv_cinit_wincmdln
String ID:
API String ID: 1081043060-0
Opcode ID: 0e525a029f3c9379bc667cf13eb564230b6b773ff7a43c10802f93299b43159c
Instruction ID: 5e116b9988e8f961825a1c3e745da8700499624d8fdae5a4e9b6fd0bba04d3cf
Opcode Fuzzy Hash: 0e525a029f3c9379bc667cf13eb564230b6b773ff7a43c10802f93299b43159c
Instruction Fuzzy Hash: 43415DF160478186FB63EBA3B4413EA22A1AB8D7C5F544039B749536F3EF38C9818746

Function 00000001400036B0 Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32 ref: 00000001400036DF
GetLastError.KERNEL32 ref: 00000001400036ED
CloseHandle.KERNELBASE ref: 0000000140003717

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: CloseErrorHandleLastOpenProcess
String ID:
API String ID: 3453201768-0
Opcode ID: ba3bdd8d4b6520c47544b77885bc5682f226bda47c0f6702306fc36d4afcf9ff
Instruction ID: 29c36edad4cbe4456c1e5d56e1e489f9a7f3070941572f87b43ba1d2570c8cd5
Opcode Fuzzy Hash: ba3bdd8d4b6520c47544b77885bc5682f226bda47c0f6702306fc36d4afcf9ff
Instruction Fuzzy Hash: 9B014476318B8082E315DB17B80078AB6A5F78DBC0F484428FF8843B69DA38C5418B04

Function 0000000140002160 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE ref: 00000001400021DF
GetLastError.KERNEL32 ref: 00000001400021E9

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ErrorLastMemoryProcessRead
String ID:
API String ID: 2417666006-0
Opcode ID: 738e364ac98b109d1f902aed40cd010b936bad501335c4d62d388d32040120af
Instruction ID: d0824b595194ae0f816e219e88f91e526c91884c79d853c1c97cfcba69b48e09
Opcode Fuzzy Hash: 738e364ac98b109d1f902aed40cd010b936bad501335c4d62d388d32040120af
Instruction Fuzzy Hash: 42213D72319B8096E766CF52B440BDAB7A8F399BC0F584125BF8943B19DB38C605CB40

Function 0000000140006D48 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(?,?,?,?,00000001400040C2), ref: 0000000140006D5A
HeapSetInformation.KERNEL32 ref: 0000000140006D84

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: 27e44b1b6268c0d544476f1fec22c4af1d438eeb43799487ba81ee6cadacc236
Instruction ID: 246af1013d14c5667408807a7657882260a7fa6da917086fc4c36d72adaf5ecd
Opcode Fuzzy Hash: 27e44b1b6268c0d544476f1fec22c4af1d438eeb43799487ba81ee6cadacc236
Instruction Fuzzy Hash: A1E048B572278043E75ADB26A8157956250F74C3C0F505019FB4903BA4DF3CC1858B00

Function 0000000140007CC4 Relevance: 2.5, APIs: 2, Instructions: 30
sleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 0000000140007CE3

Part of subcall function 000000014000A9F0: _FF_MSGBANNER.LIBCMT ref: 000000014000AA20
Part of subcall function 000000014000A9F0: HeapAlloc.KERNEL32(?,?,00000000,0000000140007CE8,?,?,00000000,0000000140006FD1,?,?,?,000000014000707B), ref: 000000014000AA45
Part of subcall function 000000014000A9F0: _errno.LIBCMT ref: 000000014000AA69
Part of subcall function 000000014000A9F0: _errno.LIBCMT ref: 000000014000AA74

Sleep.KERNEL32(?,?,00000000,0000000140006FD1,?,?,?,000000014000707B,?,?,?,?,?,?,00000000,0000000140004358), ref: 0000000140007CFA

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: _errno$AllocHeapSleepmalloc
String ID:
API String ID: 496785850-0
Opcode ID: 31c6dfb5965236465b61a71dc8a1373e5855104e6cf83bc14204ef1d40353bea
Instruction ID: cadc7b0da79966dee7169d7bbb693cfb5829486343461f55473eb18a9ac76907
Opcode Fuzzy Hash: 31c6dfb5965236465b61a71dc8a1373e5855104e6cf83bc14204ef1d40353bea
Instruction Fuzzy Hash: 0AF0C27260078486EA12DF17B4403AE73A0E78CBE0F580125FF5903765DF38C9918740

Function 0000000140001120 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE ref: 0000000140001141

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 9cf46646d2e420a71669caba6a41cd8cc1c440e01bff2c30a90047ae0998cef5
Instruction ID: 7c25440c2d9f27fab6620d7f1cabdf187c938c27d88307f51b1f67d8d778176e
Opcode Fuzzy Hash: 9cf46646d2e420a71669caba6a41cd8cc1c440e01bff2c30a90047ae0998cef5
Instruction Fuzzy Hash: 80E01AB6B2088082E777EB16E8013DA72E2F388B05FC40111B78D435A4EB7CCA598A01

Non-executed Functions

Function 0000000140002710 Relevance: 53.0, APIs: 35, Instructions: 503memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 0000000140002773
ReadProcessMemory.KERNEL32 ref: 00000001400027B7
GetLastError.KERNEL32 ref: 00000001400027C1
GlobalFree.KERNEL32 ref: 0000000140002EED

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: Global$AllocErrorFreeLastMemoryProcessRead
String ID:
API String ID: 880132777-0
Opcode ID: 75454d54b03a707dbd19c3a3bd70313273ca086a0fbc7868067fe0d4610f207f
Instruction ID: 81354d4f257917a37da6dd762d8a5476d34b10bf18e12a88d3df297ff6f2d5c3
Opcode Fuzzy Hash: 75454d54b03a707dbd19c3a3bd70313273ca086a0fbc7868067fe0d4610f207f
Instruction Fuzzy Hash: 6F325EB221978186EB66CF12F44479AB7A4F78DBC4F544125FB8A47BA8DF78C805CB40

Function 0000000140004B44 Relevance: 42.7, APIs: 10, Strings: 14, Instructions: 714COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000497C: _getptd.LIBCMT ref: 0000000140004992

_errno.LIBCMT ref: 0000000140004BAC

Part of subcall function 0000000140004694: DecodePointer.KERNEL32 ref: 00000001400046BB

_errno.LIBCMT ref: 0000000140004C78
write_multi_char.LIBCMT ref: 0000000140005297
write_multi_char.LIBCMT ref: 00000001400052C8
write_multi_char.LIBCMT ref: 000000014000537E
free.LIBCMT ref: 0000000140005396

Strings

l, xrefs: 0000000140005421
g, xrefs: 0000000140005136
#, xrefs: 000000014000558F
+, xrefs: 0000000140005595
*, xrefs: 000000014000554E
-, xrefs: 000000014000559B
h, xrefs: 000000014000541B
w, xrefs: 0000000140005427
, xrefs: 000000014000526B
I, xrefs: 0000000140005415
*, xrefs: 0000000140005515
g, xrefs: 00000001400051F4
, xrefs: 0000000140005589
0, xrefs: 00000001400055A1

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: write_multi_char$_errno$DecodePointer_getptdfree
String ID: $ $#$*$*$+$-$0$I$g$g$h$l$w
API String ID: 2009448492-3944679695
Opcode ID: 2c5abf9b0b4c08a6a9a1677c765fa438a297132eee6d0e445cd7707e86a33db0
Instruction ID: 3bacf8e6c19835c22ee3f6538b96c29f08dd7b6e4daf596977e36d57f445fdfa
Opcode Fuzzy Hash: 2c5abf9b0b4c08a6a9a1677c765fa438a297132eee6d0e445cd7707e86a33db0
Instruction Fuzzy Hash: 9E52F3F260868086FB76DB1AB4447EF6AA1B34E7C2F145102FB86476F6DB78C940CB45

Function 0000000140008220 Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140008271
_errno.LIBCMT ref: 0000000140008278

Strings

U, xrefs: 000000014000882F

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: 808deaefe2d6cd0a218e93e2d5ce9eb759426b00709d33f764fdc08eb11d8729
Instruction ID: 794b7f660c7422d05297fe134f04c9b39660634bb6bc888d27084810b462f6c3
Opcode Fuzzy Hash: 808deaefe2d6cd0a218e93e2d5ce9eb759426b00709d33f764fdc08eb11d8729
Instruction Fuzzy Hash: EF12CEB2618A4186EB32CF26F4443EAA7A0F78CBD4F554116FF8A47AB5DB39C445CB10

Function 00000001400099B0 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 00000001400099ED
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009A09
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009A31
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009A3A
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009A50
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009A59
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009A6F
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009A78
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009A96
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009A9F
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009AD1
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009AE0
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009B38
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009B58
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,0000000140005FA4,?,?,?,?,?,0000000140006038), ref: 0000000140009B71

Strings

GetProcessWindowStation, xrefs: 0000000140009A8C
MessageBoxA, xrefs: 00000001400099FF
GetLastActivePopup, xrefs: 0000000140009A3F
GetActiveWindow, xrefs: 0000000140009A20
USER32.DLL, xrefs: 00000001400099E6
GetUserObjectInformationA, xrefs: 0000000140009A5E

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: 89fd190075050803a35edbb28543260a80664b7a662d37c1aa6185e818745589
Instruction ID: b7837e25fa8e4133561d70a377a6854f52ae32e062f3aea15f68cdba0d26677a
Opcode Fuzzy Hash: 89fd190075050803a35edbb28543260a80664b7a662d37c1aa6185e818745589
Instruction Fuzzy Hash: 655113B0612B4180FE67EB67B9547EA2390AB8DBD0F484425BF1E037B6EF38C5428304

Function 000000014000A418 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 000000014000A48A
GetLastError.KERNEL32 ref: 000000014000A4A0
MultiByteToWideChar.KERNEL32 ref: 000000014000A54A
malloc.LIBCMT ref: 000000014000A5BB
MultiByteToWideChar.KERNEL32 ref: 000000014000A5F2
LCMapStringW.KERNEL32 ref: 000000014000A617
LCMapStringW.KERNEL32 ref: 000000014000A667
malloc.LIBCMT ref: 000000014000A6BA
LCMapStringW.KERNEL32 ref: 000000014000A6F4
WideCharToMultiByte.KERNEL32 ref: 000000014000A737
free.LIBCMT ref: 000000014000A748
free.LIBCMT ref: 000000014000A756
LCMapStringA.KERNEL32 ref: 000000014000A7E5
malloc.LIBCMT ref: 000000014000A853
LCMapStringA.KERNEL32 ref: 000000014000A89C
free.LIBCMT ref: 000000014000A8E4
LCMapStringA.KERNEL32 ref: 000000014000A904
free.LIBCMT ref: 000000014000A916
free.LIBCMT ref: 000000014000A928

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: bdf5a1e736310f6e372902e92e2ddc645e4c21aba5b2d7a55352fca4c3d966d6
Instruction ID: 8d627de3f1b2d73944fbc154439a19398d0f4fb3f17c7e2dccda3afa044f94d5
Opcode Fuzzy Hash: bdf5a1e736310f6e372902e92e2ddc645e4c21aba5b2d7a55352fca4c3d966d6
Instruction Fuzzy Hash: EAF1AEB66046808AE722CF26E8407D977E1F74DBE8F588615FB5A57BE4DB3CC9418700

Function 0000000140005DDC Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,?,0000000140006038,?,?,?,?,000000014000AA25,?,?,00000000,0000000140007CE8), ref: 0000000140005E9F
GetStdHandle.KERNEL32(?,?,?,?,?,0000000140006038,?,?,?,?,000000014000AA25,?,?,00000000,0000000140007CE8), ref: 0000000140005FAB
WriteFile.KERNEL32 ref: 0000000140005FE5

Strings

..., xrefs: 0000000140005F02
<program name unknown>, xrefs: 0000000140005EA9
Microsoft Visual C++ Runtime Library, xrefs: 0000000140005F8F
Runtime Error!Program: , xrefs: 0000000140005E5E

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 0ceec01d8c333b141f4b82ff0657e1cafac80972adc543a3f0d9512e02458eef
Instruction ID: 8d928fbe2ade2b8b3ae8c5896f7180599bc73582f8a9fdd6434d485f36250013
Opcode Fuzzy Hash: 0ceec01d8c333b141f4b82ff0657e1cafac80972adc543a3f0d9512e02458eef
Instruction Fuzzy Hash: 36518AB172068242FB26EB27F955BEB6351A78E7C5F804126BF4947AF6CF3CC6058600

Function 0000000140009170 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014000B1D3
RtlLookupFunctionEntry.KERNEL32 ref: 000000014000B1F2
RtlVirtualUnwind.KERNEL32 ref: 000000014000B23E
IsDebuggerPresent.KERNEL32 ref: 000000014000B2B0
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014000B2C8
UnhandledExceptionFilter.KERNEL32 ref: 000000014000B2D5
GetCurrentProcess.KERNEL32 ref: 000000014000B2EE
TerminateProcess.KERNEL32 ref: 000000014000B2FC

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 219e5dc446c90ba60384ea3552e70986c1d6d9b5fe4d5b9d517e246cf82529eb
Instruction ID: 1553a30eb809cbffc94ae2ae4c9c86a1ff96820af2c00abc0a0e08ad949171e4
Opcode Fuzzy Hash: 219e5dc446c90ba60384ea3552e70986c1d6d9b5fe4d5b9d517e246cf82529eb
Instruction Fuzzy Hash: 7F31DDB5205B8486EA62DB52F8443DA73A4F78D7D4F904126EB8E43BB5DF78C488CB00

Function 0000000140008F38 Relevance: 10.6, APIs: 7, Instructions: 138COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000140008F7E
_errno.LIBCMT ref: 0000000140008FEC
_errno.LIBCMT ref: 0000000140008FF7
_errno.LIBCMT ref: 000000014000902B
WideCharToMultiByte.KERNEL32 ref: 00000001400090C6
GetLastError.KERNEL32 ref: 00000001400090E6
_errno.LIBCMT ref: 000000014000910C

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: bc39cb7de233fd1076975311eea11e326537b08a0bdf20d4de56e3e651922f6c
Instruction ID: b8ccbf75a7a3123a83c227fd7fc7ef8e803bf567e45700fe883bf6aeb152de4e
Opcode Fuzzy Hash: bc39cb7de233fd1076975311eea11e326537b08a0bdf20d4de56e3e651922f6c
Instruction Fuzzy Hash: F45194B26086C18AE772DF66F4407EEB791F3897D0F148125BBC947AE5DA78C8818B05

Function 000000014000456C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00000001400045AB
IsDebuggerPresent.KERNEL32 ref: 0000000140004649
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000140004653
UnhandledExceptionFilter.KERNEL32 ref: 000000014000465E
GetCurrentProcess.KERNEL32 ref: 0000000140004674
TerminateProcess.KERNEL32 ref: 0000000140004682

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: f46059cc0bcce0b9e6999a34a8f764e4a15e684d21dd2957faa906e7da174232
Instruction ID: 4f6d0079a559d92c241cf3e642a76d2944cade44a99d9c2723f7c975cea0b16c
Opcode Fuzzy Hash: f46059cc0bcce0b9e6999a34a8f764e4a15e684d21dd2957faa906e7da174232
Instruction Fuzzy Hash: 30314DB2619B8082EB25CB56F4447DBB3A0F79D784F500116EB8943AAAEF7CC548CB00

Function 0000000140006D94 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 0000000140006DCB
GetCurrentProcessId.KERNEL32 ref: 0000000140006DD6
GetCurrentThreadId.KERNEL32 ref: 0000000140006DE2
GetTickCount.KERNEL32 ref: 0000000140006DEE
QueryPerformanceCounter.KERNEL32 ref: 0000000140006DFF

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: cc165a4ed93d64c16e46a4671fb9b08fbbceab76091860af4e49f47541c7ee00
Instruction ID: a1b6a4cb67b744add7fe9da93ead17269b0cfcd476237b6353619a950a33e428
Opcode Fuzzy Hash: cc165a4ed93d64c16e46a4671fb9b08fbbceab76091860af4e49f47541c7ee00
Instruction Fuzzy Hash: 18012971265A4482EB62CF23F954B9663A0F74DBD0F446620FF5E477B4DA78C9998300

Function 000000014000B30C Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014000B34B
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014000B391
UnhandledExceptionFilter.KERNEL32 ref: 000000014000B39C

Part of subcall function 0000000140005DDC: GetModuleFileNameA.KERNEL32(?,?,?,?,?,0000000140006038,?,?,?,?,000000014000AA25,?,?,00000000,0000000140007CE8), ref: 0000000140005E9F

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
String ID:
API String ID: 2731829486-0
Opcode ID: a51d8c525d07e11825b3c84e58694be9d6a1edb38c030c757f794c76dfd35615
Instruction ID: 5d5014a21f042bcd58ac3dfd577f52dc968c08060984530065600db6fc2ff14e
Opcode Fuzzy Hash: a51d8c525d07e11825b3c84e58694be9d6a1edb38c030c757f794c76dfd35615
Instruction Fuzzy Hash: D3012971225A8442E626EB52F4557EB63A0FB8D384F40012AB78E076B6DF3CC505CB01

Function 000000014000B3F8 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 000000014000B420

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: fee34a3b222b80d1ba74ae3f68dfa49f184afed886897a001e9cd5a72e608383
Instruction ID: 72e2b37dd600a55fb0185217343bfc49f80374dfe24c7cc55e28c821e7b11029
Opcode Fuzzy Hash: fee34a3b222b80d1ba74ae3f68dfa49f184afed886897a001e9cd5a72e608383
Instruction Fuzzy Hash: 67E039B161868181E632EB22B4013DA67A0A79C798FC00202FB8D476B5DE3CC2058A00

Function 00000001400059DC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00000001400059E7

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 52fe1ce489ed374420583670e6deaac3fc9466084de3074ece4b878ac935a5b6
Instruction ID: b86a72362f74594de1b952b7962156e727b8b35ca69e42723a1e80cf026fdd7e
Opcode Fuzzy Hash: 52fe1ce489ed374420583670e6deaac3fc9466084de3074ece4b878ac935a5b6
Instruction Fuzzy Hash: 6AB012B0B23440C1D605FB23FC853C212A0775E351FC00415D20D82130DB7CC5DB8B00

Function 0000000140009D84 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140009D99

Part of subcall function 0000000140007C84: HeapFree.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007C9A
Part of subcall function 0000000140007C84: _errno.LIBCMT ref: 0000000140007CA4
Part of subcall function 0000000140007C84: GetLastError.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007CAC

free.LIBCMT ref: 0000000140009DA2
free.LIBCMT ref: 0000000140009DAB
free.LIBCMT ref: 0000000140009DB4
free.LIBCMT ref: 0000000140009DBD
free.LIBCMT ref: 0000000140009DC6
free.LIBCMT ref: 0000000140009DCE
free.LIBCMT ref: 0000000140009DD7
free.LIBCMT ref: 0000000140009DE0
free.LIBCMT ref: 0000000140009DE9
free.LIBCMT ref: 0000000140009DF2
free.LIBCMT ref: 0000000140009DFB
free.LIBCMT ref: 0000000140009E04
free.LIBCMT ref: 0000000140009E0D
free.LIBCMT ref: 0000000140009E16
free.LIBCMT ref: 0000000140009E1F
free.LIBCMT ref: 0000000140009E2B
free.LIBCMT ref: 0000000140009E37
free.LIBCMT ref: 0000000140009E43
free.LIBCMT ref: 0000000140009E4F
free.LIBCMT ref: 0000000140009E5B
free.LIBCMT ref: 0000000140009E67
free.LIBCMT ref: 0000000140009E73
free.LIBCMT ref: 0000000140009E7F
free.LIBCMT ref: 0000000140009E8B
free.LIBCMT ref: 0000000140009E97
free.LIBCMT ref: 0000000140009EA3
free.LIBCMT ref: 0000000140009EAF
free.LIBCMT ref: 0000000140009EBB
free.LIBCMT ref: 0000000140009EC7
free.LIBCMT ref: 0000000140009ED3
free.LIBCMT ref: 0000000140009EDF
free.LIBCMT ref: 0000000140009EEB
free.LIBCMT ref: 0000000140009EF7
free.LIBCMT ref: 0000000140009F03
free.LIBCMT ref: 0000000140009F0F
free.LIBCMT ref: 0000000140009F1B
free.LIBCMT ref: 0000000140009F27
free.LIBCMT ref: 0000000140009F33
free.LIBCMT ref: 0000000140009F3F
free.LIBCMT ref: 0000000140009F4B
free.LIBCMT ref: 0000000140009F57
free.LIBCMT ref: 0000000140009F63

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 0b7bbb66fcf70451c0ebf028c3e1c2a61768ede2dd98f2416a31560f336c69ba
Instruction ID: 24dc9cead91f978a6b9e4c6b567b51fd2451137c36279258074564716f454595
Opcode Fuzzy Hash: 0b7bbb66fcf70451c0ebf028c3e1c2a61768ede2dd98f2416a31560f336c69ba
Instruction Fuzzy Hash: 204175B2A115C181FE8AEF37D851BEC1320AB88B88F044175BB4D4B1B7CE24C945C391

Function 000000014000709C Relevance: 18.1, APIs: 11, Strings: 1, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00000001400070E8

Part of subcall function 0000000140007C84: HeapFree.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007C9A
Part of subcall function 0000000140007C84: _errno.LIBCMT ref: 0000000140007CA4
Part of subcall function 0000000140007C84: GetLastError.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007CAC

Part of subcall function 0000000140009FB8: free.LIBCMT ref: 0000000140009FD6
Part of subcall function 0000000140009FB8: free.LIBCMT ref: 0000000140009FE8
Part of subcall function 0000000140009FB8: free.LIBCMT ref: 0000000140009FFA
Part of subcall function 0000000140009FB8: free.LIBCMT ref: 000000014000A00C
Part of subcall function 0000000140009FB8: free.LIBCMT ref: 000000014000A01E
Part of subcall function 0000000140009FB8: free.LIBCMT ref: 000000014000A030
Part of subcall function 0000000140009FB8: free.LIBCMT ref: 000000014000A042

free.LIBCMT ref: 000000014000710A
free.LIBCMT ref: 0000000140007122
free.LIBCMT ref: 000000014000712E
free.LIBCMT ref: 0000000140007152
free.LIBCMT ref: 0000000140007166
free.LIBCMT ref: 0000000140007175
free.LIBCMT ref: 0000000140007181
free.LIBCMT ref: 00000001400071AE
free.LIBCMT ref: 00000001400071D6
free.LIBCMT ref: 00000001400071F0

Strings

set cnt=%u, xrefs: 00000001400070A6

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID: set cnt=%u
API String ID: 1012874770-2828257716
Opcode ID: a7204f641fd888543ebccd5a300dc037583feb6d28fc0ac9f0ff31aa7df69560
Instruction ID: 7a6db6a2343e5dd5c0e9816ab56062e0f075227aa9347ab99c1b5310c34c24cd
Opcode Fuzzy Hash: a7204f641fd888543ebccd5a300dc037583feb6d28fc0ac9f0ff31aa7df69560
Instruction Fuzzy Hash: 8E41EEB2A0168584FEA6DF66E451BE82361A788BC4F480435AB0D4B6E5CF7C8991C351

Function 00000001400043A8 Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00000001400043C7

Part of subcall function 0000000140007C84: HeapFree.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007C9A
Part of subcall function 0000000140007C84: _errno.LIBCMT ref: 0000000140007CA4
Part of subcall function 0000000140007C84: GetLastError.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007CAC

free.LIBCMT ref: 00000001400043D5
free.LIBCMT ref: 00000001400043E3
free.LIBCMT ref: 00000001400043F1
free.LIBCMT ref: 00000001400043FF
free.LIBCMT ref: 000000014000440D
free.LIBCMT ref: 000000014000441E
free.LIBCMT ref: 0000000140004436
_lock.LIBCMT ref: 0000000140004440
free.LIBCMT ref: 000000014000446E
_lock.LIBCMT ref: 0000000140004483
free.LIBCMT ref: 00000001400044CD

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: 0e8482407633a7921117a23cf237df3ad36ba258f9077fbf120b108d3a69a6b4
Instruction ID: d2f13f909b34aacd1498618138174f5b232319266cf79c858414d8288f07a6f7
Opcode Fuzzy Hash: 0e8482407633a7921117a23cf237df3ad36ba258f9077fbf120b108d3a69a6b4
Instruction Fuzzy Hash: F131E8B160258185FF9BEEA3B091BF91351AB88BC4F481225BB0E076E7CF3889418256

Function 000000014000B44C Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B4A2
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B4C1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B566
malloc.LIBCMT ref: 000000014000B57D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B5C5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B600
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B63C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B67C
free.LIBCMT ref: 000000014000B68A
free.LIBCMT ref: 000000014000B6AC

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: a0f4a3ba1ed18510eac19daeb87d654ac03dc1a802101e499c438ba8f6897839
Instruction ID: b8c244fe979aed404efefedd5fd6aca1a07b76cce841ec919e7ea618817f1f65
Opcode Fuzzy Hash: a0f4a3ba1ed18510eac19daeb87d654ac03dc1a802101e499c438ba8f6897839
Instruction Fuzzy Hash: D661B1B2214A8086EB26DF27B8407DA73E5F78C7E8F544625FB5A47BF4DB38C5818600

Function 000000014000A050 Relevance: 13.7, APIs: 9, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,000000014000A322), ref: 000000014000A0B0
GetLastError.KERNEL32(?,?,?,?,00000000,0000000A,00000008,000000014000A322), ref: 000000014000A0C2
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,000000014000A322), ref: 000000014000A122
malloc.LIBCMT ref: 000000014000A18E
MultiByteToWideChar.KERNEL32(?,?,?,?,00000000,0000000A,00000008,000000014000A322), ref: 000000014000A1D8
GetStringTypeW.KERNEL32(?,?,?,?,00000000,0000000A,00000008,000000014000A322), ref: 000000014000A1EF
free.LIBCMT ref: 000000014000A200
GetStringTypeA.KERNEL32(?,?,?,?,00000000,0000000A,00000008,000000014000A322), ref: 000000014000A27D
free.LIBCMT ref: 000000014000A28D

Part of subcall function 000000014000B44C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B4A2
Part of subcall function 000000014000B44C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B4C1
Part of subcall function 000000014000B44C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B5C5
Part of subcall function 000000014000B44C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 000000014000B600

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: 39fec09fe7d862a5082dd06ab3aee44626303477938a03265c05d06889bf9834
Instruction ID: f8a428f8f1c27eb13ca814c4eb41f29db3e9b51ec7c871c10cb5126b7a8d9394
Opcode Fuzzy Hash: 39fec09fe7d862a5082dd06ab3aee44626303477938a03265c05d06889bf9834
Instruction Fuzzy Hash: BA618DB22006808AEB22DF66F840BD977E5F74EBE8F544225FF1953BE4DA78C9458740

Function 0000000140001000 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000000140001015
GetProcAddress.KERNEL32 ref: 0000000140001032
GetCurrentProcess.KERNEL32 ref: 0000000140001048
GetProcAddress.KERNEL32 ref: 0000000140001069

Strings

IsWow64Process, xrefs: 0000000140001023
Wow64DisableWow64FsRedirection, xrefs: 000000014000105F
kernel32.dll, xrefs: 0000000140001006

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: AddressProc$CurrentHandleModuleProcess
String ID: IsWow64Process$Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 977827838-2164305346
Opcode ID: f10d2ad565f41914e2be0011ed248bd1c70d6dcddcc56e2f69a12dbe984a9b4d
Instruction ID: b8c1b6a9da65b661df1d773be3d9d5e39ffad0629026e022e46448475c6f277a
Opcode Fuzzy Hash: f10d2ad565f41914e2be0011ed248bd1c70d6dcddcc56e2f69a12dbe984a9b4d
Instruction Fuzzy Hash: 0601ECB123678081EA8ADB56B4547D563A0BB8C7C5F445015FB4E037B4EF7CC184C700

Function 0000000140001090 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000001400010A5
GetProcAddress.KERNEL32 ref: 00000001400010C2
GetCurrentProcess.KERNEL32 ref: 00000001400010D8
GetProcAddress.KERNEL32 ref: 00000001400010F9

Strings

IsWow64Process, xrefs: 00000001400010B3
kernel32.dll, xrefs: 0000000140001096
Wow64RevertWow64FsRedirection, xrefs: 00000001400010EF

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: AddressProc$CurrentHandleModuleProcess
String ID: IsWow64Process$Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 977827838-3015363329
Opcode ID: 8ca9e9ffaf6c02ee1d1ef1e8e0790e373e52147c569e813085291193a4d0f7d3
Instruction ID: 8f047146c1362feecd576a1a9e3fb2dfad68f5d87360168ea563691e7ac91dee
Opcode Fuzzy Hash: 8ca9e9ffaf6c02ee1d1ef1e8e0790e373e52147c569e813085291193a4d0f7d3
Instruction Fuzzy Hash: 3001D6B523674082EE8ADB96B894BE963A0AB8C7C1F481015FB4E037B4EF78C184C700

Function 00000001400080E8 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000140008111
_errno.LIBCMT ref: 000000014000811A
__doserrno.LIBCMT ref: 000000014000816A
_errno.LIBCMT ref: 0000000140008171

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 8cde325aed96a0fb36415dc33ff2919d5dbae84baa299f2d9ac9992a17a0aff2
Instruction ID: 833a92ed06525261f85501f91e41295ba4668f681d28abd4caeb0473ac624520
Opcode Fuzzy Hash: 8cde325aed96a0fb36415dc33ff2919d5dbae84baa299f2d9ac9992a17a0aff2
Instruction Fuzzy Hash: FB31BAB2214B8081E723DB27B8417DE2655B789BF0F118315BF7907BE3CA7884028B04

Function 0000000140008980 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00000001400089A9
_errno.LIBCMT ref: 00000001400089B2
__doserrno.LIBCMT ref: 0000000140008A01
_errno.LIBCMT ref: 0000000140008A08

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 1de3bbbdb22082daae01e57830c4a7bd3f7a96b8caa6de5e8735a83879859248
Instruction ID: 8424a48825bb3466cd1346276ea2c3b8a090cf49eab6c9960a89ffcd0f361eb3
Opcode Fuzzy Hash: 1de3bbbdb22082daae01e57830c4a7bd3f7a96b8caa6de5e8735a83879859248
Instruction Fuzzy Hash: 0631AFF2614A8081F723DF67B84179E3A55B78A7E0F55861ABF6907BF3CB7884028705

Function 000000014000BA20 Relevance: 12.1, APIs: 8, Instructions: 79COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014000BA3F
_errno.LIBCMT ref: 000000014000BA48
__doserrno.LIBCMT ref: 000000014000BA98
_errno.LIBCMT ref: 000000014000BA9F

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: e0491ad91fd7e2e89972cd83df9fa3de1c3cd71b0fb9db2b585291e16f70db89
Instruction ID: 4c1ba423e9b1515642a5736ef90e986451ae5e5c71fbe5095b918d5efc03b9f4
Opcode Fuzzy Hash: e0491ad91fd7e2e89972cd83df9fa3de1c3cd71b0fb9db2b585291e16f70db89
Instruction Fuzzy Hash: 5131BFB2604B8086E723EF77B8417EE3651A78A790F558215FB6507BF7CB78C4018709

Function 000000014000562C Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014000497C: _getptd.LIBCMT ref: 0000000140004992

_errno.LIBCMT ref: 000000014000566C
_errno.LIBCMT ref: 0000000140005826

Strings

0, xrefs: 0000000140005737
0, xrefs: 0000000140005765
-, xrefs: 00000001400056FE
+, xrefs: 0000000140005709

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: 7063b99684df259daf2a0fdf98b76d5b2af511295cac328950ad2bf15cd811ac
Instruction ID: baffb331a24d6b8c2e32fcc4bf3e9bdabe17c9363f40f8e18ad6796579cd6fab
Opcode Fuzzy Hash: 7063b99684df259daf2a0fdf98b76d5b2af511295cac328950ad2bf15cd811ac
Instruction Fuzzy Hash: 2D71E6B2908A8485F7B7E617B4053EB2691E74EBD6F298211FF5A036F1EB78C840D701

Function 0000000140002540 Relevance: 10.6, APIs: 7, Instructions: 112threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140002350: GetLastError.KERNEL32 ref: 000000014000237E

OpenThread.KERNEL32 ref: 000000014000257A
GetLastError.KERNEL32 ref: 0000000140002588
CloseHandle.KERNEL32 ref: 00000001400026D2

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ErrorLast$CloseHandleOpenThread
String ID:
API String ID: 855557445-0
Opcode ID: 1903bb7913e4aea3f2645cd8ed0401ab8ebb9ae3850a1c3baa194e9efaabe59a
Instruction ID: bf355b4118d7872fb6bc1152d8101654e1e0fdf0c3d4e378df032b9cf9cb1093
Opcode Fuzzy Hash: 1903bb7913e4aea3f2645cd8ed0401ab8ebb9ae3850a1c3baa194e9efaabe59a
Instruction Fuzzy Hash: FE417CB2315B8087E766DB23B4407EA63A4F78DBC4F588024EF8A47B64EF39C9458710

Function 000000014000B850 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014000B869
_errno.LIBCMT ref: 000000014000B8B6

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 3cf68246be9c877594333203b08bd2f58b68355280d1b2f6723eba62a9fcac42
Instruction ID: a9312902c278db3e4ee2b7a77a38ccf619f2542b57743fdf6879dc2ab7cf5c7f
Opcode Fuzzy Hash: 3cf68246be9c877594333203b08bd2f58b68355280d1b2f6723eba62a9fcac42
Instruction Fuzzy Hash: 3C31A5B2A14A8045F723EF77B5557EE2651A7997D0F154219BB15076F3CF7CC8018704

Function 0000000140006F70 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 0000000140006F97

Part of subcall function 0000000140005DDC: GetModuleFileNameA.KERNEL32(?,?,?,?,?,0000000140006038,?,?,?,?,000000014000AA25,?,?,00000000,0000000140007CE8), ref: 0000000140005E9F

Part of subcall function 0000000140005A60: ExitProcess.KERNEL32 ref: 0000000140005A6F

Part of subcall function 0000000140007CC4: malloc.LIBCMT ref: 0000000140007CE3
Part of subcall function 0000000140007CC4: Sleep.KERNEL32(?,?,00000000,0000000140006FD1,?,?,?,000000014000707B,?,?,?,?,?,?,00000000,0000000140004358), ref: 0000000140007CFA

_errno.LIBCMT ref: 0000000140006FD9
_lock.LIBCMT ref: 0000000140006FED
free.LIBCMT ref: 000000014000700F
_errno.LIBCMT ref: 0000000140007014
LeaveCriticalSection.KERNEL32(?,?,?,000000014000707B,?,?,?,?,?,?,00000000,0000000140004358), ref: 000000014000703A

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: 73d27a1774517e93bf437b1f2b58e27f5abb258e5d02c370d3f7d45c9b4a55c6
Instruction ID: 4c003e722e6021a59286af514f49aaf45584b6305e10afc2c06660b354eb13d9
Opcode Fuzzy Hash: 73d27a1774517e93bf437b1f2b58e27f5abb258e5d02c370d3f7d45c9b4a55c6
Instruction Fuzzy Hash: 132189B1A1468182F667EB23F414BEA63A5F78DBC0F049125BB4A876F2CF7CC8408755

Function 0000000140002440 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000000140002465
GetLastError.KERNEL32 ref: 0000000140002470
GetProcAddress.KERNEL32 ref: 0000000140002482
GetLastError.KERNEL32 ref: 000000014000249B

Strings

Wow64GetThreadSelectorEntry, xrefs: 0000000140002478
Kernel32.dll, xrefs: 0000000140002457

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: Kernel32.dll$Wow64GetThreadSelectorEntry
API String ID: 1762409328-2935370172
Opcode ID: 0c170b1e50661bb785bc0e7b074cd89f9d5189518034bd7e827e41a0d61ebc71
Instruction ID: 65a2fef7c9c7bd11d1424d8a1ffaf0e1e2c786880bc4d901ef0d3cb58c77d6bd
Opcode Fuzzy Hash: 0c170b1e50661bb785bc0e7b074cd89f9d5189518034bd7e827e41a0d61ebc71
Instruction Fuzzy Hash: 5F016DB1716B4086FB06CF57B84079562A0AB8DBC0F584025FF5943765EF38C9448740

Function 0000000140007A64 Relevance: 9.1, APIs: 6, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0000000140007A83

Part of subcall function 00000001400076A0: _getptd.LIBCMT ref: 00000001400076AA

Part of subcall function 000000014000775C: GetOEMCP.KERNEL32(?,?,?,?,?,?,?,0000000140007A9E,?,?,?,?,?,0000000140007C73), ref: 0000000140007786

Part of subcall function 0000000140007CC4: malloc.LIBCMT ref: 0000000140007CE3
Part of subcall function 0000000140007CC4: Sleep.KERNEL32(?,?,00000000,0000000140006FD1,?,?,?,000000014000707B,?,?,?,?,?,?,00000000,0000000140004358), ref: 0000000140007CFA

free.LIBCMT ref: 0000000140007B0F

Part of subcall function 0000000140007C84: HeapFree.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007C9A
Part of subcall function 0000000140007C84: _errno.LIBCMT ref: 0000000140007CA4
Part of subcall function 0000000140007C84: GetLastError.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007CAC

_lock.LIBCMT ref: 0000000140007B47
free.LIBCMT ref: 0000000140007BF7
free.LIBCMT ref: 0000000140007C27
_errno.LIBCMT ref: 0000000140007C2C

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 2878544890-0
Opcode ID: 4fceae20e418f77ce842c2886a37afb857d33c3242fd6813837a55a49e38de46
Instruction ID: c74b7cd7b19c86bb7a40a56e2e44e72fd1ff0ca267c357e1dc4b18f709be9327
Opcode Fuzzy Hash: 4fceae20e418f77ce842c2886a37afb857d33c3242fd6813837a55a49e38de46
Instruction Fuzzy Hash: 6A517CB2A0068086E767DB26B440BE9B7A1F788BD4F54821AFB5E473B6CB7CC541C710

Function 000000014000AE2C Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 000000014000AE5A

Part of subcall function 000000014000B6D4: CreateFileA.KERNEL32 ref: 000000014000B6FD

WriteConsoleW.KERNEL32 ref: 000000014000AE86
GetLastError.KERNEL32 ref: 000000014000AEA1
GetConsoleOutputCP.KERNEL32(?,?,?,?,0000000140008548,?,?,?,00000001,00000000,?,00000001,0000000140008A4C,?,00000000,?), ref: 000000014000AEB3
WideCharToMultiByte.KERNEL32 ref: 000000014000AEE6
WriteConsoleA.KERNEL32 ref: 000000014000AF0C

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: 3847cebf34ef8fe519bc520f1609f5bc5eea0f70f2317f58bd4716ff20f0b23a
Instruction ID: f36b571148acb9c5d6000f2f95e86bff99f7230f9e002f7abd88b473779a5dab
Opcode Fuzzy Hash: 3847cebf34ef8fe519bc520f1609f5bc5eea0f70f2317f58bd4716ff20f0b23a
Instruction Fuzzy Hash: 373159B2614A8582EB22CB62F4547EA63B0F78A7B4F501315F76A07AF4DBBCC545CB00

Function 0000000140004300 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 000000014000430A
FlsGetValue.KERNEL32(?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140004318
SetLastError.KERNEL32(?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140004370

Part of subcall function 0000000140007D30: Sleep.KERNEL32(?,?,?,0000000140004333,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007D75

FlsSetValue.KERNEL32(?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140004344
free.LIBCMT ref: 0000000140004367

Part of subcall function 000000014000424C: _lock.LIBCMT ref: 000000014000429C
Part of subcall function 000000014000424C: _lock.LIBCMT ref: 00000001400042BC

GetCurrentThreadId.KERNEL32 ref: 0000000140004358

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 5f34e0fd3207d4ff2146838a1e53426339c71e6239ce123d3b31858fa5f9c4de
Instruction ID: b33bdc97385f1d3ae81a4e8d48b6232c058a88b06399b4de1021089595fda490
Opcode Fuzzy Hash: 5f34e0fd3207d4ff2146838a1e53426339c71e6239ce123d3b31858fa5f9c4de
Instruction Fuzzy Hash: 9B017CB461170182FB07DF77B445BE922A1AB8DBE0F488224BB29033E2EE3CC4448210

Function 0000000140009FB8 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000000140009FD6

Part of subcall function 0000000140007C84: HeapFree.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007C9A
Part of subcall function 0000000140007C84: _errno.LIBCMT ref: 0000000140007CA4
Part of subcall function 0000000140007C84: GetLastError.KERNEL32(?,?,00000000,000000014000436C,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007CAC

free.LIBCMT ref: 0000000140009FE8
free.LIBCMT ref: 0000000140009FFA
free.LIBCMT ref: 000000014000A00C
free.LIBCMT ref: 000000014000A01E
free.LIBCMT ref: 000000014000A030
free.LIBCMT ref: 000000014000A042

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: fd71f77c5fc6cc53e258529c3f890ae0fd389e9c3dc19fe08a82801181395f5f
Instruction ID: 9248dbb57dd8c8fc79b1ff29f36c26379173841e9b7f7a914ac2dcea7de45e6a
Opcode Fuzzy Hash: fd71f77c5fc6cc53e258529c3f890ae0fd389e9c3dc19fe08a82801181395f5f
Instruction Fuzzy Hash: B9019BB260088591FEA7DF53E492FF91361A7CC7C4F440445B70E879B28E38D9809352

Function 00000001400024C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 34libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00000001400024DE
GetProcAddress.KERNEL32 ref: 0000000140002509
GetLastError.KERNEL32 ref: 0000000140002520

Strings

Wow64GetThreadContext, xrefs: 00000001400024FF
Kernel32.dll, xrefs: 00000001400024D2

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: Kernel32.dll$Wow64GetThreadContext
API String ID: 4275029093-4075402077
Opcode ID: ca73d05068edcfbd0bff73a568805ca1fd9e49e37523435a8671861ab56e8b98
Instruction ID: 1dcb106765e76c2e13f812d0b265d989c1120e1d05e8e1d1a619d470a1bc4f27
Opcode Fuzzy Hash: ca73d05068edcfbd0bff73a568805ca1fd9e49e37523435a8671861ab56e8b98
Instruction Fuzzy Hash: 06F031B1726B8082FB56CB57B94479563A0EB8DBC0F085035FF49477A9EE3CC5858700

Function 00000001400069E8 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0000000140006A0D

Part of subcall function 0000000140007D30: Sleep.KERNEL32(?,?,?,0000000140004333,?,?,?,000000014000438F,?,?,?,0000000140003B2D), ref: 0000000140007D75

GetFileType.KERNEL32 ref: 0000000140006B8A

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: a2103ee4e726047675d0c6192c066eef2d827095f8b9b8fb57a4085d6ff0d321
Instruction ID: 1bb0e84d5a69706c1b8391882ee1a8bfd5a0b5189e7c9238e51be9d2ad983df0
Opcode Fuzzy Hash: a2103ee4e726047675d0c6192c066eef2d827095f8b9b8fb57a4085d6ff0d321
Instruction Fuzzy Hash: 0791B4B260468081E722CB3AE4487A937A6F3097F4F658725E7B9573F1DB39C882C711

Function 000000014000949C Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00000001400095AD,?,?,?,?,0000000140005B56,?,?,00000001,0000000140004170), ref: 00000001400094C5
DecodePointer.KERNEL32(?,?,?,00000001400095AD,?,?,?,?,0000000140005B56,?,?,00000001,0000000140004170), ref: 00000001400094D4

Part of subcall function 000000014000B3B0: _errno.LIBCMT ref: 000000014000B3B9

EncodePointer.KERNEL32(?,?,?,00000001400095AD,?,?,?,?,0000000140005B56,?,?,00000001,0000000140004170), ref: 0000000140009551

Part of subcall function 0000000140007DB4: realloc.LIBCMT ref: 0000000140007DDF
Part of subcall function 0000000140007DB4: Sleep.KERNEL32(?,?,00000000,0000000140009541,?,?,?,00000001400095AD,?,?,?,?,0000000140005B56,?,?,00000001), ref: 0000000140007DFB

EncodePointer.KERNEL32(?,?,?,00000001400095AD,?,?,?,?,0000000140005B56,?,?,00000001,0000000140004170), ref: 0000000140009560
EncodePointer.KERNEL32(?,?,?,00000001400095AD,?,?,?,?,0000000140005B56,?,?,00000001,0000000140004170), ref: 000000014000956C

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: c52e4e8e026aee856f407a725959238e4c881c56461040fb35984d7096aff257
Instruction ID: 9f09be78bdf5cfc8267acd02f70f9dd9e2d8387c15e7eceb79b2464c211f60b7
Opcode Fuzzy Hash: c52e4e8e026aee856f407a725959238e4c881c56461040fb35984d7096aff257
Instruction Fuzzy Hash: 96214FB1715A4480EE13EBA3F9853DAA3A1B74D7C1F844825BB5E0B7B6DA78C181C304

Function 00000001400047EC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140008D9C: _errno.LIBCMT ref: 0000000140008DA5

_errno.LIBCMT ref: 0000000140004819
_errno.LIBCMT ref: 0000000140004835
_getbuf.LIBCMT ref: 00000001400048A2

Strings

set cnt=%u, xrefs: 00000001400047FE

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: _errno$_getbuf
String ID: set cnt=%u
API String ID: 606515832-2828257716
Opcode ID: e7fc0ddcd09eab2da87f3c2bad6808c806f1cf937b796ec0826f76bb8fb079ea
Instruction ID: 49f0b93bb06c02d154b754d2e5af7588712a26fede5e5ae1126c66b4597f8180
Opcode Fuzzy Hash: e7fc0ddcd09eab2da87f3c2bad6808c806f1cf937b796ec0826f76bb8fb079ea
Instruction Fuzzy Hash: 4341C2F2604B8086EB66DF2AE4413AD37A0E78CBD4F148615EBA9473F6DB34C851C784

Function 00000001400076A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00000001400076AA
_lock.LIBCMT ref: 00000001400076D8
free.LIBCMT ref: 000000014000770F

Strings

set cnt=%u, xrefs: 00000001400076A5

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: _getptd_lockfree
String ID: set cnt=%u
API String ID: 3892346632-2828257716
Opcode ID: 7201dcab26361b89bf4b1f02a74abce189312c501766974eb0ef828ea51235dd
Instruction ID: 077c2f06a8f8e2f1e701c720c4ea063f1f3f1cad55ac26694a35d2bff8db9782
Opcode Fuzzy Hash: 7201dcab26361b89bf4b1f02a74abce189312c501766974eb0ef828ea51235dd
Instruction Fuzzy Hash: F9116A72A15A8482EBAADB16F840BEA63A1F74CBD0F484125FB5D077B6CF38C844C710

Function 0000000140005A24 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,0000000140005A6D,?,?,00000028,000000014000AA39,?,?,00000000,0000000140007CE8,?,?,00000000,0000000140006FD1), ref: 0000000140005A33
GetProcAddress.KERNEL32(?,?,000000FF,0000000140005A6D,?,?,00000028,000000014000AA39,?,?,00000000,0000000140007CE8,?,?,00000000,0000000140006FD1), ref: 0000000140005A48

Strings

CorExitProcess, xrefs: 0000000140005A3E
mscoree.dll, xrefs: 0000000140005A2C

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 8077aba52962df8e4d485bd96ff3894c33d407a2b986854ee18d980751494c19
Instruction ID: 87174268823635a215ecc10db649d8f05eb1742a8762b6cbdbb3abb8cd5430dd
Opcode Fuzzy Hash: 8077aba52962df8e4d485bd96ff3894c33d407a2b986854ee18d980751494c19
Instruction Fuzzy Hash: 47E062B076370081FF1BDB53B894BE51250AB5E7C1F4864299A1E173B1EE3CC559C711

Function 0000000140002350 Relevance: 6.3, APIs: 5, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000000014000237E
GlobalAlloc.KERNEL32 ref: 0000000140002398
GlobalFree.KERNEL32 ref: 000000014000240A
CloseHandle.KERNEL32 ref: 0000000140002413

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: Global$AllocCloseErrorFreeHandleLast
String ID:
API String ID: 318044929-0
Opcode ID: 2c5b20160dcf21fb234f315528d8a483d4c26ce78fda4b9213d5795856ffa910
Instruction ID: c5339e6e2736b2c829b631b9b268efe1e11b22059db58e845c5f07aff5815358
Opcode Fuzzy Hash: 2c5b20160dcf21fb234f315528d8a483d4c26ce78fda4b9213d5795856ffa910
Instruction Fuzzy Hash: C5219FB26046408BEB66DF27B40179AB6E0F75CBC4F198035EF49873A4EB78C841CB50

Function 0000000140004224 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,0000000140004559,?,?,00000000,00000001400040EC), ref: 0000000140004233
DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,0000000140004559), ref: 0000000140006F0A
free.LIBCMT ref: 0000000140006F13
DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,0000000140004559), ref: 0000000140006F33

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 9e3f091b3ea5a1d378a1554f26e070b7ae859130acd6805bd7c77b43d306a3dc
Instruction ID: 14a49594b6673744a7b44bc32c36412160dedd67d22af4ee2d75b8b639badb6f
Opcode Fuzzy Hash: 9e3f091b3ea5a1d378a1554f26e070b7ae859130acd6805bd7c77b43d306a3dc
Instruction Fuzzy Hash: 35119AB1A12A80C2FA1ACF27F4503A97361F749BD0F588225FB5517AB5CB38C591CB00

Function 000000014000B74C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000014000B761

Part of subcall function 0000000140004694: DecodePointer.KERNEL32 ref: 00000001400046BB

_flush.LIBCMT ref: 000000014000B78A
_freebuf.LIBCMT ref: 000000014000B794

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: 46d97551379b156b172757c588fd4fb91044ee41b0987b47a08c04e6079ca8c9
Instruction ID: 84fa225897bd9138b8fbde7c84776147ae61ea1c7cbdf24ef90eb8d51bbe758f
Opcode Fuzzy Hash: 46d97551379b156b172757c588fd4fb91044ee41b0987b47a08c04e6079ca8c9
Instruction Fuzzy Hash: 9F0124F2B1864102FB26EA7BB4113E956919BDDBE8F290328BF19472F3CE38C4018200

Function 000000014000ACD8 Relevance: 6.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000014000ACE1
_errno.LIBCMT ref: 000000014000ACE9

Memory Dump Source

Source File: 00000000.00000002.2178814033.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2178791295.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178836865.000000014000C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178859162.000000014000F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2178966135.0000000140036000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2179016621.000000014003A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_1735021454574.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: ce9995388a960a9417bc2e9f6effb4c96c8a69ce434933a1a541bf1e6afaddb7
Instruction ID: 001ef56c74c5d3a5e1f4db13c3c8e5f6ab4c98c85571580cfaf58bb19c0e9a60
Opcode Fuzzy Hash: ce9995388a960a9417bc2e9f6effb4c96c8a69ce434933a1a541bf1e6afaddb7
Instruction Fuzzy Hash: EF01D4F2614A4445FB17EB26E4513D8369197AA7A2F518306FB2E076F2CB7C44018605

Analysis Process: explorer.exePID: 4004, Parent PID: 5256COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	99.2%
Signature Coverage:	1.4%
Total number of Nodes:	1780
Total number of Limit Nodes:	81

Executed Functions

Function 0000000180001ED0 Relevance: 9.9, APIs: 3, Strings: 3, Instructions: 918
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000000018000D2C4: _errno.LIBCMT ref: 000000018000D2DD

Part of subcall function 00000001800010E0: GetNativeSystemInfo.KERNEL32 ref: 0000000180001101

GlobalFree.KERNEL32 ref: 0000000180002B51

Strings

$MD1, xrefs: 0000000180002757
?, xrefs: 0000000180002904
gfff, xrefs: 0000000180002113

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: FreeGlobalInfoNativeSystem_errno
String ID: $MD1$?$gfff
API String ID: 2278041733-2078118166
Opcode ID: 5f2c421c6a07a3e3d2963dd4ef7b1b1f3b5fb676400d10221e93a7127a9de650
Instruction ID: ecc6feac4f5bf1ea090c30f3f77c46783113d54330767a366e4feff81798c637
Opcode Fuzzy Hash: 5f2c421c6a07a3e3d2963dd4ef7b1b1f3b5fb676400d10221e93a7127a9de650
Instruction Fuzzy Hash: 12722F71518B488FD7A5EF24D4957EAB7E1FB98341F00892EE49EC3291DF30A649CB42

Function 0000000180003B40 Relevance: 9.3, APIs: 6, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32558bb850f3c2cf0c2c254cb496f08563158198c610a8a7e6cf4217b97d4969
Instruction ID: e6aaa3197967bcab7a907498de6e5c90361519e2e5ad383921ca128c56c941b7
Opcode Fuzzy Hash: 32558bb850f3c2cf0c2c254cb496f08563158198c610a8a7e6cf4217b97d4969
Instruction Fuzzy Hash: 80A1C430218B49CFE796DF15D8897E973E5FB8C301F508629E49AC72D1DF3499458B82

Function 00000001800033F0 Relevance: 9.2, APIs: 6, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ad83c775c8780dee623aa14b5bf85c92dac3e650c1fc36ae3a69b7e3bf6c61
Instruction ID: e5ab5392bafa2c0cb17684c8847db0583a7c5f652f8bd16428fb4abaf0f55954
Opcode Fuzzy Hash: 94ad83c775c8780dee623aa14b5bf85c92dac3e650c1fc36ae3a69b7e3bf6c61
Instruction Fuzzy Hash: 9F51C530218B488FE799DF2998493AAB6E5FBD8352F10462DF48AC32D1DF74C9458B41

Function 00000001800041E0 Relevance: 7.7, APIs: 5, Instructions: 210
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 000000018000422E

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 5a7d9b673715129d7dfc5d83c03f8af6f580d029298280c7dd7525f5ea0ee178
Instruction ID: 53657cd98644d0d9de41157b0052dda7fda9864db0bd37cc4d4d23f3e79dafbf
Opcode Fuzzy Hash: 5a7d9b673715129d7dfc5d83c03f8af6f580d029298280c7dd7525f5ea0ee178
Instruction Fuzzy Hash: 5161B771208A08CFE795DB68D8487E973E0FB8C315F10462DE59BC72A1DF7499458B86

Function 00000001800072A0 Relevance: 6.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 00000001800072CA

Part of subcall function 000000018000D870: _FF_MSGBANNER.LIBCMT ref: 000000018000D8A0
Part of subcall function 000000018000D870: _errno.LIBCMT ref: 000000018000D8E9
Part of subcall function 000000018000D870: _errno.LIBCMT ref: 000000018000D8F4

malloc.LIBCMT ref: 000000018000732B

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: _errnomalloc
String ID:
API String ID: 2517923351-0
Opcode ID: 6c33eb6669c5131f3041ce7ad3721dfc3906b75e30d0b0a9a87bdc77bd911f28
Instruction ID: f440a108dd4c415892b3a95d4f69082f88541561dbb3acf8a3b6132d9ff71d4b
Opcode Fuzzy Hash: 6c33eb6669c5131f3041ce7ad3721dfc3906b75e30d0b0a9a87bdc77bd911f28
Instruction Fuzzy Hash: AD81663051CB898ED792EB2884417EAB7E0FBA9750F40856AF88DC7242DF34D65987D3

Function 0000000180001000 Relevance: 1.9, APIs: 1, Instructions: 402synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018000CF5C: _getptd.LIBCMT ref: 000000018000CF64

CreateMutexExW.KERNEL32 ref: 0000000180002EBD

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: CreateMutex_getptd
String ID:
API String ID: 1218354264-0
Opcode ID: 5e6b32911e7ee468a59e9446b280a4272ab6e43e8edd2c9d85040de1e0de09a1
Instruction ID: a99c7b89faaa1c2ef3ef6a318bdc800b181dcc30f134879d3f458adf00d043a4
Opcode Fuzzy Hash: 5e6b32911e7ee468a59e9446b280a4272ab6e43e8edd2c9d85040de1e0de09a1
Instruction Fuzzy Hash: 4BD18530218A4D8FF79AEB14D8957EA73E1FB98340F44C529F44AC7192DE78DA498782

Function 0000000180004460 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 222
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 000000018000452E

Strings

, xrefs: 00000001800044BE

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-3916222277
Opcode ID: b59f23568b84737825a868cdef9583452c88605ccc0962b6b265924643991b9b
Instruction ID: 11fca29627decc8c492dfb51485c437d1ac4c8b16eabfe4dc4435d9760ff9385
Opcode Fuzzy Hash: b59f23568b84737825a868cdef9583452c88605ccc0962b6b265924643991b9b
Instruction Fuzzy Hash: A181D27020864C8FEB95DF28D8487EA77E1FB89355F508629F48AC72E0DF74C5098B86

Function 0000000180005E00 Relevance: 6.2, APIs: 4, Instructions: 241
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32 ref: 0000000180005E68

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: c33227f78def897f2c7caf3e69340f8da9958d197893add00dce4bbebc9ef3a3
Instruction ID: 83a06cd48bcf39f01f2f57712c6f9a50f8f0c87e883da1e53fdbc21f24aff36a
Opcode Fuzzy Hash: c33227f78def897f2c7caf3e69340f8da9958d197893add00dce4bbebc9ef3a3
Instruction Fuzzy Hash: D981833161C6488FE7A5DF6498487EB73D2EB88391F15852EF4CAC3290DF7596068B42

Function 0000000180005090 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 0000000180005180

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2f24683230256da73a92b6224230259aa85e01a71729dac1983cd3ef2052a618
Instruction ID: 0bf000bdbbda505982e9fd7a727475adda7faee7407101d1370ee34e629a68cd
Opcode Fuzzy Hash: 2f24683230256da73a92b6224230259aa85e01a71729dac1983cd3ef2052a618
Instruction Fuzzy Hash: 1C517034618B4C8BEBE5EB5C98457AA77E1FB9C341F04816DF889C3285DE34ED498782

Function 0000000180006280 Relevance: 4.7, APIs: 2, Strings: 1, Instructions: 194
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 00000001800062DC
GlobalFree.KERNEL32 ref: 0000000180006463

Strings

0, xrefs: 00000001800063B5

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: Global$AllocFree
String ID: 0
API String ID: 3394109436-4108050209
Opcode ID: d06942922e6316174bae75cca06d025bd43f05bc2cea1e9d519623ef70e7dd9d
Instruction ID: f0303d85ea469aeeebc3348abf99e3bfcc9f21014176600010c6c02529bc85a4
Opcode Fuzzy Hash: d06942922e6316174bae75cca06d025bd43f05bc2cea1e9d519623ef70e7dd9d
Instruction Fuzzy Hash: 86615F70618B088FEB95DF18C0957A677E2FB9C340F50856DE88AC73A6DF34D9458B82

Function 0000000180007D90 Relevance: 3.3, APIs: 2, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNEL32 ref: 0000000180007FA9
VirtualProtectEx.KERNEL32 ref: 0000000180007FD5

Part of subcall function 0000000180007BC0: VirtualProtectEx.KERNEL32 ref: 0000000180007C09
Part of subcall function 0000000180007BC0: VirtualProtectEx.KERNEL32 ref: 0000000180007C33

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0824e74d374687fc9302544f1a5b5840816b4953a06dc48ebe33bdb9c8aaef13
Instruction ID: f94f2fb0f02f161d660a8c8ab4c8f384c1912499dff43cf7e5f71e5084719fe7
Opcode Fuzzy Hash: 0824e74d374687fc9302544f1a5b5840816b4953a06dc48ebe33bdb9c8aaef13
Instruction Fuzzy Hash: FD819630B15B4D8BE7A6EB14D8817F972D1FB6C390F448169F84AC2287DE28DE4587C2

Function 0000000180004E90 Relevance: 3.2, APIs: 2, Instructions: 189
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 0000000180004F3E
ResumeThread.KERNEL32 ref: 000000018000503B

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: Thread$CreateResume
String ID:
API String ID: 3373111408-0
Opcode ID: 4b4ac41434d37a412c23c756dd5a2fba4875ac3c510041d012472bc4ae7f0eee
Instruction ID: 80157a5e435ccfdc3fee8a7353cc9d9c67aba6f8308dc70f7bc577631c7baed2
Opcode Fuzzy Hash: 4b4ac41434d37a412c23c756dd5a2fba4875ac3c510041d012472bc4ae7f0eee
Instruction Fuzzy Hash: 32519871208B0E4BF7A5EF1994587BAB7D4FBA8341F00852EF889C3261DF74D9498785

Function 08651090 Relevance: 3.1, APIs: 2, Instructions: 94
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNEL32 ref: 08651119
VirtualProtect.KERNEL32 ref: 0865114C

Memory Dump Source

Source File: 00000001.00000002.3393371360.0000000008651000.00000020.00000001.00020000.00000000.sdmp, Offset: 08651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8651000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a8e21e152b0876bbf318a5bec3f137bfd16194ce79e1ed3a4551575268d3ff46
Instruction ID: 572502e62b4b27e059cde9ff61e6349e7d0389c4dd9ed5f13f6a9d31ad72e20a
Opcode Fuzzy Hash: a8e21e152b0876bbf318a5bec3f137bfd16194ce79e1ed3a4551575268d3ff46
Instruction Fuzzy Hash: 3031A87421CA888FDB98EF58C494F1AF3E1FB99309F51496CA48AC7391C7B8D941CB46

Function 0000000180007BC0 Relevance: 3.1, APIs: 2, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNEL32 ref: 0000000180007C09
VirtualProtectEx.KERNEL32 ref: 0000000180007C33

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 01f01cd444ce0dfde906d49b1b91e451c9cf1412b7cbcb49f6b6fddb18aeaae7
Instruction ID: c8e58c12fe52381085f5dc7afef6c93ea3a5ba39779d121c77299f3db4e58779
Opcode Fuzzy Hash: 01f01cd444ce0dfde906d49b1b91e451c9cf1412b7cbcb49f6b6fddb18aeaae7
Instruction Fuzzy Hash: 99015A3071CA1C4FEB94EB2CA84879ABBE2FBDD750F00465EB54AC3255CE38C9058782

Function 000000018000D830 Relevance: 3.0, APIs: 2, Instructions: 25
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL ref: 000000018000D846
_errno.LIBCMT ref: 000000018000D850

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: FreeHeap_errno
String ID:
API String ID: 1418752586-0
Opcode ID: fc300658bdf66316156499e7dd14fb9cdc132b3844eee78bfcbee5951fafe97c
Instruction ID: c72e4b8b0c6b6fcab5919b8e303c146a01e1ab12737662dc4635c5dfb3b8006b
Opcode Fuzzy Hash: fc300658bdf66316156499e7dd14fb9cdc132b3844eee78bfcbee5951fafe97c
Instruction Fuzzy Hash: B3E08C30702E0E4BFB9AA7B65C8D3B536E0EB5C356F00C429B401C7291FE68C9448341

Function 0868AB9C Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNEL32 ref: 0868ABAE
HeapSetInformation.KERNEL32 ref: 0868ABD8

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: d8ac970067d45cc6b8ca6f04f620d81849d1d9a637adec4463d69dc87cbded27
Instruction ID: 6d117573ba922c73ab79aafcd68a53b615af543aa8de04dc82d5c0bdb7ba4341
Opcode Fuzzy Hash: d8ac970067d45cc6b8ca6f04f620d81849d1d9a637adec4463d69dc87cbded27
Instruction Fuzzy Hash: 3FE086B572279096E74D9B21E8567566291F78C741F919029ED8902794DF3EC1458F00

Function 0000000180001BB0 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetWindowTextA.USER32 ref: 0000000180001BF8

Part of subcall function 000000018000D2C4: _errno.LIBCMT ref: 000000018000D2DD

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: TextWindow_errno
String ID:
API String ID: 3019145358-0
Opcode ID: b677f81b3f2ffa560ebbccea1017e9ed6b394e3674843ad288ac0304c4cb9e2f
Instruction ID: 77d6d3ec35cdb7c7ed6e7881458c7ec6d7553eb18d2ce4b3cc22b0b01fb80f72
Opcode Fuzzy Hash: b677f81b3f2ffa560ebbccea1017e9ed6b394e3674843ad288ac0304c4cb9e2f
Instruction Fuzzy Hash: 3D71197151CB888FD7A5DF28D4957DAB7E1FB99300F004A2EE58EC3251DB7496488B83

Function 00000001800017B0 Relevance: 1.6, APIs: 1, Instructions: 119libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 000000018000180E

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 092771797dd8eeeaa591b19d176f86b44a84155633dc7582d88bcd735b576e88
Instruction ID: 7dc838926c74155d805a2f47bc1461b4899a4e8620b95bf709a320a01489e7ae
Opcode Fuzzy Hash: 092771797dd8eeeaa591b19d176f86b44a84155633dc7582d88bcd735b576e88
Instruction Fuzzy Hash: 4331653051CA0D8FE795EF2894497A676E1FB9C341F50822EF84EC3291EF34C9448782

Function 0000000180005D00 Relevance: 1.6, APIs: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 0000000180005D5C

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: socket
String ID:
API String ID: 98920635-0
Opcode ID: e788f23cd038b3535f6c5993ff3036ce3a079d437048379db1c28a76881289bc
Instruction ID: 4bb6f6e6b6edcf02f823851ce2042b61fd4ee6284707f8234e1b68f0e6e7e58a
Opcode Fuzzy Hash: e788f23cd038b3535f6c5993ff3036ce3a079d437048379db1c28a76881289bc
Instruction Fuzzy Hash: E021C770208B0D4FE7A9AF1898493FA77D0EB9C315F10852FF89AC3391DA7499058782

Function 00000001800011B0 Relevance: 1.6, APIs: 1, Instructions: 83registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.KERNEL32 ref: 0000000180001235

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 9ac3b8b0ba84d999f9f914ef0e93d3836a84e3ed6c0e900450fc8296a8502626
Instruction ID: fecf059f4c156b18543093ed06e905ddefa737dbb1d2fe88a2e13eccfb9803fb
Opcode Fuzzy Hash: 9ac3b8b0ba84d999f9f914ef0e93d3836a84e3ed6c0e900450fc8296a8502626
Instruction Fuzzy Hash: 6E21843461CB4DCFEB91DB68A45876AB7E1FBA8342F04452DF84AC3290EF74C9458B42

Function 0000000180005C20 Relevance: 1.6, APIs: 1, Instructions: 82networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0000000180005C71

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 090b19a6b471cf81c26862f0c2c3a13d27bff1be5bb1431a09aea9f676972aa6
Instruction ID: 1773db1c7cf9f9e2fec702992df419f326b66ac2e99562e9bd9b513adb97b3c6
Opcode Fuzzy Hash: 090b19a6b471cf81c26862f0c2c3a13d27bff1be5bb1431a09aea9f676972aa6
Instruction Fuzzy Hash: 5B11037060CB0C4FF668AE98A84A77A77D0E74D352F10462EE4CAC3291EA609D468786

Function 0000000180012928 Relevance: 1.6, APIs: 1, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001294B

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: ffcca2f477c90883bfcac22c8be04dfff8cb4a3c7fa26df7db4bc107e273938e
Instruction ID: 5cb6f55356bcff33271e580b6eebc380a5b34fe508eaaca57b63d56fb82afccf
Opcode Fuzzy Hash: ffcca2f477c90883bfcac22c8be04dfff8cb4a3c7fa26df7db4bc107e273938e
Instruction Fuzzy Hash: 2711C431224E4E4BFB9ADB2C88587B972D2EB9C395F44C629A806C31D4FF74C6694701

Function 0000000180005B90 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

sendto.WS2_32(?,?,?,?,00000002,?,-00000001,0000000180005DA8), ref: 0000000180005BE0

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: sendto
String ID:
API String ID: 1876886790-0
Opcode ID: 45cf40861cfc29e66c7ef7be70d01dc55af5cf6328e33f610eb24d80ae721409
Instruction ID: 520a613ef59b2123309eedf36ce1b3cac54b7af707208aa9371330aa6756cf75
Opcode Fuzzy Hash: 45cf40861cfc29e66c7ef7be70d01dc55af5cf6328e33f610eb24d80ae721409
Instruction Fuzzy Hash: 5F110C7060C70C4FE754DE5C684E77A77D0E79C352F51462EF4DAC32E1DA6099464386

Function 0000000180004DF0 Relevance: 1.6, APIs: 1, Instructions: 55threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNEL32 ref: 0000000180004E5D

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 3f1b10e0ec4a9d93bc79e0e9caa9f245b55638458df9a8c05351cc1a84ca907d
Instruction ID: 080694349685a7129626e5ca01faff713315f58f34c37ec5ffa0c5819a21b8bb
Opcode Fuzzy Hash: 3f1b10e0ec4a9d93bc79e0e9caa9f245b55638458df9a8c05351cc1a84ca907d
Instruction Fuzzy Hash: 89115E7160CB488FE7A5DF18E4883AAB7E1FBDC345F40862EF489C3155DB748A048786

Function 00000001800010E0 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 0000000180001101

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: b739bf00b84cea278dbb1ac31ffff928a817d804d6718e2123ef48c8cafd9643
Instruction ID: 031dedfee65ecc0cca533cb4c18a43a3bfa0cab118393cd8ed21de31d5ced106
Opcode Fuzzy Hash: b739bf00b84cea278dbb1ac31ffff928a817d804d6718e2123ef48c8cafd9643
Instruction Fuzzy Hash: F0E09231024A4C4BE38BE724CC897EA72E2F78C705F944215FC8A80090FE3C479E8682

Function 0000000180010C98 Relevance: 1.5, APIs: 1, Instructions: 26memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(?,?,?,?,?,?,?,?,?,000000018000DD49), ref: 0000000180010CAA

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 4fdca9c5319175416e55ca5f323eb5680ab12a2b7b3c541f9ce4627eaf74460a
Instruction ID: e393395ee21a50b72b190f916765b2d1fef929cfb6792be4ae3ef835fa29265b
Opcode Fuzzy Hash: 4fdca9c5319175416e55ca5f323eb5680ab12a2b7b3c541f9ce4627eaf74460a
Instruction Fuzzy Hash: 9FE04F70614A094BE78CAF38DC5E36676E1F7C8341F54C53EB88AC2290EE7DC4458742

Function 086528F0 Relevance: 1.5, APIs: 1, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.3393371360.0000000008651000.00000020.00000001.00020000.00000000.sdmp, Offset: 08651000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8651000_explorer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65533fe2a296d722abbbfd6d5a33d892bd8917294aa977f88cedc82edc4c8fd1
Instruction ID: 16c2c9a30b6ef923867d874fd6cf2e8c127f490b31b01987d1ecd6717cd4d892
Opcode Fuzzy Hash: 65533fe2a296d722abbbfd6d5a33d892bd8917294aa977f88cedc82edc4c8fd1
Instruction Fuzzy Hash: 0C91B3746187888FD794DF18C098B1ABBE1FB98346F51596DF88AC3360DB74D885CB06

Non-executed Functions

Function 0868E804 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32 ref: 0868E876
GetLastError.KERNEL32 ref: 0868E88C
MultiByteToWideChar.KERNEL32 ref: 0868E936
malloc.LIBCMT ref: 0868E9A7
MultiByteToWideChar.KERNEL32 ref: 0868E9DE
LCMapStringW.KERNEL32 ref: 0868EA03
LCMapStringW.KERNEL32 ref: 0868EA53
malloc.LIBCMT ref: 0868EAA6
LCMapStringW.KERNEL32 ref: 0868EAE0
WideCharToMultiByte.KERNEL32 ref: 0868EB23
free.LIBCMT ref: 0868EB34
free.LIBCMT ref: 0868EB42
LCMapStringA.KERNEL32 ref: 0868EBD1
malloc.LIBCMT ref: 0868EC3F
LCMapStringA.KERNEL32 ref: 0868EC88
free.LIBCMT ref: 0868ECD0
LCMapStringA.KERNEL32 ref: 0868ECF0
free.LIBCMT ref: 0868ED02
free.LIBCMT ref: 0868ED14

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: 3313e138b9a74a3a53528cd811aef4569a513fe9d63799613f2a3a5c62c307db
Instruction ID: 69bbaa673484c0332cd69372c64cd0809e498ab8d208a9c75b831ceb79d37059
Opcode Fuzzy Hash: 3313e138b9a74a3a53528cd811aef4569a513fe9d63799613f2a3a5c62c307db
Instruction Fuzzy Hash: 7FE1F436600780CBCB20EF25E84079D77A6F748BE9F5A8719EA6E57B98DB39C541C700

Function 000000018001823C Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180018265
_errno.LIBCMT ref: 000000018001826E
__doserrno.LIBCMT ref: 00000001800182BF
_errno.LIBCMT ref: 00000001800182C6

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 43601c8c7b2f4b0f1200a7d9cd53ab2c4e33ed5c1cc4ba5399e24b4865e30923
Instruction ID: 3fa480570c39a7c0e17123c0f307b66eb67b7debe144f2a528cddf566df7f509
Opcode Fuzzy Hash: 43601c8c7b2f4b0f1200a7d9cd53ab2c4e33ed5c1cc4ba5399e24b4865e30923
Instruction Fuzzy Hash: 9641E530518A484EF39AEF3888423AD77C0EB4B364F558B2DF062A71D3EE749B059391

Function 0868AFD4 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 0868B097
GetStdHandle.KERNEL32 ref: 0868B1A3
WriteFile.KERNEL32 ref: 0868B1DD

Strings

Runtime Error!Program: , xrefs: 0868B056
<program name unknown>, xrefs: 0868B0A1
..., xrefs: 0868B0FA
Microsoft Visual C++ Runtime Library, xrefs: 0868B187

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: bdc9c95267300ace858b7450ec9648f501c3d30a68fdde1652205f4c1f4fad29
Instruction ID: 882beede90e597fd571f57c0c5e879cfe4dee8d8f93976ac004ae0e92dd4e99b
Opcode Fuzzy Hash: bdc9c95267300ace858b7450ec9648f501c3d30a68fdde1652205f4c1f4fad29
Instruction Fuzzy Hash: 405102A6710741C2EB28EB21E96076E2352B788795F92832EDE9D4ABD4CF3DC109C704

Function 0868E3F0 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 08690753
RtlLookupFunctionEntry.KERNEL32(?,0868A6F3,?,?,?,?,0868C715,?,?,?,?,00000000,0868730B), ref: 08690772
RtlVirtualUnwind.KERNEL32 ref: 086907BE
IsDebuggerPresent.KERNEL32 ref: 08690830
SetUnhandledExceptionFilter.KERNEL32 ref: 08690848
UnhandledExceptionFilter.KERNEL32 ref: 08690855
GetCurrentProcess.KERNEL32 ref: 0869086E
TerminateProcess.KERNEL32 ref: 0869087C

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: 8faf1e7a9eb732325bdfecd12948fc0ed64e85396adfb56f4871c3fbfa7df72c
Instruction ID: c552de6c28c05b23423906abbd4c0dab5d1e7d83fefa5ea14a533bfe8a309780
Opcode Fuzzy Hash: 8faf1e7a9eb732325bdfecd12948fc0ed64e85396adfb56f4871c3fbfa7df72c
Instruction Fuzzy Hash: BB314935104F80D5EB94AB14F86435A73A8F784755F42812ADACE53BA4EF7EC095CB01

Function 086878E4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 08687923
IsDebuggerPresent.KERNEL32 ref: 086879C1
SetUnhandledExceptionFilter.KERNEL32 ref: 086879CB
UnhandledExceptionFilter.KERNEL32 ref: 086879D6
GetCurrentProcess.KERNEL32 ref: 086879EC
TerminateProcess.KERNEL32 ref: 086879FA

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: ec36631e149f57fc21c0e52b31c3a8b1ed30f491ca2df94c0dcef3bfa982b701
Instruction ID: 2ac579f90e5f7f237f3f17c8b1b7106d1ade736bc80d6755e13d73f131141c08
Opcode Fuzzy Hash: ec36631e149f57fc21c0e52b31c3a8b1ed30f491ca2df94c0dcef3bfa982b701
Instruction Fuzzy Hash: 0F214836608B85C2DB24DB60F45439AB3A8F789745F51412ADBCD43BA8EF7DC199CB00

Function 0000000180015028 Relevance: 7.7, APIs: 5, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000000018001506E
_errno.LIBCMT ref: 00000001800150DC
_errno.LIBCMT ref: 00000001800150E7
_errno.LIBCMT ref: 000000018001511B
_errno.LIBCMT ref: 00000001800151FC

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: d14f15ac672a53c34aa39881308cd2f140cbcb15642c4c589e3670614f47f2f1
Instruction ID: d133ae7be4c53a2dfdc60fe052dd8832499520743795b990ff23e35164a2d277
Opcode Fuzzy Hash: d14f15ac672a53c34aa39881308cd2f140cbcb15642c4c589e3670614f47f2f1
Instruction Fuzzy Hash: 2A514430614A9C8FE3E6EFA894847AE76D1F78E351F54851DF0DACB1D1DE3045498741

Function 0868F0D4 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0868F0E9

Part of subcall function 086870F8: HeapFree.KERNEL32 ref: 0868710E
Part of subcall function 086870F8: _errno.LIBCMT ref: 08687118
Part of subcall function 086870F8: GetLastError.KERNEL32 ref: 08687120

free.LIBCMT ref: 0868F0F2
free.LIBCMT ref: 0868F0FB
free.LIBCMT ref: 0868F104
free.LIBCMT ref: 0868F10D
free.LIBCMT ref: 0868F116
free.LIBCMT ref: 0868F11E
free.LIBCMT ref: 0868F127
free.LIBCMT ref: 0868F130
free.LIBCMT ref: 0868F139
free.LIBCMT ref: 0868F142
free.LIBCMT ref: 0868F14B
free.LIBCMT ref: 0868F154
free.LIBCMT ref: 0868F15D
free.LIBCMT ref: 0868F166
free.LIBCMT ref: 0868F16F
free.LIBCMT ref: 0868F17B
free.LIBCMT ref: 0868F187
free.LIBCMT ref: 0868F193
free.LIBCMT ref: 0868F19F
free.LIBCMT ref: 0868F1AB
free.LIBCMT ref: 0868F1B7
free.LIBCMT ref: 0868F1C3
free.LIBCMT ref: 0868F1CF
free.LIBCMT ref: 0868F1DB
free.LIBCMT ref: 0868F1E7
free.LIBCMT ref: 0868F1F3
free.LIBCMT ref: 0868F1FF
free.LIBCMT ref: 0868F20B
free.LIBCMT ref: 0868F217
free.LIBCMT ref: 0868F223
free.LIBCMT ref: 0868F22F
free.LIBCMT ref: 0868F23B
free.LIBCMT ref: 0868F247
free.LIBCMT ref: 0868F253
free.LIBCMT ref: 0868F25F
free.LIBCMT ref: 0868F26B
free.LIBCMT ref: 0868F277
free.LIBCMT ref: 0868F283
free.LIBCMT ref: 0868F28F
free.LIBCMT ref: 0868F29B
free.LIBCMT ref: 0868F2A7
free.LIBCMT ref: 0868F2B3

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: f279103992dd5ad4dc59d123879ae7c91c13eff5f13c0979e33fa35bac6552c5
Instruction ID: 156cc8abfbab2b542e7d599e1af104007f6790d18a2c81bad8724f74b11e9ab4
Opcode Fuzzy Hash: f279103992dd5ad4dc59d123879ae7c91c13eff5f13c0979e33fa35bac6552c5
Instruction Fuzzy Hash: 534188A6215680C1CB45FF79C8D46EC1320EBC5FC5F65423D8A6D6B3E4CE91C849935C

Function 0868FA54 Relevance: 38.6, APIs: 16, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0868FA91
GetProcAddress.KERNEL32 ref: 0868FAAD
RtlEncodePointer.NTDLL ref: 0868FABF
GetProcAddress.KERNEL32 ref: 0868FAD5
RtlEncodePointer.NTDLL ref: 0868FADE
GetProcAddress.KERNEL32 ref: 0868FAF4
RtlEncodePointer.NTDLL ref: 0868FAFD
GetProcAddress.KERNEL32 ref: 0868FB13
RtlEncodePointer.NTDLL ref: 0868FB1C
GetProcAddress.KERNEL32 ref: 0868FB3A
RtlEncodePointer.NTDLL ref: 0868FB43
RtlDecodePointer.NTDLL ref: 0868FB75
RtlDecodePointer.NTDLL ref: 0868FB84
RtlDecodePointer.NTDLL ref: 0868FBDC
RtlDecodePointer.NTDLL ref: 0868FBFC
RtlDecodePointer.NTDLL ref: 0868FC15

Strings

GetActiveWindow, xrefs: 0868FAC4
GetUserObjectInformationA, xrefs: 0868FB02
MessageBoxA, xrefs: 0868FAA3
GetProcessWindowStation, xrefs: 0868FB30
USER32.DLL, xrefs: 0868FA8A
GetLastActivePopup, xrefs: 0868FAE3

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 2643518689-232180764
Opcode ID: 39f71b1e01be3e7598b01ecc797e56604442c4232cf5213920280205f3dded74
Instruction ID: 596a0654be0d3605e722f3ead5cbdd46cb57281a78c99cdfc11d8bbb14b4198a
Opcode Fuzzy Hash: 39f71b1e01be3e7598b01ecc797e56604442c4232cf5213920280205f3dded74
Instruction Fuzzy Hash: BE416D25242B01D0EE15FB66B97032A2395BB89BD1F478629CD9E03B64FF3DC142C701

Function 086876E0 Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 086876FF

Part of subcall function 086870F8: HeapFree.KERNEL32 ref: 0868710E
Part of subcall function 086870F8: _errno.LIBCMT ref: 08687118
Part of subcall function 086870F8: GetLastError.KERNEL32 ref: 08687120

free.LIBCMT ref: 0868770D
free.LIBCMT ref: 0868771B
free.LIBCMT ref: 08687729
free.LIBCMT ref: 08687737
free.LIBCMT ref: 08687745
free.LIBCMT ref: 08687756
free.LIBCMT ref: 0868776E
_lock.LIBCMT ref: 08687778
free.LIBCMT ref: 086877A6
_lock.LIBCMT ref: 086877BB
free.LIBCMT ref: 08687805

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: 376d596e6fbea7d518b28a71cdc31c2903fe193648389720dca1a098e9054f15
Instruction ID: 1d825e54da61ed5efda14d765e3f045d41033b261143708cd02dad59f5310b52
Opcode Fuzzy Hash: 376d596e6fbea7d518b28a71cdc31c2903fe193648389720dca1a098e9054f15
Instruction Fuzzy Hash: 7F212C29307640C4EE19FBA5D1A0B7C2321AF82BC6F6A572D8A1E177D4CF59C445D329

Function 086911D4 Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 0869122A
GetCPInfo.KERNEL32 ref: 08691249
MultiByteToWideChar.KERNEL32 ref: 086912EE
malloc.LIBCMT ref: 08691305
MultiByteToWideChar.KERNEL32 ref: 0869134D
WideCharToMultiByte.KERNEL32 ref: 08691388
WideCharToMultiByte.KERNEL32 ref: 086913C4
WideCharToMultiByte.KERNEL32 ref: 08691404
free.LIBCMT ref: 08691412
free.LIBCMT ref: 08691434

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: 0446cdde5fa73f2dffd72d7a99b777e9e2f9cf30c9086f4fab62af80e8be8df1
Instruction ID: 3a831d01deb39e55a1256d2acd645c06fcec2f0d1d2ad102121abb9a8dd189a8
Opcode Fuzzy Hash: 0446cdde5fa73f2dffd72d7a99b777e9e2f9cf30c9086f4fab62af80e8be8df1
Instruction Fuzzy Hash: 1151D672200781C6DF249F25E44035D77E9F786BE9F6A4A29DAAA47BD4DF3CC1868300

Function 0868C7F0 Relevance: 15.1, APIs: 10, Instructions: 121COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0868C81F
GetLastError.KERNEL32 ref: 0868C839
GetEnvironmentStringsW.KERNEL32 ref: 0868C85F
WideCharToMultiByte.KERNEL32 ref: 0868C8B4
WideCharToMultiByte.KERNEL32 ref: 0868C8F0
free.LIBCMT ref: 0868C8FE
FreeEnvironmentStringsW.KERNEL32 ref: 0868C909
GetEnvironmentStrings.KERNEL32 ref: 0868C921
FreeEnvironmentStringsA.KERNEL32 ref: 0868C962
FreeEnvironmentStringsA.KERNEL32 ref: 0868C97E

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide$ErrorLastfree
String ID:
API String ID: 994105223-0
Opcode ID: d393557732c112ddf0894083fdc387bb45cca2a0d0bdfcb51c60485ec16ba4b3
Instruction ID: bf43b3ec40c8d41e37ab15dec079a99f37f8bfd70749128c99c8c58d97b87479
Opcode Fuzzy Hash: d393557732c112ddf0894083fdc387bb45cca2a0d0bdfcb51c60485ec16ba4b3
Instruction Fuzzy Hash: 0441E072649744C2DE64BF22A958328B765F788FD2F0A8219CAAF17B14DF3CD092C754

Function 0868A704 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0868A750

Part of subcall function 086870F8: HeapFree.KERNEL32 ref: 0868710E
Part of subcall function 086870F8: _errno.LIBCMT ref: 08687118
Part of subcall function 086870F8: GetLastError.KERNEL32 ref: 08687120

Part of subcall function 0868F308: free.LIBCMT ref: 0868F326
Part of subcall function 0868F308: free.LIBCMT ref: 0868F338
Part of subcall function 0868F308: free.LIBCMT ref: 0868F34A
Part of subcall function 0868F308: free.LIBCMT ref: 0868F35C
Part of subcall function 0868F308: free.LIBCMT ref: 0868F36E
Part of subcall function 0868F308: free.LIBCMT ref: 0868F380
Part of subcall function 0868F308: free.LIBCMT ref: 0868F392

free.LIBCMT ref: 0868A772
free.LIBCMT ref: 0868A78A
free.LIBCMT ref: 0868A796
free.LIBCMT ref: 0868A7BA
free.LIBCMT ref: 0868A7CE
free.LIBCMT ref: 0868A7DD
free.LIBCMT ref: 0868A7E9
free.LIBCMT ref: 0868A816
free.LIBCMT ref: 0868A83E
free.LIBCMT ref: 0868A858

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: becd643ee524bd9784f9e06b01e95822b90b3266b9ed5f6fbb1eece3059595a2
Instruction ID: 3936ccbf92bbd38bc572519abab984ce4ac212d7849dc9d68308c483919ca467
Opcode Fuzzy Hash: becd643ee524bd9784f9e06b01e95822b90b3266b9ed5f6fbb1eece3059595a2
Instruction Fuzzy Hash: C0314E7A602690C4DF15FFA5C4947AC2320EB84B97F5A463ACF1E5A794CF68C092D326

Function 0868EDDC Relevance: 13.7, APIs: 9, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32 ref: 0868EE3C
GetLastError.KERNEL32 ref: 0868EE4E
MultiByteToWideChar.KERNEL32 ref: 0868EEAE
malloc.LIBCMT ref: 0868EF1A
MultiByteToWideChar.KERNEL32 ref: 0868EF64
GetStringTypeW.KERNEL32 ref: 0868EF7B
free.LIBCMT ref: 0868EF8C
GetStringTypeA.KERNEL32 ref: 0868F009
free.LIBCMT ref: 0868F019

Part of subcall function 086911D4: GetCPInfo.KERNEL32 ref: 0869122A
Part of subcall function 086911D4: GetCPInfo.KERNEL32 ref: 08691249
Part of subcall function 086911D4: MultiByteToWideChar.KERNEL32 ref: 0869134D
Part of subcall function 086911D4: WideCharToMultiByte.KERNEL32 ref: 08691388

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: 32208ec6c202189c7dd212cbee53c089e66ac4da055353748e56a9f0b2fe217a
Instruction ID: 567dd44760be0614ae723a074bff436905e8c4cd0ce58b48301c72ab6a42db12
Opcode Fuzzy Hash: 32208ec6c202189c7dd212cbee53c089e66ac4da055353748e56a9f0b2fe217a
Instruction Fuzzy Hash: CB51AD323007D0CBCB20AF25E4447597BA6F748BE9F5A4729EE6D53B98DB7AC4418740

Function 00000001800141D8 Relevance: 12.1, APIs: 8, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180014201
_errno.LIBCMT ref: 000000018001420A
__doserrno.LIBCMT ref: 000000018001425A
_errno.LIBCMT ref: 0000000180014261

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 7498d157698b7746850beff3fd2e829e48bf732930855a58c519cf1a8e397565
Instruction ID: 38bc18eaac75e1555d8fbb1c523b8b4abda5b6477ca50980ab2acc1a7ffb61ff
Opcode Fuzzy Hash: 7498d157698b7746850beff3fd2e829e48bf732930855a58c519cf1a8e397565
Instruction Fuzzy Hash: 6A31E631118E484EF39AEF2888423F976D0EB8B360FD18719F456D71E3DE7099468791

Function 0000000180014A70 Relevance: 12.1, APIs: 8, Instructions: 121COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180014A99
_errno.LIBCMT ref: 0000000180014AA2
__doserrno.LIBCMT ref: 0000000180014AF1
_errno.LIBCMT ref: 0000000180014AF8

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 7e7b2030ab5781a99dcd3cb582a0ad324e8d866afa0755c9bcd99179dfbf31d4
Instruction ID: ffd5e09e35865f82dca7ee5424638edfcc46553956dfcebd4d13adf6d73d7197
Opcode Fuzzy Hash: 7e7b2030ab5781a99dcd3cb582a0ad324e8d866afa0755c9bcd99179dfbf31d4
Instruction Fuzzy Hash: EE31E971508E4C8EF39ADF289C423B976D0EB8A360F918A1DF4569B1E3DF70D9064751

Function 00000001800186FC Relevance: 12.1, APIs: 8, Instructions: 103COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000000018001871B
_errno.LIBCMT ref: 0000000180018724
__doserrno.LIBCMT ref: 0000000180018774
_errno.LIBCMT ref: 000000018001877B

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 294244c60f646f5cbe51277ac12688e761e17f52b157ebf124e9b4b5352406c2
Instruction ID: cb0d40c4daa3642e78e311ec45b8ceee09d4b347cec2a76e0119e49c0e98f8a8
Opcode Fuzzy Hash: 294244c60f646f5cbe51277ac12688e761e17f52b157ebf124e9b4b5352406c2
Instruction Fuzzy Hash: 8E31C631518E4C4EF39ADF248C423AD7690FF4A3A4F918629F466971D3DF34CA099742

Function 0868C09C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 0868C0C1

Part of subcall function 0868BF08: Sleep.KERNEL32 ref: 0868BF4D

GetFileType.KERNEL32 ref: 0868C23E

Strings

@, xrefs: 0868C339

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID: @
API String ID: 1527402494-2766056989
Opcode ID: c128dbd6632ffd4248ad9e379446d5093a9cea490d8b2a16af4a0e249b3aac7a
Instruction ID: e3c56c9d1e9cdc7ac782e87dfcc88b3f711902e49434bb12999c5274c5003cc4
Opcode Fuzzy Hash: c128dbd6632ffd4248ad9e379446d5093a9cea490d8b2a16af4a0e249b3aac7a
Instruction Fuzzy Hash: 5A81AF72204780C5D754AB28E8987283BA9F3067B5F578729CABE473D0DF79C846C726

Function 086872A8 Relevance: 10.6, APIs: 7, Instructions: 87threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0868AB9C: HeapCreate.KERNEL32 ref: 0868ABAE
Part of subcall function 0868AB9C: HeapSetInformation.KERNEL32 ref: 0868ABD8

_RTC_Initialize.LIBCMT ref: 086872D8
GetCommandLineA.KERNEL32 ref: 086872DD

Part of subcall function 0868C7F0: GetEnvironmentStringsW.KERNEL32 ref: 0868C81F
Part of subcall function 0868C7F0: GetEnvironmentStringsW.KERNEL32 ref: 0868C85F

Part of subcall function 0868C09C: GetStartupInfoA.KERNEL32 ref: 0868C0C1

__setargv.LIBCMT ref: 08687306
_cinit.LIBCMT ref: 0868731A

Part of subcall function 0868755C: FlsFree.KERNEL32 ref: 0868756B
Part of subcall function 0868755C: RtlDeleteCriticalSection.NTDLL ref: 0868CF22
Part of subcall function 0868755C: free.LIBCMT ref: 0868CF2B
Part of subcall function 0868755C: RtlDeleteCriticalSection.NTDLL ref: 0868CF4B

Part of subcall function 0868C38C: free.LIBCMT ref: 0868C3D3

Part of subcall function 0868BF08: Sleep.KERNEL32 ref: 0868BF4D

FlsSetValue.KERNEL32 ref: 086873A0
GetCurrentThreadId.KERNEL32 ref: 086873B4
free.LIBCMT ref: 086873C3

Part of subcall function 086870F8: HeapFree.KERNEL32 ref: 0868710E
Part of subcall function 086870F8: _errno.LIBCMT ref: 08687118
Part of subcall function 086870F8: GetLastError.KERNEL32 ref: 08687120

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: Heapfree$CriticalDeleteEnvironmentFreeSectionStrings$CommandCreateCurrentErrorInfoInformationInitializeLastLineSleepStartupThreadValue__setargv_cinit_errno
String ID:
API String ID: 1549890855-0
Opcode ID: 283c50d896a9d63658f4f00dc5de43a054881fe9a129636bfa1b9e81bab13372
Instruction ID: 6f8a4a9c874d5dcf0a393f9d78228ee523bd02721fab9e28341cc8d28eb57f55
Opcode Fuzzy Hash: 283c50d896a9d63658f4f00dc5de43a054881fe9a129636bfa1b9e81bab13372
Instruction Fuzzy Hash: 7B218E68600702C7EB58B7B1A86132D2195AF95353F37C72DDD6EA6390FF69C042872B

Function 0868CF88 Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 0868CFAF

Part of subcall function 0868AFD4: GetModuleFileNameA.KERNEL32 ref: 0868B097

Part of subcall function 0868AC74: ExitProcess.KERNEL32 ref: 0868AC83

Part of subcall function 0868BE9C: malloc.LIBCMT ref: 0868BEBB
Part of subcall function 0868BE9C: Sleep.KERNEL32 ref: 0868BED2

_errno.LIBCMT ref: 0868CFF1
_lock.LIBCMT ref: 0868D005
free.LIBCMT ref: 0868D027
_errno.LIBCMT ref: 0868D02C
RtlLeaveCriticalSection.NTDLL ref: 0868D052

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: 283bd625c8364f752987b89d34cabbe9ebeec6f66fb256fd47e402271791c09f
Instruction ID: 34a4a7279899b078985ae042f56d2fe91e112649f0ffacc1d9a117daa9cdb9bd
Opcode Fuzzy Hash: 283bd625c8364f752987b89d34cabbe9ebeec6f66fb256fd47e402271791c09f
Instruction Fuzzy Hash: A511BB25705740C6E764BF21E84472A3264FB86796F478239DA8E8B7C4CF7CC8478729

Function 0868A4E4 Relevance: 9.1, APIs: 6, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 0868A503

Part of subcall function 0868A120: _getptd.LIBCMT ref: 0868A12A

Part of subcall function 0868A1DC: GetOEMCP.KERNEL32 ref: 0868A206

Part of subcall function 0868BE9C: malloc.LIBCMT ref: 0868BEBB
Part of subcall function 0868BE9C: Sleep.KERNEL32 ref: 0868BED2

free.LIBCMT ref: 0868A58F

Part of subcall function 086870F8: HeapFree.KERNEL32 ref: 0868710E
Part of subcall function 086870F8: _errno.LIBCMT ref: 08687118
Part of subcall function 086870F8: GetLastError.KERNEL32 ref: 08687120

_lock.LIBCMT ref: 0868A5C7
free.LIBCMT ref: 0868A677
free.LIBCMT ref: 0868A6A7
_errno.LIBCMT ref: 0868A6AC

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 2878544890-0
Opcode ID: 580b649d5609bd17aeb9ea713830221fdc699fcba30a52baa2cb33095edf5949
Instruction ID: 8ff095dd14495630f3ca2d412db9a7cdc024e13d535e75e2564eaee10927405c
Opcode Fuzzy Hash: 580b649d5609bd17aeb9ea713830221fdc699fcba30a52baa2cb33095edf5949
Instruction Fuzzy Hash: E1512376600740C6D315BFA5E440369B7A1F785B96F1A831BCEAE473A8DF38C082CB16

Function 08687638 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 08687642
FlsGetValue.KERNEL32 ref: 08687650
SetLastError.KERNEL32 ref: 086876A8

Part of subcall function 0868BF08: Sleep.KERNEL32 ref: 0868BF4D

FlsSetValue.KERNEL32 ref: 0868767C
free.LIBCMT ref: 0868769F

Part of subcall function 08687584: _lock.LIBCMT ref: 086875D4
Part of subcall function 08687584: _lock.LIBCMT ref: 086875F4

GetCurrentThreadId.KERNEL32 ref: 08687690

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 37ad6029f9974726fbbb501f797784d54179e855ebd20c38894f830b3584d9fe
Instruction ID: d220bb47058d89a438d79b7a9779a204473a75ef9fd93f2d89eee531a7452358
Opcode Fuzzy Hash: 37ad6029f9974726fbbb501f797784d54179e855ebd20c38894f830b3584d9fe
Instruction Fuzzy Hash: 6A016724201701D6EB05BF65E454B286292BB4CB61F1B8328CAA9023D4FE3DC4558711

Function 0868F308 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0868F326

Part of subcall function 086870F8: HeapFree.KERNEL32 ref: 0868710E
Part of subcall function 086870F8: _errno.LIBCMT ref: 08687118
Part of subcall function 086870F8: GetLastError.KERNEL32 ref: 08687120

free.LIBCMT ref: 0868F338
free.LIBCMT ref: 0868F34A
free.LIBCMT ref: 0868F35C
free.LIBCMT ref: 0868F36E
free.LIBCMT ref: 0868F380
free.LIBCMT ref: 0868F392

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: ba785d1238c982941d140903edaecbae51a63fc984231ccd6f56899fb4e0d745
Instruction ID: 94d0506aec19393bb877dbf213a6414f2c9846a0716136c69e99f6e14491144a
Opcode Fuzzy Hash: ba785d1238c982941d140903edaecbae51a63fc984231ccd6f56899fb4e0d745
Instruction Fuzzy Hash: 66014F67240540D2DB54FB65D4E17381330F7C4B82F974209CB5EA7B90CF66D8C497AA

Function 000000018001852C Relevance: 7.6, APIs: 5, Instructions: 100COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000000180018545
_errno.LIBCMT ref: 0000000180018592

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 66e38eb1e5d66ecc368760ba28c7464eab6b20168ac38c0cfa2f5cdc5c2698cc
Instruction ID: 7eaa298a39d5edb1a091d49c89841dc9be7c21f829c64403009eb85fb0032ddf
Opcode Fuzzy Hash: 66e38eb1e5d66ecc368760ba28c7464eab6b20168ac38c0cfa2f5cdc5c2698cc
Instruction Fuzzy Hash: 0531D330614E484BF39AEB3898813EE7691FF4A368F41862CB416871D3DF748A089741

Function 0868F53C Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL ref: 0868F565
RtlDecodePointer.NTDLL ref: 0868F574

Part of subcall function 0869145C: _errno.LIBCMT ref: 08691465

RtlEncodePointer.NTDLL ref: 0868F5F1

Part of subcall function 0868BF8C: realloc.LIBCMT ref: 0868BFB7
Part of subcall function 0868BF8C: Sleep.KERNEL32 ref: 0868BFD3

RtlEncodePointer.NTDLL ref: 0868F600
RtlEncodePointer.NTDLL ref: 0868F60C

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 0cc20bc375ed2b9f610671fd6a6de7abce82c7d909c4fdaef63fdc2765df7a7b
Instruction ID: 926548600e5b0e6b9aedff284167da8e2c28730539b8d23b2a41e984cdb34dc8
Opcode Fuzzy Hash: 0cc20bc375ed2b9f610671fd6a6de7abce82c7d909c4fdaef63fdc2765df7a7b
Instruction Fuzzy Hash: ED21C325702740C1CA05FB62F94421AB3A1B745BC2F465A3ADA5E0B728EEB8C4C68749

Function 0000000180011378 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 285COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018000D360: _getptd.LIBCMT ref: 000000018000D376

_errno.LIBCMT ref: 00000001800113B8
_errno.LIBCMT ref: 0000000180011572

Strings

$, xrefs: 0000000180011475
$, xrefs: 00000001800113EE

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: _errno$_getptd
String ID: $$$
API String ID: 3432092939-233714265
Opcode ID: 628abe1c37211aa1e69a6a3a5b0f5158e21bd252ecc63f90f0ca9b436314b50e
Instruction ID: 719a013db85181580619d3f18e3ccd385cc2ff7d98486f2603fb3e4d842d2cf1
Opcode Fuzzy Hash: 628abe1c37211aa1e69a6a3a5b0f5158e21bd252ecc63f90f0ca9b436314b50e
Instruction Fuzzy Hash: 56911830418E5C8EF7FE9A1894453F536D6FB8D796F55825DF8E7870C2DE208A4A4382

Function 0868AC38 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0868AC47
GetProcAddress.KERNEL32 ref: 0868AC5C

Strings

mscoree.dll, xrefs: 0868AC40
CorExitProcess, xrefs: 0868AC52

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 7b4cb664fb2ab5645f0be5aeebf7c8d4f91b51fef83cf398051d408f8a539b73
Instruction ID: 5371183d73b026162ad6636a765b45113155fd92743edb945f4a085964734118
Opcode Fuzzy Hash: 7b4cb664fb2ab5645f0be5aeebf7c8d4f91b51fef83cf398051d408f8a539b73
Instruction Fuzzy Hash: D2D01210753B00A2EE199B91A8E433423547B4CB02F49502DC9BE063E0EE3985598300

Function 0000000180013DFC Relevance: 6.1, APIs: 4, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 0000000180013E23

Part of subcall function 0000000180012D10: malloc.LIBCMT ref: 0000000180012D2F

_errno.LIBCMT ref: 0000000180013E65
_lock.LIBCMT ref: 0000000180013E79
_errno.LIBCMT ref: 0000000180013EA0

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: _errno$_lockmalloc
String ID:
API String ID: 1671854079-0
Opcode ID: 381b43b2b8868dfcb9f7b802502813704024486d86e8a58bb0aeecdb47f1f8d8
Instruction ID: 888981d36ae89b3067ddb48cb700251f1a868c6ce81f92e328970524db5aa5b3
Opcode Fuzzy Hash: 381b43b2b8868dfcb9f7b802502813704024486d86e8a58bb0aeecdb47f1f8d8
Instruction Fuzzy Hash: B1214A30614E0D8FF7E6EB64D8463E9B2D0EB8C384F509929B44AC32D6DE78DA488741

Function 0000000180016F70 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 0000000180016F79
_errno.LIBCMT ref: 0000000180016F81

Memory Dump Source

Source File: 00000001.00000002.3400453857.0000000180001000.00000020.00000001.00020000.00000000.sdmp, Offset: 0000000180001000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_180001000_explorer.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3c138d0b8e5f6388ccef93b597e4149f16349683ddef87cac72fa958e73bcdba
Instruction ID: 7fb6307f630c15b9362d7ee8c26be92a3507078568b3bbf3d38f2e14c59678f4
Opcode Fuzzy Hash: 3c138d0b8e5f6388ccef93b597e4149f16349683ddef87cac72fa958e73bcdba
Instruction Fuzzy Hash: D201B531524D4C4EF39BDB649C117E83690FB4A36AF81C66CB406D70F2DF7846098311

Function 0868755C Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32 ref: 0868756B
RtlDeleteCriticalSection.NTDLL ref: 0868CF22
free.LIBCMT ref: 0868CF2B
RtlDeleteCriticalSection.NTDLL ref: 0868CF4B

Memory Dump Source

Source File: 00000001.00000002.3393425629.0000000008681000.00000020.00000001.00020000.00000000.sdmp, Offset: 08655000, based on PE: true

Associated: 00000001.00000002.3393388164.0000000008655000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393404640.0000000008659000.00000004.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393444515.0000000008692000.00000002.00000001.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.3393461383.0000000008696000.00000040.00000001.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_8655000_explorer.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 31135a0a69f803a47937673d2efa7490800c990632010fab1e98cc66b807944b
Instruction ID: 04cf6a09182378cb8983db5b994a257a398082c7f29ccd8c8d052ed4d7495f9e
Opcode Fuzzy Hash: 31135a0a69f803a47937673d2efa7490800c990632010fab1e98cc66b807944b
Instruction Fuzzy Hash: 7611E131A06A40C6FF18AF25F8543187320FB44B91F9A8319EBAD03795CF39C0A6CB12

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1735021454574.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\ZP76TkMV.bat

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
1735021454574.exe

Function 00000001400018F0 Relevance: 53.0, APIs: 35, Instructions: 504
memoryCOMMON

Function 0000000140003160 Relevance: 40.6, APIs: 22, Strings: 1, Instructions: 319
memorysynchronizationCOMMON

Function 0000000140002260 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 62
libraryloaderCOMMON

Function 0000000140003830 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52
synchronizationthreadCOMMON

Function 0000000140003740 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
processCOMMON

Function 00000001400015F0 Relevance: 28.1, APIs: 6, Strings: 10, Instructions: 141
memoryCOMMON

Function 0000000140001170 Relevance: 25.6, APIs: 17, Instructions: 118
fileCOMMON

Function 0000000140001470 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 92
processsynchronizationCOMMON

Function 0000000140006834 Relevance: 15.1, APIs: 10, Instructions: 121
COMMON

Function 0000000140005BB0 Relevance: 13.6, APIs: 9, Instructions: 98
COMMON

Function 0000000140004018 Relevance: 12.1, APIs: 8, Instructions: 111
COMMON

Function 00000001400036B0 Relevance: 4.5, APIs: 3, Instructions: 38
COMMON

Function 0000000140002160 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Function 0000000140006D48 Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMON

Function 0000000140007CC4 Relevance: 2.5, APIs: 2, Instructions: 30
sleepCOMMONLIBRARYCODE