Edit tour

Windows Analysis Report
iDaD62by4N.exe

Overview

General Information

Sample name:	iDaD62by4N.exe renamed because original name is a hash value
Original sample name:	da566ba3ba5c66a305a19f2695b6f638.exe
Analysis ID:	1583296
MD5:	da566ba3ba5c66a305a19f2695b6f638
SHA1:	b2aeef0bd25408585f26779271a025a77a825e25
SHA256:	0171b83f8a99eb2b3c2e06077c692cba3c17fd697535676d356c7db679abc976
Tags:	exeMeterpreteruser-abuse_ch
Infos:

Detection

Metasploit, Meterpreter

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Metasploit Payload

Yara detected Meterpreter

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to change the desktop window for a process (likely to hide graphical interactions)

Contains functionality to check if the process is started with administrator privileges

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found direct / indirect Syscall (likely to bypass EDR)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to delete services

Contains functionality to dynamically determine API calls

Contains functionality to enumerate device drivers

Contains functionality to enumerate running services

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

iDaD62by4N.exe (PID: 1096 cmdline: "C:\Users\user\Desktop\iDaD62by4N.exe" MD5: DA566BA3BA5C66A305A19F2695B6F638)

conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Meterpreter		No Attribution	http://schierlm.users.sourceforge.net/avevasion.html http://www.secureworks.com/research/threat-profiles/gold-franklin http://www.secureworks.com/research/threat-profiles/gold-winter https://asec.ahnlab.com/en/53046/ https://asec.ahnlab.com/en/56236/	https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter

Malware Configuration

Threatname: Meterpreter

{"Type": "tcp", "IP": "43.136.177.76", "Port": 6666}

Threatname: Metasploit

{"Type": "Metasploit Connect", "IP": "43.136.177.76", "Port": 6666}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
iDaD62by4N.exe	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
iDaD62by4N.exe	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x16d69:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
iDaD62by4N.exe	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0x16dbf:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x4766c:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
dump.pcap	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x47545:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x4777d:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x478cb:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
dump.pcap	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x475b1:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x477e9:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x47937:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x81:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0xd7:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x569:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0x5bf:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x569:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0x5bf:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x139e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x1277:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x14af:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x15fd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x12e3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x151b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x1669:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmp	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmp	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0xc38:$s1: PACKET TRANSMIT 0xc48:$s2: PACKET RECEIVE 0xa18:$s3: \\%s\pipe\%s 0xa60:$s3: \\%s\pipe\%s 0x990:$s4: %04x-%04x:%s 0x7c7c:$s5: server.dll
00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x4139e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x41277:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x414af:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x415fd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x412e3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x4151b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x41669:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x37a38:$s1: PACKET TRANSMIT 0x37a48:$s2: PACKET RECEIVE 0x37818:$s3: \\%s\pipe\%s 0x37860:$s3: \\%s\pipe\%s 0x37790:$s4: %04x-%04x:%s 0x3ea7c:$s5: server.dll
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.iDaD62by4N.exe.7ff6ef710000.0.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.0.iDaD62by4N.exe.7ff6ef710000.0.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x16d69:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.0.iDaD62by4N.exe.7ff6ef710000.0.unpack	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0x16dbf:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
0.2.iDaD62by4N.exe.7ff6ef710000.5.unpack	JoeSecurity_MetasploitPayload_3	Yara detected Metasploit Payload	Joe Security
0.2.iDaD62by4N.exe.7ff6ef710000.5.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x16d69:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.2.iDaD62by4N.exe.7ff6ef710000.5.unpack	Windows_Trojan_Metasploit_91bc5d7d	unknown	unknown	0x16dbf:$a: 49 BE 77 73 32 5F 33 32 00 00 41 56 49 89 E6 48 81 EC A0 01 00 00 49 89 E5
0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x4139e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x41277:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x414af:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x415fd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x412e3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x4151b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x41669:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x37a38:$s1: PACKET TRANSMIT 0x37a48:$s2: PACKET RECEIVE 0x37818:$s3: \\%s\pipe\%s 0x37860:$s3: \\%s\pipe\%s 0x37790:$s4: %04x-%04x:%s 0x3ea7c:$s5: server.dll
0.2.iDaD62by4N.exe.22da3810000.1.unpack	JoeSecurity_Meterpreter	Yara detected Meterpreter	Joe Security
0.2.iDaD62by4N.exe.22da3810000.1.unpack	Windows_Trojan_Metasploit_38b8ceec	Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon).	unknown	0x4139e:$a1: 89 E5 31 D2 64 8B 52 30 8B 52 0C 8B 52 14 8B 72 28 0F B7 4A 26 31 FF 31 C0 AC 3C 61
0.2.iDaD62by4N.exe.22da3810000.1.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x41277:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x414af:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61 0x415fd:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
0.2.iDaD62by4N.exe.22da3810000.1.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x412e3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x4151b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1 0x41669:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
0.2.iDaD62by4N.exe.22da3810000.1.unpack	MALWARE_Win_Meterpreter	Detects Meterpreter payload	ditekSHen	0x37a38:$s1: PACKET TRANSMIT 0x37a48:$s2: PACKET RECEIVE 0x37818:$s3: \\%s\pipe\%s 0x37860:$s3: \\%s\pipe\%s 0x37790:$s4: %04x-%04x:%s 0x3ea7c:$s5: server.dll
Click to see the 11 entries

Suricata Signatures

ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T11:56:58.572624+0100	2025644	1	A Network Trojan was detected	43.136.177.76	6666	192.168.2.5	49704	TCP

ETPRO MALWARE Cobalt Strike Stager Payload

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T11:56:57.566564+0100	2851878	1	A Network Trojan was detected	43.136.177.76	6666	192.168.2.5	49704	TCP
2025-01-02T11:56:57.566718+0100	2851878	1	A Network Trojan was detected	43.136.177.76	6666	192.168.2.5	49704	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: iDaD62by4N.exe

Avira: detected

Found malware configuration

Source: iDaD62by4N.exe	Malware Configuration Extractor: Metasploit {"Type": "Metasploit Connect", "IP": "43.136.177.76", "Port": 6666}
Source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack	Malware Configuration Extractor: Meterpreter {"Type": "tcp", "IP": "43.136.177.76", "Port": 6666}

Multi AV Scanner detection for submitted file

Source: iDaD62by4N.exe	Virustotal: Detection: 34%			Perma Link
Source: iDaD62by4N.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA381B564 CryptDecodeObjectEx,GetLastError,CryptAcquireContextW,CryptAcquireContextW,GetLastError,CryptImportPublicKeyInfo,GetLastError,CryptEncrypt,calloc,memcpy_s,CryptEncrypt,GetLastError,free,LocalFree,CryptDestroyKey,CryptReleaseContext,	0_2_0000022DA381B564
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA381AC84 memcpy_s,CryptDuplicateKey,GetLastError,CryptSetKeyParam,GetLastError,CryptGenRandom,GetLastError,CryptSetKeyParam,GetLastError,htonl,malloc,memcpy_s,CryptEncrypt,GetLastError,htonl,memcpy_s,memcpy_s,malloc,htonl,memcpy_s,memcpy_s,CryptDestroyKey,	0_2_0000022DA381AC84
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA381B138 calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptImportKey,GetLastError,free,	0_2_0000022DA381B138
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA381B69F CryptImportPublicKeyInfo,GetLastError,free,LocalFree,CryptDestroyKey,CryptReleaseContext,	0_2_0000022DA381B69F
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA381B4A4 CryptDestroyKey,CryptReleaseContext,free,	0_2_0000022DA381B4A4
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA381A904 calloc,htonl,htonl,CryptDuplicateKey,GetLastError,CryptSetKeyParam,GetLastError,CryptSetKeyParam,GetLastError,CryptDecrypt,GetLastError,memmove_s,htonl,htonl,malloc,memcpy_s,CryptDestroyKey,	0_2_0000022DA381A904
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5444790 GetLastError,CryptDestroyHash,CryptReleaseContext,fclose,	0_2_0000022DA5444790
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5444770 GetLastError,CryptAcquireContextA,GetLastError,CryptCreateHash,GetLastError,_fread_nolock,CryptHashData,_fread_nolock,CryptGetHashParam,GetLastError,CryptGetHashParam,GetLastError,CryptDestroyHash,CryptReleaseContext,fclose,	0_2_0000022DA5444770

Source: iDaD62by4N.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: createThread.pdb source: iDaD62by4N.exe

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54451C0 _snprintf,strrchr,_snprintf,strrchr,GetLastError,FindFirstFileW,GetLastError,_snprintf,_snprintf,free,free,FindNextFileW,GetLastError,FindClose,free,free,free,	0_2_0000022DA54451C0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5445940 FindFirstFileW,FindClose,	0_2_0000022DA5445940
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5445660 SetLastError,lstrcmpiW,GetFileAttributesW,SetLastError,RemoveDirectoryW,GetLastError,lstrlenW,lstrlenW,wsprintfW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,wsprintfW,SetFileAttributesW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,	0_2_0000022DA5445660
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5447060 calloc,swprintf,FindFirstFileW,calloc,swprintf,free,FindNextFileW,FindClose,free,GetLastError,GetLastError,free,	0_2_0000022DA5447060
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5446F00 swprintf,FindFirstFileW,FindNextFileW,FindClose,GetLastError,GetLastError,	0_2_0000022DA5446F00
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B2090 calloc,swprintf,FindFirstFileW,calloc,swprintf,free,FindNextFileW,FindClose,free,GetLastError,GetLastError,free,	0_2_0000022DA54B2090
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B1F30 swprintf,FindFirstFileW,CreateFileW,CloseHandle,FindNextFileW,FindClose,GetLastError,GetLastError,	0_2_0000022DA54B1F30

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA5441260 GetLogicalDriveStringsA,GetLastError,GetDriveTypeA,malloc,WNetGetUniversalNameA,free,GetDiskFreeSpaceExA,

0_2_0000022DA5441260

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2851878 - Severity 1 - ETPRO MALWARE Cobalt Strike Stager Payload : 43.136.177.76:6666 -> 192.168.2.5:49704

Yara detected Meterpreter

Source: Yara match	File source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 43.136.177.76

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 43.136.177.76:6666

Source: Joe Sandbox View

ASN Name: LILLY-ASUS LILLY-ASUS

Source: Network traffic

Suricata IDS: 2025644 - Severity 1 - ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server) : 43.136.177.76:6666 -> 192.168.2.5:49704

Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76
Source: unknown	TCP traffic detected without corresponding DNS query: 43.136.177.76

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA3821AA4 recv,SetLastError,recv,GetLastError,SetLastError,SetLastError,htonl,malloc,SetLastError,memcpy_s,recv,GetLastError,SetLastError,SetLastError,SetLastError,GetLastError,free,free,

0_2_0000022DA3821AA4

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA5453B00 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetAsyncKeyState,GetKeyNameTextW,ToUnicodeEx,GetKeyNameTextW,_snwprintf,

0_2_0000022DA5453B00

Source: iDaD62by4N.exe

Binary or memory string: GetRawInputData

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5453B00 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetAsyncKeyState,GetKeyNameTextW,ToUnicodeEx,GetKeyNameTextW,_snwprintf,		0_2_0000022DA5453B00
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5453E30 GetKeyState,GetKeyState,GetKeyState,GetKeyboardState,GetForegroundWindow,GetWindowThreadProcessId,EnumChildWindows,OpenProcess,GetSystemTime,GetDateFormatW,GetTimeFormatW,_snwprintf,_snwprintf,CloseHandle,GetAsyncKeyState,GetKeyNameTextW,ToUnicodeEx,GetKeyNameTextW,_snwprintf,		0_2_0000022DA5453E30

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA381B138 calloc,CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptImportKey,GetLastError,free,

0_2_0000022DA381B138

System Summary

Malicious sample detected (through community Yara rule)

Source: iDaD62by4N.exe, type: SAMPLE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: iDaD62by4N.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.0.iDaD62by4N.exe.7ff6ef710000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.0.iDaD62by4N.exe.7ff6ef710000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 0.2.iDaD62by4N.exe.7ff6ef710000.5.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.iDaD62by4N.exe.7ff6ef710000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d Author: unknown
Source: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter payload Author: ditekSHen
Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon). Author: unknown
Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter payload Author: ditekSHen

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37C91B8 NtAllocateVirtualMemory,	0_2_0000022DA37C91B8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37C9214 NtProtectVirtualMemory,	0_2_0000022DA37C9214
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF718720 NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,GetStdHandle,GetLastError,	0_2_00007FF6EF718720

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA54B5C10 OpenSCManagerA,GetLastError,OpenServiceA,GetLastError,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,SetLastError,

0_2_0000022DA54B5C10

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA544BE70 calloc,_snprintf,mbstowcs,calloc,mbstowcs,malloc,CreatePipe,CreatePipe,LoadLibraryA,GetProcAddress,GetProcAddress,OpenProcess,malloc,GetLastError,wprintf,GetLastError,free,GetLastError,GetLastError,wprintf,GetLastError,FreeLibrary,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,DuplicateTokenEx,DuplicateTokenEx,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,CreateProcessAsUserW,GetLastError,LoadLibraryA,GetProcAddress,mbstowcs,malloc,mbstowcs,mbstowcs,malloc,mbstowcs,GetLastError,FreeLibrary,free,free,FreeLibrary,GetLastError,LoadLibraryA,GetCurrentProcessId,GetProcAddress,CreateProcessAsUserW,CreateProcessW,GetLastError,FreeLibrary,CloseHandle,CreateProcessW,GetLastError,ResumeThread,GetLastError,CloseHandle,CloseHandle,CloseHandle,free,free,free,free,free,

0_2_0000022DA544BE70

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA5450C30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,CloseHandle,

0_2_0000022DA5450C30

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37C9540	0_2_0000022DA37C9540
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37F4FE8	0_2_0000022DA37F4FE8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37F584C	0_2_0000022DA37F584C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37E9EE8	0_2_0000022DA37E9EE8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37F66D8	0_2_0000022DA37F66D8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37F1CBC	0_2_0000022DA37F1CBC
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37EC564	0_2_0000022DA37EC564
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37E0D2C	0_2_0000022DA37E0D2C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37E9BDC	0_2_0000022DA37E9BDC
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37EE31C	0_2_0000022DA37EE31C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37EBA1C	0_2_0000022DA37EBA1C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37F3178	0_2_0000022DA37F3178
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37ED134	0_2_0000022DA37ED134
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA37EC914	0_2_0000022DA37EC914
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF7120C0	0_2_00007FF6EF7120C0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF724D40	0_2_00007FF6EF724D40
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF71AD50	0_2_00007FF6EF71AD50
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF723520	0_2_00007FF6EF723520
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF714BC0	0_2_00007FF6EF714BC0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF723C20	0_2_00007FF6EF723C20
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF721350	0_2_00007FF6EF721350
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF7202D0	0_2_00007FF6EF7202D0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF719260	0_2_00007FF6EF719260
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA383A7DC	0_2_0000022DA383A7DC
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA383EF1C	0_2_0000022DA383EF1C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA383C61C	0_2_0000022DA383C61C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA383D514	0_2_0000022DA383D514
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA383DD34	0_2_0000022DA383DD34
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA3843D78	0_2_0000022DA3843D78
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA384644C	0_2_0000022DA384644C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA3845BE8	0_2_0000022DA3845BE8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA38472D8	0_2_0000022DA38472D8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA383AAE8	0_2_0000022DA383AAE8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA383192C	0_2_0000022DA383192C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA381A140	0_2_0000022DA381A140
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA383D164	0_2_0000022DA383D164
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA38428BC	0_2_0000022DA38428BC
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5474204	0_2_0000022DA5474204
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5443A80	0_2_0000022DA5443A80
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA547F28C	0_2_0000022DA547F28C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA547EA28	0_2_0000022DA547EA28
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54733E8	0_2_0000022DA54733E8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54703B4	0_2_0000022DA54703B4
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54463B0	0_2_0000022DA54463B0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5475C5C	0_2_0000022DA5475C5C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA545DC10	0_2_0000022DA545DC10
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5479C1C	0_2_0000022DA5479C1C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA546FB58	0_2_0000022DA546FB58
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA546EB84	0_2_0000022DA546EB84
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA546C5E4	0_2_0000022DA546C5E4
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA544BE70	0_2_0000022DA544BE70
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5474D28	0_2_0000022DA5474D28
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA547600C	0_2_0000022DA547600C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA547BEE0	0_2_0000022DA547BEE0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54786F0	0_2_0000022DA54786F0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA547FF50	0_2_0000022DA547FF50
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5457720	0_2_0000022DA5457720
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B5260	0_2_0000022DA54B5260
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54C4E88	0_2_0000022DA54C4E88
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B5E30	0_2_0000022DA54B5E30
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B9D00	0_2_0000022DA54B9D00
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54C4098	0_2_0000022DA54C4098
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B6984	0_2_0000022DA54B6984
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B8514	0_2_0000022DA54B8514
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54BA00C	0_2_0000022DA54BA00C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54C3790	0_2_0000022DA54C3790
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54BC47C	0_2_0000022DA54BC47C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54C4448	0_2_0000022DA54C4448
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54BE6DC	0_2_0000022DA54BE6DC
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B8B00	0_2_0000022DA54B8B00
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54BBAB8	0_2_0000022DA54BBAB8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54C56C0	0_2_0000022DA54C56C0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B8F64	0_2_0000022DA54B8F64

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: String function: 00007FF6EF722F90 appears 63 times

Source: iDaD62by4N.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: iDaD62by4N.exe, type: SAMPLE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.0.iDaD62by4N.exe.7ff6ef710000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.0.iDaD62by4N.exe.7ff6ef710000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 0.2.iDaD62by4N.exe.7ff6ef710000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.iDaD62by4N.exe.7ff6ef710000.5.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_91bc5d7d reference_sample = 0dd993ff3917dc56ef02324375165f0d66506c5a9b9548eda57c58e041030987, os = windows, severity = x86, creation_date = 2021-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 8848a3de66a25dd98278761a7953f31b7995e48621dec258f3d92bd91a4a3aa3, id = 91bc5d7d-31e3-4c02-82b3-a685194981f3, last_modified = 2021-10-04
Source: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload
Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_38b8ceec os = windows, severity = x86, description = Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = 44b9022d87c409210b1d0807f5a4337d73f19559941660267d63cd2e4f2ff342, id = 38b8ceec-601c-4117-b7a0-74720e26bf38, last_modified = 2021-08-23
Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_Meterpreter author = ditekSHen, description = Detects Meterpreter payload

Source: classification engine

Classification label: mal100.troj.evad.winEXE@2/1@0/1

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA5455A19 GetLastError,FormatMessageA,free,SetLastError,

0_2_0000022DA5455A19

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA381F018 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_0000022DA381F018
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA38128F8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,GetLastError,CreateEventW,GetLastError,GetCurrentProcess,DuplicateHandle,GetLastError,VirtualAllocEx,GetLastError,WriteProcessMemory,GetLastError,WriteProcessMemory,GetLastError,WriteProcessMemory,GetLastError,WriteProcessMemory,GetLastError,free,GetLastError,free,CloseHandle,CloseHandle,	0_2_0000022DA38128F8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA544CA70 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,	0_2_0000022DA544CA70
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5451B90 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_0000022DA5451B90
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5450C30 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,CloseHandle,	0_2_0000022DA5450C30
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5449E40 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,wcsstr,CloseHandle,FreeLibrary,	0_2_0000022DA5449E40
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B45E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_0000022DA54B45E0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B6740 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,GetHandleInformation,CloseHandle,SetLastError,	0_2_0000022DA54B6740

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA5441260 GetLogicalDriveStringsA,GetLastError,GetDriveTypeA,malloc,WNetGetUniversalNameA,free,GetDiskFreeSpaceExA,

0_2_0000022DA5441260

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: OpenSCManagerA,GetLastError,CreateServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,SetLastError,

0_2_0000022DA54B5B20

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA54570E0 CoInitialize,CoCreateInstance,VariantInit,_Wcsftime,VariantClear,GetLastError,CoUninitialize,

0_2_0000022DA54570E0

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA54B49B0 FindResourceA,calloc,CreateEventA,CreateEventA,LoadResource,GetLastError,SizeofResource,LockResource,CloseHandle,CloseHandle,VirtualFreeEx,CloseHandle,VirtualAllocEx,GetLastError,WriteProcessMemory,GetLastError,GetProcessId,WaitForSingleObject,ReadProcessMemory,GetLastError,SetEvent,GetLastError,WaitForSingleObject,_snwprintf_s,_snwprintf_s,_snwprintf_s,GetLastError,

0_2_0000022DA54B49B0

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA54B5970 OpenSCManagerA,GetLastError,OpenServiceA,GetLastError,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,SetLastError,

0_2_0000022DA54B5970

Source: C:\Users\user\Desktop\iDaD62by4N.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03

Source: iDaD62by4N.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: iDaD62by4N.exe	Virustotal: Detection: 34%
Source: iDaD62by4N.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\iDaD62by4N.exe "C:\Users\user\Desktop\iDaD62by4N.exe"
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Section loaded: dhcpcsvc.dll	Jump to behavior

Source: iDaD62by4N.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: iDaD62by4N.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: iDaD62by4N.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: createThread.pdb source: iDaD62by4N.exe

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_00007FF6EF719AC0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,ReleaseMutex,

0_2_00007FF6EF719AC0

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA37FA318 push rax; iretd

0_2_0000022DA37FA319

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA54B5970 OpenSCManagerA,GetLastError,OpenServiceA,GetLastError,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,SetLastError,

0_2_0000022DA54B5970

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA54511D0 ClearEventLogA,GetLastError,

0_2_0000022DA54511D0

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA383A7DC EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0000022DA383A7DC

Malware Analysis System Evasion

Contains functionality to check if the process is started with administrator privileges

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA5449E40 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,wcsstr,CloseHandle,FreeLibrary,

0_2_0000022DA5449E40

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: malloc,EnumDeviceDrivers,GetDeviceDriverFileNameW,free,free,free,

0_2_0000022DA5452050

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: GetVersionExA,GetLastError,OpenSCManagerA,GetLastError,EnumServicesStatusA,GetLastError,GetLastError,malloc,GetLastError,EnumServicesStatusA,GetLastError,OpenServiceA,QueryServiceStatusEx,OpenProcess,GetCurrentThreadId,_snwprintf_s,VirtualAllocEx,WriteProcessMemory,WaitForSingleObject,GetExitCodeThread,GetCurrentThread,OpenThreadToken,DuplicateToken,CloseServiceHandle,GetHandleInformation,CloseHandle,GetHandleInformation,CloseHandle,GetHandleInformation,CloseHandle,CloseServiceHandle,free,SetLastError,

0_2_0000022DA54B5E30

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-66975

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-67031

Source: C:\Users\user\Desktop\iDaD62by4N.exe

API coverage: 3.9 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54451C0 _snprintf,strrchr,_snprintf,strrchr,GetLastError,FindFirstFileW,GetLastError,_snprintf,_snprintf,free,free,FindNextFileW,GetLastError,FindClose,free,free,free,	0_2_0000022DA54451C0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5445940 FindFirstFileW,FindClose,	0_2_0000022DA5445940
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5445660 SetLastError,lstrcmpiW,GetFileAttributesW,SetLastError,RemoveDirectoryW,GetLastError,lstrlenW,lstrlenW,wsprintfW,FindFirstFileW,lstrcpyW,lstrcmpiW,lstrcmpiW,lstrlenW,lstrlenW,lstrlenW,wsprintfW,SetFileAttributesW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindNextFileW,GetLastError,FindClose,RemoveDirectoryW,	0_2_0000022DA5445660
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5447060 calloc,swprintf,FindFirstFileW,calloc,swprintf,free,FindNextFileW,FindClose,free,GetLastError,GetLastError,free,	0_2_0000022DA5447060
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5446F00 swprintf,FindFirstFileW,FindNextFileW,FindClose,GetLastError,GetLastError,	0_2_0000022DA5446F00
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B2090 calloc,swprintf,FindFirstFileW,calloc,swprintf,free,FindNextFileW,FindClose,free,GetLastError,GetLastError,free,	0_2_0000022DA54B2090
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B1F30 swprintf,FindFirstFileW,CreateFileW,CloseHandle,FindNextFileW,FindClose,GetLastError,GetLastError,	0_2_0000022DA54B1F30

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA5441260 GetLogicalDriveStringsA,GetLastError,GetDriveTypeA,malloc,WNetGetUniversalNameA,free,GetDiskFreeSpaceExA,

0_2_0000022DA5441260

Source: iDaD62by4N.exe, 00000000.00000002.3274403965.0000022DA36CE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\iDaD62by4N.exe	API call chain: ExitProcess graph end node			graph_0-67117
Source: C:\Users\user\Desktop\iDaD62by4N.exe	API call chain: ExitProcess graph end node			graph_0-66524

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_00007FF6EF725AC4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6EF725AC4

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA38414DC EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0000022DA38414DC

Source: C:\Users\user\Desktop\iDaD62by4N.exe

0_2_00007FF6EF719AC0

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_00007FF6EF719230 HeapAlloc,GetProcessHeap,HeapAlloc,

0_2_00007FF6EF719230

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF725C6C SetUnhandledExceptionFilter,	0_2_00007FF6EF725C6C
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_00007FF6EF725AC4 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6EF725AC4
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA381A844 GetModuleHandleW,SetUnhandledExceptionFilter,ExitProcess,ExitThread,	0_2_0000022DA381A844
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA3840BE0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0000022DA3840BE0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54779E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0000022DA54779E4
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54BB4D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0000022DA54BB4D4

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to change the desktop window for a process (likely to hide graphical interactions)

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA5452A00 GetCurrentProcessId,GetCurrentProcessId,OpenWindowStationA,RevertToSelf,OpenWindowStationA,GetProcessWindowStation,SetProcessWindowStation,GetLastError,OpenDesktopA,GetLastError,SetThreadDesktop,GetLastError,SwitchDesktop,GetLastError,CloseDesktop,CloseWindowStation,SetProcessWindowStation,

0_2_0000022DA5452A00

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA544AA20 VirtualAlloc,GetThreadContext,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,TerminateProcess,

0_2_0000022DA544AA20

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA3819AE4 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,		0_2_0000022DA3819AE4
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B6560 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,		0_2_0000022DA54B6560

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\iDaD62by4N.exe	NtAllocateVirtualMemory: Indirect: 0x22DA37C9206	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	NtProtectVirtualMemory: Indirect: 0x22DA3725F83	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	NtAllocateVirtualMemory: Indirect: 0x22DA5342D8E	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	NtAllocateVirtualMemory: Indirect: 0x22DA3725F2E	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	NtProtectVirtualMemory: Indirect: 0x22DA5342DE3	Jump to behavior
Source: C:\Users\user\Desktop\iDaD62by4N.exe	NtProtectVirtualMemory: Indirect: 0x22DA37C9257	Jump to behavior

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA381ED28 AllocateAndInitializeSid,SetEntriesInAclW,AllocateAndInitializeSid,LocalAlloc,InitializeAcl,LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,SetSecurityDescriptorSacl,

0_2_0000022DA381ED28

Source: C:\Users\user\Desktop\iDaD62by4N.exe

0_2_0000022DA381ED28

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: GetComputerNameA,GetLastError,LoadLibraryA,GetProcAddress,GetProcAddress,GetNativeSystemInfo,GetProcAddress,GetLocaleInfoA,malloc,GetLocaleInfoA,GetLocaleInfoA,malloc,GetLocaleInfoA,_snprintf,_snprintf,free,free,NetWkstaGetInfo,free,NetApiBufferFree,IsUserAnAdmin,GetCurrentProcessId,

0_2_0000022DA54515C0

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA3820A6C CreateNamedPipeW,GetLastError,CreateNamedPipeW,GetLastError,ConnectNamedPipe,GetLastError,CloseHandle,

0_2_0000022DA3820A6C

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_00007FF6EF72598C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6EF72598C

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA5451920 GetTimeZoneInformation,GetLocalTime,_snwprintf_s,

0_2_0000022DA5451920

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Code function: 0_2_0000022DA3814AE8 GetVersionExW,GetLastError,SetLastError,GetLastError,VirtualAlloc,GetLastError,VirtualAlloc,GetLastError,SetLastError,GetLastError,SetLastError,GetLastError,VirtualFree,VirtualFree,

0_2_0000022DA3814AE8

Source: C:\Users\user\Desktop\iDaD62by4N.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected Metasploit Payload

Source: Yara match	File source: iDaD62by4N.exe, type: SAMPLE
Source: Yara match	File source: 0.0.iDaD62by4N.exe.7ff6ef710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iDaD62by4N.exe.7ff6ef710000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Meterpreter

Source: Yara match	File source: 0.2.iDaD62by4N.exe.22da37c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.iDaD62by4N.exe.22da3810000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA38216F8 bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,closesocket,	0_2_0000022DA38216F8
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA5448AA0 malloc,WSASocketA,WSASocketA,setsockopt,closesocket,WSASocketA,WSAGetLastError,htons,htons,htons,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,WSACreateEvent,WSAGetLastError,WSAEventSelect,WSAGetLastError,closesocket,free,	0_2_0000022DA5448AA0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54495B0 malloc,inet_addr,inet_addr,WSASocketA,WSAGetLastError,htons,bind,WSAGetLastError,WSACreateEvent,WSAGetLastError,WSAEventSelect,WSAGetLastError,closesocket,free,	0_2_0000022DA54495B0
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B2E39 RpcBindingFree,free,	0_2_0000022DA54B2E39
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B2D30 malloc,_snwprintf_s,DceErrorInqTextA,RpcBindingFree,free,	0_2_0000022DA54B2D30
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B3940 RpcBindingFree,	0_2_0000022DA54B3940
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B3810 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,	0_2_0000022DA54B3810
Source: C:\Users\user\Desktop\iDaD62by4N.exe	Code function: 0_2_0000022DA54B2E90 _snwprintf_s,RpcStringBindingComposeW,DceErrorInqTextA,RpcBindingFromStringBindingW,RpcStringFreeW,RpcBindingSetAuthInfoW,	0_2_0000022DA54B2E90

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	31 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	12 Service Execution	1 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 System Service Discovery	Remote Desktop Protocol	31 Input Capture	2 Encrypted Channel	Exfiltration Over Bluetooth	1 System Shutdown/Reboot
Email Addresses	DNS Server	Domain Accounts	At	12 Windows Service	1 Valid Accounts	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	11 Access Token Manipulation	2 Obfuscated Files or Information	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Windows Service	1 DLL Side-Loading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	22 Process Injection	1 Masquerading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Valid Accounts	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Access Token Manipulation	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	22 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Indicator Removal	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
iDaD62by4N.exe	35%	Virustotal		Browse
iDaD62by4N.exe	55%	ReversingLabs	Win64.Backdoor.Meterpreter
iDaD62by4N.exe	100%	Avira	HEUR/AGEN.1318399

Source	Detection	Scanner	Label	Link
43.136.177.76	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
43.136.177.76	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
43.136.177.76	unknown	Japan		4249	LILLY-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583296
Start date and time:	2025-01-02 11:56:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	iDaD62by4N.exe renamed because original name is a hash value
Original Sample Name:	da566ba3ba5c66a305a19f2695b6f638.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@2/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 318
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LILLY-ASUS	Hilix.sh4.elf	Get hash	malicious	Mirai	Browse	43.147.184.0
	armv5l.elf	Get hash	malicious	Unknown	Browse	40.201.14.36
	armv7l.elf	Get hash	malicious	Unknown	Browse	40.216.153.85
	armv4l.elf	Get hash	malicious	Unknown	Browse	43.68.215.233
	armv6l.elf	Get hash	malicious	Unknown	Browse	40.157.226.86
	01012025.html	Get hash	malicious	HTMLPhisher	Browse	43.152.64.207
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	43.70.37.252
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	43.1.228.236
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	43.58.148.3
	http://usps.com-trackaddn.top/l	Get hash	malicious	Unknown	Browse	43.153.71.154

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\iDaD62by4N.exe
File Type:	data
Category:	dropped
Size (bytes):	47
Entropy (8bit):	1.168829563685559
Encrypted:	false
SSDEEP:	3:/lSll2DQi:AoMi
MD5:	DAB633BEBCCE13575989DCFA4E2203D6
SHA1:	33186D50F04C5B5196C1FCC1FAD17894B35AC6C7
SHA-256:	1C00FBA1B82CD386E866547F33E1526B03F59E577449792D99C882DEF05A1D17
SHA-512:	EDDBB22D9FC6065B8F5376EC95E316E7569530EFAA9EA9BC641881D763B91084DCCC05BC793E8E29131D20946392A31BD943E8FC632D91EE13ABA7B0CD1C626F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.266159713204113
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	iDaD62by4N.exe
File size:	130'560 bytes
MD5:	da566ba3ba5c66a305a19f2695b6f638
SHA1:	b2aeef0bd25408585f26779271a025a77a825e25
SHA256:	0171b83f8a99eb2b3c2e06077c692cba3c17fd697535676d356c7db679abc976
SHA512:	b7b942d5e481c607af64128cfa21a8fff45e145c9b985f2fc75096f55c9d0567d953a0e53c6e20bcb97fcdc172e470e5a3b431079c94c37b243b13485be78438
SSDEEP:	1536:aggOxyGHTvy1FJ0SnAFYmVKfIGvPV5UQzKhlC4GYOZFsUQpBZA0iANaVgUHniMBh:aZOsuYFJ0SAFYmcfX5ECrv7sUAxiMC
TLSH:	E6D36C237651E1ECC40AC07882564AB2A772F4D91B31ABEF17D442383E6DEE55F3C698
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........-...Lo..Lo..Lo..4...Lo...n..Lo...l..Lo...k..Lo...j..Lo..9n..Lo..Ln.tLo..Lo..Lo.G.m..Lo.Rich.Lo.................PE..d.....og...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400156a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676FD595 [Sat Dec 28 10:40:21 2024 UTC]
TLS Callbacks:	0x400098b0, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d7998d62e33e6d63fb8500b41aad05e4

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FC1287D2B08h
dec eax
add esp, 28h
jmp 00007FC1287D2697h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
sub esp, 10h
dec esp
mov dword ptr [esp], edx
dec esp
mov dword ptr [esp+08h], ebx
dec ebp
xor ebx, ebx
dec esp
lea edx, dword ptr [esp+18h]
dec esp
sub edx, eax
dec ebp
cmovb edx, ebx
dec esp
mov ebx, dword ptr [00000010h]
dec ebp
cmp edx, ebx
jnc 00007FC1287D2838h
inc cx
and edx, 8D4DF000h
wait
add al, dh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f2ac	0xc8	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x21000	0x1128	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x23000	0x2b4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1c4d0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1c580	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c390	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x18000	0x2c0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x162af	0x16400	a5cd393d96d88970e60ed50b5eb43ef6	False	0.5357707162921348	data	6.371944244713758	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x18000	0x7d46	0x7e00	327b0a04575c5b5218328c6954a08657	False	0.3939422123015873	data	5.3032993600140665	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x20000	0x2f0	0x200	8671c6fb755911e93d0a86270a9cb6da	False	0.224609375	data	1.5524319039400882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x21000	0x1128	0x1200	422f8470a8cd8b28c9a852d9c1c87987	False	0.4774305555555556	data	4.918853406781578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x23000	0x2b4	0x400	4ad2e6c5bbecd8ead1a7dd0ce148f99a	False	0.5029296875	data	4.2976888503280195	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
api-ms-win-core-synch-l1-2-0.dll	WaitOnAddress, WakeByAddressAll, WakeByAddressSingle
kernel32.dll	GetCurrentProcess, GetStdHandle, GetCurrentProcessId, UnhandledExceptionFilter, HeapFree, HeapReAlloc, lstrlenW, ReleaseMutex, GetEnvironmentVariableW, GetConsoleMode, GetCurrentDirectoryW, IsDebuggerPresent, RtlVirtualUnwind, GetModuleHandleW, MultiByteToWideChar, WriteConsoleW, WideCharToMultiByte, GetModuleHandleA, GetProcAddress, GetProcessHeap, HeapAlloc, RtlLookupFunctionEntry, RtlCaptureContext, InitializeSListHead, WaitForSingleObjectEx, LoadLibraryA, CreateMutexA, QueryPerformanceCounter, GetCurrentThread, SetThreadStackGuarantee, AddVectoredExceptionHandler, GetLastError, CloseHandle, SetUnhandledExceptionFilter, GetSystemTimeAsFileTime, WaitForSingleObject, CreateThread, VirtualAlloc, SetLastError, GetCurrentThreadId, IsProcessorFeaturePresent
ntdll.dll	RtlNtStatusToDosError, NtWriteFile
VCRUNTIME140.dll	memcpy, memset, memcmp, _CxxThrowException, __C_specific_handler, __current_exception, __CxxFrameHandler3, memmove, __current_exception_context
api-ms-win-crt-runtime-l1-1-0.dll	exit, _exit, __p___argc, __p___argv, _cexit, _c_exit, _register_thread_local_exe_atexit_callback, _set_app_type, _configure_narrow_argv, _get_initial_narrow_environment, _initialize_onexit_table, _register_onexit_function, _crt_atexit, terminate, _initialize_narrow_environment, _initterm, _seh_filter_exe, _initterm_e
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr
api-ms-win-crt-stdio-l1-1-0.dll	_set_fmode, __p__commode
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T11:56:57.566564+0100	2851878	ETPRO MALWARE Cobalt Strike Stager Payload	1	43.136.177.76	6666	192.168.2.5	49704	TCP
2025-01-02T11:56:57.566718+0100	2851878	ETPRO MALWARE Cobalt Strike Stager Payload	1	43.136.177.76	6666	192.168.2.5	49704	TCP
2025-01-02T11:56:58.572624+0100	2025644	ET MALWARE Possible Metasploit Payload Common Construct Bind_API (from server)	1	43.136.177.76	6666	192.168.2.5	49704	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 11:56:56.591957092 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:56.596892118 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:56.596962929 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.566106081 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566564083 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566600084 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566612959 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566670895 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.566680908 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566693068 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566704035 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566710949 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.566718102 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566729069 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.566764116 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.566831112 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566843033 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.566879988 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.571574926 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.571598053 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.571608067 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.571666002 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.817804098 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.817825079 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.817836046 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.817853928 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.817867041 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.817915916 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.817926884 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.817955017 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.818000078 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.818011045 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.818023920 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.818064928 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.818599939 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.818613052 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.818624020 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.818636894 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.818646908 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.818655014 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.818660021 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.818676949 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.818687916 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.819516897 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.819571018 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.819583893 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.819628000 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.819659948 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.819672108 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.819683075 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.819701910 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.820414066 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.820432901 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.820488930 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.822771072 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.824243069 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:57.906233072 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.906250954 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:57.906338930 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.068486929 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068504095 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068526030 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068537951 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068550110 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068574905 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.068609953 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.068720102 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068756104 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.068758011 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068772078 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068809032 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.068943977 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068985939 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.068996906 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069032907 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.069116116 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069128036 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069152117 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.069489002 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069502115 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069514036 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069535017 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.069550037 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.069556952 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069569111 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069581032 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069591999 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069602013 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.069633961 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.069772005 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069783926 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.069818020 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.070327997 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.070358992 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.070370913 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.070405960 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.070524931 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.070538044 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.070549965 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.070561886 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.070571899 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.070604086 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.070628881 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.070641994 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.070672035 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.071273088 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.071309090 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.071326971 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.071357965 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.071378946 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.071424007 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.071434975 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.071446896 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.071468115 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.071589947 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.071602106 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.071614027 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.071635962 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.071662903 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.072287083 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.072299957 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.072312117 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.072346926 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.072367907 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.072380066 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.072391033 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.072407961 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.072411060 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.072427988 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.072468042 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.072515011 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.157102108 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.157135963 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.157212019 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.319508076 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319546938 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319559097 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319591999 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319603920 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319616079 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319673061 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.319694996 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319709063 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319709063 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.319757938 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319760084 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.319817066 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319832087 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319866896 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.319900036 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319911003 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319922924 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.319941044 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.319953918 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.320122957 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320173979 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320190907 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320214033 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.320269108 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320282936 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320295095 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320331097 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.320609093 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320625067 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320636988 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320661068 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.320744038 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320756912 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320768118 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320779085 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.320780039 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320800066 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.320838928 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320849895 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.320884943 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.321157932 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321204901 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321216106 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321237087 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.321249962 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.321333885 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321345091 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321361065 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321376085 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321382046 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.321404934 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.321511984 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321523905 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321535110 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321546078 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321556091 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.321557999 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321573019 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.321582079 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.321616888 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.322088003 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322128057 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322139978 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322160959 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.322295904 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322308064 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322318077 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322329998 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322345018 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.322489023 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322499990 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322511911 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322523117 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322531939 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.322535038 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322546959 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.322556019 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.322577000 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.323041916 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323087931 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323098898 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323184013 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323194027 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323209047 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323261023 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.323328018 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323338985 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323350906 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323362112 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323374033 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323378086 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.323386908 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323396921 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.323415995 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.323551893 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.323589087 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.324059963 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324070930 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324081898 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324112892 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.324134111 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324145079 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324156046 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324167013 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324181080 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.324274063 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324285984 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324297905 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.324318886 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.324342012 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.324738026 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.408047915 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408071995 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408083916 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408093929 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408104897 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408117056 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408150911 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408195972 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408207893 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408211946 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.408227921 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408238888 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.408277035 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.408282042 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408293009 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408322096 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.408359051 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408458948 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408471107 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408488035 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408493996 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.408505917 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408521891 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.408541918 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408555031 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.408572912 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.458909035 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.570489883 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570508957 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570528984 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570539951 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570552111 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570553064 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.570564032 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570590019 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.570602894 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570615053 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.570637941 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570652008 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570676088 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.570707083 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570719004 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570744038 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.570751905 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570790052 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.570799112 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570827961 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570838928 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570863962 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.570928097 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570940018 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.570975065 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.570979118 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571013927 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571046114 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571058035 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571101904 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571139097 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571151018 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571161985 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571173906 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571181059 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571224928 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571347952 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571361065 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571372986 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571384907 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571394920 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571398020 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571410894 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571420908 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571449041 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571548939 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571561098 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571573973 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571599007 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571619034 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571630955 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571643114 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571661949 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571674109 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571677923 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571686983 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571696043 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571716070 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571885109 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571897030 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571913004 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571923018 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.571923971 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.571950912 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572043896 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572053909 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572066069 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572084904 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572113037 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572113991 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572127104 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572168112 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572243929 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572257996 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572268009 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572297096 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572361946 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572374105 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572386026 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572397947 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572397947 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572424889 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572623968 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572634935 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572645903 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572657108 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572659016 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572669029 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572669983 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572681904 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572693110 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572705984 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572717905 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572742939 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.572906971 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572920084 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572932005 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572941065 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.572948933 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.573262930 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.575391054 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.575402975 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.575450897 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.575457096 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.575463057 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:58.575499058 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.818331003 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:58.823275089 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:59.187602997 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:59.240165949 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:59.240331888 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:59.245101929 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:59.687720060 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:56:59.740149975 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:59.755888939 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:56:59.761712074 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264695883 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264723063 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264734030 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264745951 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264796972 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264806032 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.264810085 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264861107 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.264873981 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264942884 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264955044 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264966011 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.264978886 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.264981031 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265017986 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265043020 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265084982 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265110016 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265121937 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265158892 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265167952 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265189886 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265213966 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265223980 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265228033 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265266895 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265305042 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265316963 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265364885 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265396118 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265408039 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265418053 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265449047 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265553951 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265564919 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265575886 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265592098 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265598059 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265613079 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265700102 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265712023 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265722990 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265733004 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265744925 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265747070 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265774012 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265789032 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265855074 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265866041 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265878916 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.265902042 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.265990973 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266002893 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266016006 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266031027 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266042948 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266128063 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266139030 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266149998 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266184092 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266189098 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266202927 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266213894 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266225100 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266226053 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266248941 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266443014 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266455889 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266467094 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266478062 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266482115 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266489983 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266495943 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266535044 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266558886 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266576052 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266587019 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266597033 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266613007 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266650915 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266674995 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266899109 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266910076 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266920090 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266931057 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266936064 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266943932 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266954899 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266963005 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266967058 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266979933 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266988993 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.266992092 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.266999006 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267005920 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267016888 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267025948 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267033100 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267045975 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267052889 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267056942 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267069101 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267081022 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267087936 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267102003 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267431021 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267441988 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267453909 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267468929 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267493963 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267570972 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267582893 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267592907 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267611980 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267622948 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267623901 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267633915 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267642021 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267646074 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267657042 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267673016 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267673969 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267687082 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267687082 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267709970 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267723083 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267728090 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267735004 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267750978 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267761946 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267765999 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267774105 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267786026 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267796040 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267798901 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267811060 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267812014 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267826080 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.267838955 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.267858028 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268409967 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268421888 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268433094 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268444061 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268454075 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268466949 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268467903 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268491983 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268517017 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268538952 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268552065 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268587112 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268690109 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268702030 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268712997 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268723965 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268733978 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268735886 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268744946 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268755913 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268760920 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268768072 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268769026 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268779993 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268793106 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268801928 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268804073 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268816948 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268827915 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.268836975 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.268862963 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.269177914 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.269190073 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.269212008 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.318247080 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.353351116 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.353382111 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.353394985 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.353401899 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.353533030 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.358145952 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.358160019 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.358202934 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.358355045 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.358367920 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.358432055 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.362829924 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.362843037 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.362878084 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.363090038 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.363102913 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.363154888 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.369422913 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.369438887 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.369452953 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.369465113 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.369476080 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.369484901 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.369489908 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.369524956 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.369537115 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.374614954 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.374629021 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.374640942 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.374670982 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.374758005 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.374794006 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.379781961 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.379796028 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.379847050 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.380088091 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.380103111 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.380167961 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.384917021 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.384931087 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.384942055 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.384973049 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.385231972 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.385243893 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.385281086 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.390194893 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.390206099 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.390260935 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.443813086 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.449223995 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.449240923 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.888530970 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:00.943289995 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.943949938 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:00.948817015 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:01.387274027 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:01.427620888 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:01.447990894 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:01.455307007 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:01.887367964 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:01.927635908 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:01.943327904 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:01.948157072 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:02.388165951 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:02.443274975 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:02.443568945 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:02.448379040 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:02.789607048 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:02.833957911 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:02.849673033 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:02.856937885 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:02.856956005 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:03.492496014 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:03.537014961 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:03.552798986 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:03.557661057 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049640894 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049662113 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049673080 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049685955 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049701929 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049710989 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049729109 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049732924 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.049778938 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049782038 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.049793005 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049806118 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049818993 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049820900 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.049854994 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.049911976 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049926043 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.049949884 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050017118 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050028086 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050041914 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050051928 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050062895 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050064087 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050082922 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050116062 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050147057 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050158024 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050168991 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050203085 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050234079 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050246000 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050256968 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050271988 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050303936 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050426006 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050438881 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050451994 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050462961 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050473928 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050478935 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050487041 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050503016 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050528049 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050678015 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050689936 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050702095 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050712109 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050724030 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050739050 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050769091 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050827980 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050841093 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050853014 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050864935 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050869942 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050878048 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050893068 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050920010 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.050971031 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.050987005 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051018000 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051026106 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051038027 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051050901 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051062107 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051073074 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051079035 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051090956 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051363945 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051376104 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051387072 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051398993 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051404953 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051415920 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051425934 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051429033 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051441908 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051451921 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051489115 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051510096 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051659107 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051675081 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051686049 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051696062 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051697016 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051707029 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051717997 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051719904 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051729918 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051740885 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051747084 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051753044 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051764011 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051767111 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051778078 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:57:04.051790953 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.051817894 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.099553108 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:57:04.104310989 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:58:04.779268980 CET	6666	49704	43.136.177.76	192.168.2.5
Jan 2, 2025 11:58:04.833904982 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:58:04.834683895 CET	49704	6666	192.168.2.5	43.136.177.76
Jan 2, 2025 11:58:04.839565992 CET	6666	49704	43.136.177.76	192.168.2.5

Target ID:	0
Start time:	05:56:55
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\iDaD62by4N.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\iDaD62by4N.exe"
Imagebase:	0x7ff6ef710000
File size:	130'560 bytes
MD5 hash:	DA566BA3BA5C66A305A19F2695B6F638
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000000.2025069939.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: JoeSecurity_MetasploitPayload_3, Description: Yara detected Metasploit Payload, Source: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_91bc5d7d, Description: unknown, Source: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_Meterpreter, Description: Detects Meterpreter payload, Source: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Meterpreter, Description: Yara detected Meterpreter, Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_38b8ceec, Description: Identifies the API address lookup function used by metasploit. Also used by other tools (like beacon)., Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: MALWARE_Win_Meterpreter, Description: Detects Meterpreter payload, Source: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	05:56:55
Start date:	02/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	90.8%
Signature Coverage:	22.3%
Total number of Nodes:	676
Total number of Limit Nodes:	53

Executed Functions

Function 0000022DA54515C0 Relevance: 54.4, APIs: 22, Strings: 9, Instructions: 196
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32 ref: 0000022DA545162D
GetLastError.KERNEL32 ref: 0000022DA5451637
LoadLibraryA.KERNEL32 ref: 0000022DA5451680
GetProcAddress.KERNEL32 ref: 0000022DA5451698
GetProcAddress.KERNEL32 ref: 0000022DA54516AB
GetNativeSystemInfo.KERNEL32 ref: 0000022DA54516BB
GetProcAddress.KERNEL32 ref: 0000022DA545171C
GetLocaleInfoA.KERNEL32 ref: 0000022DA5451744
malloc.LIBCMT ref: 0000022DA5451754
GetLocaleInfoA.KERNEL32 ref: 0000022DA5451769
GetLocaleInfoA.KERNEL32 ref: 0000022DA545177B
malloc.LIBCMT ref: 0000022DA545178B
GetLocaleInfoA.KERNEL32 ref: 0000022DA54517A0
_snprintf.LIBCMT ref: 0000022DA54517D1

Strings

Unknown, xrefs: 0000022DA54517D8
IA64, xrefs: 0000022DA54516D9
x64, xrefs: 0000022DA54516D0
%s_%s, xrefs: 0000022DA54517B8
GetSystemDefaultLangID, xrefs: 0000022DA5451704
IsWow64Process, xrefs: 0000022DA545169E
x86, xrefs: 0000022DA54516E2
GetNativeSystemInfo, xrefs: 0000022DA545168E
kernel32.dll, xrefs: 0000022DA5451679

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Info$Locale$AddressProc$malloc$ComputerErrorLastLibraryLoadNameNativeSystem_snprintf
String ID: %s_%s$GetNativeSystemInfo$GetSystemDefaultLangID$IA64$IsWow64Process$Unknown$kernel32.dll$x64$x86
API String ID: 3227938556-198457881
Opcode ID: 8111a1cd46e082fb863d9515a28ab07058479b3937ed7e79029cc579077c90ed
Instruction ID: f0d4e664d333e243686b8d987ebc4a41b832e0113e66be7ed5c03f27ea894941
Opcode Fuzzy Hash: 8111a1cd46e082fb863d9515a28ab07058479b3937ed7e79029cc579077c90ed
Instruction Fuzzy Hash: 0F91A271B14B81A2EB649FA2E85CBAE63A0F785F80F445026DE4B63B55DFBCC845C740

Function 0000022DA381AC84 Relevance: 33.3, APIs: 22, Instructions: 268
encryptionCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memcpy_s.LIBCMT ref: 0000022DA381ACF0
CryptDuplicateKey.ADVAPI32 ref: 0000022DA381AD66
GetLastError.KERNEL32 ref: 0000022DA381AD70
CryptSetKeyParam.ADVAPI32 ref: 0000022DA381AD9F
GetLastError.KERNEL32 ref: 0000022DA381ADA9
CryptGenRandom.ADVAPI32 ref: 0000022DA381ADDD
GetLastError.KERNEL32 ref: 0000022DA381ADE7
CryptSetKeyParam.ADVAPI32 ref: 0000022DA381AE12
GetLastError.KERNEL32 ref: 0000022DA381AE1C
htonl.WS2_32 ref: 0000022DA381AE3C
malloc.LIBCMT ref: 0000022DA381AE7C
memcpy_s.LIBCMT ref: 0000022DA381AEF9
CryptEncrypt.ADVAPI32 ref: 0000022DA381AF2D
GetLastError.KERNEL32 ref: 0000022DA381AF37
htonl.WS2_32 ref: 0000022DA381AF5F
memcpy_s.LIBCMT ref: 0000022DA381AFA3
memcpy_s.LIBCMT ref: 0000022DA381AFC0
malloc.LIBCMT ref: 0000022DA381B02C
htonl.WS2_32 ref: 0000022DA381B05F
memcpy_s.LIBCMT ref: 0000022DA381B08B
memcpy_s.LIBCMT ref: 0000022DA381B0BF
CryptDestroyKey.ADVAPI32 ref: 0000022DA381B120

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Cryptmemcpy_s$ErrorLast$htonl$Parammalloc$DestroyDuplicateEncryptRandom
String ID:
API String ID: 1759111721-0
Opcode ID: a75b7c051405bc9eb1c4e5d7ea12c36d8c149e7536beefc64b17913c920497d5
Instruction ID: 58cb89d076fe17246c8dc804ce3237911e4f8a8e11a1348ff409d89bf85c2066
Opcode Fuzzy Hash: a75b7c051405bc9eb1c4e5d7ea12c36d8c149e7536beefc64b17913c920497d5
Instruction Fuzzy Hash: 39D1EE76305B8597EBA0CB7AE454B9A77A6F7C8B84F104025DA8D87BA4EF3DC445CB00

Function 0000022DA381B564 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 204
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptDecodeObjectEx.CRYPT32 ref: 0000022DA381B613
GetLastError.KERNEL32 ref: 0000022DA381B61D
CryptAcquireContextW.ADVAPI32 ref: 0000022DA381B654
CryptAcquireContextW.ADVAPI32 ref: 0000022DA381B680
GetLastError.KERNEL32 ref: 0000022DA381B68A
free.LIBCMT ref: 0000022DA381B87A
LocalFree.KERNEL32 ref: 0000022DA381B88C
CryptDestroyKey.ADVAPI32 ref: 0000022DA381B89F
CryptReleaseContext.ADVAPI32 ref: 0000022DA381B8B4

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 0000022DA381B646, 0000022DA381B672

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireErrorLast$DecodeDestroyFreeLocalObjectReleasefree
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 3855991727-1948191093
Opcode ID: 25341dd9ab4916a9fef7560b0812b7934bf005980a32c3f591df03194d9d2cfe
Instruction ID: 52e1cd6adf1282db1f75d91df53ee6123eecfedfb0b260547a3681b618cd671a
Opcode Fuzzy Hash: 25341dd9ab4916a9fef7560b0812b7934bf005980a32c3f591df03194d9d2cfe
Instruction Fuzzy Hash: 0DA1EC36218B819BE7A1CFB5E458B5AB7A2F799784F104025EA8D87B98DF7DC444CB00

Function 0000022DA3821AA4 Relevance: 27.3, APIs: 18, Instructions: 288
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000022DA38281F0: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818FD8), ref: 0000022DA382820E

recv.WS2_32 ref: 0000022DA3821B58
SetLastError.KERNEL32 ref: 0000022DA3821B6E
recv.WS2_32 ref: 0000022DA3821C42
GetLastError.KERNEL32 ref: 0000022DA3821C53
SetLastError.KERNEL32 ref: 0000022DA3821C67
SetLastError.KERNEL32 ref: 0000022DA3821C92
GetLastError.KERNEL32 ref: 0000022DA3821EDB
free.LIBCMT ref: 0000022DA3821EF8
free.LIBCMT ref: 0000022DA3821F1A

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$freerecv$ObjectSingleWait
String ID:
API String ID: 3522290020-0
Opcode ID: acf328f902c2231a029c33d227560589bb3e942cb677ce90cad7a3e78b4fb588
Instruction ID: ff2de2011eb8cd9f3107703b6febb1d3e10e8a8fe51a51a96fe17c5b3e1b4127
Opcode Fuzzy Hash: acf328f902c2231a029c33d227560589bb3e942cb677ce90cad7a3e78b4fb588
Instruction Fuzzy Hash: 91D1333621868197EBF0DBF5E458B5AB7E2F788744F600125EA9D8BB94EB7CC444CB01

Function 0000022DA381B138 Relevance: 12.2, APIs: 8, Instructions: 183
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.LIBCMT ref: 0000022DA381B189

Part of subcall function 0000022DA381B4A4: CryptDestroyKey.ADVAPI32 ref: 0000022DA381B4F7
Part of subcall function 0000022DA381B4A4: CryptReleaseContext.ADVAPI32 ref: 0000022DA381B526
Part of subcall function 0000022DA381B4A4: free.LIBCMT ref: 0000022DA381B53E

CryptAcquireContextW.ADVAPI32 ref: 0000022DA381B24E
GetLastError.KERNEL32 ref: 0000022DA381B258
CryptGenRandom.ADVAPI32 ref: 0000022DA381B2DD
GetLastError.KERNEL32 ref: 0000022DA381B2E7
CryptImportKey.ADVAPI32 ref: 0000022DA381B32F
GetLastError.KERNEL32 ref: 0000022DA381B339

Part of subcall function 0000022DA381B564: free.LIBCMT ref: 0000022DA381B87A
Part of subcall function 0000022DA381B564: LocalFree.KERNEL32 ref: 0000022DA381B88C
Part of subcall function 0000022DA381B564: CryptDestroyKey.ADVAPI32 ref: 0000022DA381B89F
Part of subcall function 0000022DA381B564: CryptReleaseContext.ADVAPI32 ref: 0000022DA381B8B4

Part of subcall function 0000022DA3816AC4: htonl.WS2_32 ref: 0000022DA3816ADA

free.LIBCMT ref: 0000022DA381B414

Part of subcall function 0000022DA3837A38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A4E
Part of subcall function 0000022DA3837A38: _errno.LIBCMT ref: 0000022DA3837A58
Part of subcall function 0000022DA3837A38: GetLastError.KERNEL32(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A60

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Crypt$ErrorLast$Contextfree$DestroyFreeRelease$AcquireHeapImportLocalRandom_errnocallochtonl
String ID:
API String ID: 475133736-0
Opcode ID: 67210c864a26012c287a4a9d3c8f6c7ae83e5f63248235b38604e0fb7900b0bc
Instruction ID: 528040cb19447b7b581b325c80e4b3ed2bab32614ac438ae2bcfa035c5a0962c
Opcode Fuzzy Hash: 67210c864a26012c287a4a9d3c8f6c7ae83e5f63248235b38604e0fb7900b0bc
Instruction Fuzzy Hash: A9912272218B8497D7D0CF65E48875EB7A1F7C5B84F505026EA8E8BBA8DF79C444CB40

Function 0000022DA381B69F Relevance: 9.0, APIs: 6, Instructions: 37
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptImportPublicKeyInfo.CRYPT32 ref: 0000022DA381B6C3
GetLastError.KERNEL32 ref: 0000022DA381B6CD
CryptEncrypt.ADVAPI32 ref: 0000022DA381B718
calloc.LIBCMT ref: 0000022DA381B72F
free.LIBCMT ref: 0000022DA381B87A
LocalFree.KERNEL32 ref: 0000022DA381B88C
CryptDestroyKey.ADVAPI32 ref: 0000022DA381B89F
CryptReleaseContext.ADVAPI32 ref: 0000022DA381B8B4

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Crypt$ContextDestroyEncryptErrorFreeImportInfoLastLocalPublicReleasecallocfree
String ID:
API String ID: 738811349-0
Opcode ID: e652d24782238043bbe866c50f51af785cf56a49aa1208cf5e8511848bee3867
Instruction ID: e18ea67df8d48e191dd0ab2c29e8f8077bf1bbca085f124fd376104fc7f7f250
Opcode Fuzzy Hash: e652d24782238043bbe866c50f51af785cf56a49aa1208cf5e8511848bee3867
Instruction Fuzzy Hash: E511E131114A8093FBA1DFB6E44CB6AA3A3F7D4B84F140015E68D8A9E4DFBDD884CB01

Function 0000022DA37C9540 Relevance: 3.4, APIs: 2, Instructions: 449libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA37C98B6
__CxxFrameHandler2.LIBCMTD ref: 0000022DA37C9B6F

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: FrameHandler2LibraryLoad
String ID:
API String ID: 2889079456-0
Opcode ID: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
Instruction ID: 22b3e5ed5ad8ef0b318df876027188c1fde3e31564a9dc64010260ef454559d6
Opcode Fuzzy Hash: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
Instruction Fuzzy Hash: DE126976701B40EBEB94CFA8D554BAD73E6FB05B88F104129DE4D6BB98DA38D825C700

Function 0000022DA37C91B8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0488918e477ea9ec4ac75411c96640c13bad580037342a82218a97c9fccc6dbf
Instruction ID: 80084a039045b846408e988c147485502471a12251a070a633af0842013cad4d
Opcode Fuzzy Hash: 0488918e477ea9ec4ac75411c96640c13bad580037342a82218a97c9fccc6dbf
Instruction Fuzzy Hash: A0F07FB6918B84CAC650DF59F48054ABBA4F399790F104216FBC883B28DB38C1608F40

Function 0000022DA37C9214 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc97c1b0fb8047c19bd44717af16640348f0f9ccd159b667f01d249c86242596
Instruction ID: f661125855e145eb190ec58edf8b536c99c7eeacea23703f897084735e379cc5
Opcode Fuzzy Hash: cc97c1b0fb8047c19bd44717af16640348f0f9ccd159b667f01d249c86242596
Instruction Fuzzy Hash: D9E0487A908B8486C650DB59F48054ABBA4F39A7A4F60451AEBCC43B29DB78C264CF40

Function 0000022DA5447BA0 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 231
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA5447BD6
GetProcAddress.KERNEL32 ref: 0000022DA5447BE6
malloc.LIBCMT ref: 0000022DA5447C03

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

GetLastError.KERNEL32 ref: 0000022DA5447C31
free.LIBCMT ref: 0000022DA5447F5E

Strings

GetIpForwardTable2, xrefs: 0000022DA5447DC0
FreeMibTable, xrefs: 0000022DA5447BDC
Iphlpapi.dll, xrefs: 0000022DA5447BCA, 0000022DA5447D52

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _errno$AddressAllocErrorHandleHeapLastModuleProc_callnewhfreemalloc
String ID: FreeMibTable$GetIpForwardTable2$Iphlpapi.dll
API String ID: 2660982488-3103947123
Opcode ID: f2a5fece0d8b451c81201d33b0cbf850d43ab4d2e023ba59bb4abebf69cc3bb0
Instruction ID: fe35459ad0c8cdce4325ae63f3518dce190974d2d06e2196a0df04c5545be6eb
Opcode Fuzzy Hash: f2a5fece0d8b451c81201d33b0cbf850d43ab4d2e023ba59bb4abebf69cc3bb0
Instruction Fuzzy Hash: 6CB16D72A05B809AE710CFA0E88479E77F4F388798F504229DB9D67B58DF78C546CB40

Function 0000022DA54478C0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 171
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA54478E7
GetProcAddress.KERNEL32 ref: 0000022DA54478F7
GetAdaptersAddresses.IPHLPAPI ref: 0000022DA544793E
malloc.LIBCMT ref: 0000022DA5447947

Part of subcall function 0000022DA54476C0: malloc.LIBCMT ref: 0000022DA54476DE

Strings

iphlpapi, xrefs: 0000022DA54478D4
GetAdaptersAddresses, xrefs: 0000022DA54478ED

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: malloc$AdaptersAddressAddressesHandleModuleProc
String ID: GetAdaptersAddresses$iphlpapi
API String ID: 4282841641-4067604246
Opcode ID: 8f434f50ffee5d0e5a9aa5839f26dcac3c0680ab3b8d4468273f56d4ab3e5913
Instruction ID: 9c4637a032892560d4a35670b0f751be5e08cbf9404c69fa23b330c4c3fdb946
Opcode Fuzzy Hash: 8f434f50ffee5d0e5a9aa5839f26dcac3c0680ab3b8d4468273f56d4ab3e5913
Instruction Fuzzy Hash: AF71AD76A05B94E3EB648B92E408FAE3370F789B94F404416CE4A67B54EFB8C546CB00

Function 0000022DA36700D6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124
networklibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA3670108
WSASocketA.WS2_32(00000000,00000000), ref: 0000022DA3670139
connect.WS2_32 ref: 0000022DA367014E
recv.WS2_32 ref: 0000022DA3670177
VirtualAlloc.KERNEL32 ref: 0000022DA3670197
recv.WS2_32 ref: 0000022DA36701B1

Strings

ws2_, xrefs: 0000022DA36700D8

Memory Dump Source

Source File: 00000000.00000002.3274357378.0000022DA3670000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA3670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3670000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: recv$AllocLibraryLoadSocketVirtualconnect
String ID: ws2_
API String ID: 2782296289-2545912100
Opcode ID: 1eff5d08a82a5ca81e1e332a23f882c81ad6b54b5f6841b1c7ae4de356901e35
Instruction ID: 98cccc46596f7d1244ca9acfd96f4fc6a3b9a0a3bf9babb84674ade29852f59e
Opcode Fuzzy Hash: 1eff5d08a82a5ca81e1e332a23f882c81ad6b54b5f6841b1c7ae4de356901e35
Instruction Fuzzy Hash: 2921FF3175CD5C0BE21C71AC380F63676C6C799766B25816FE94EC72DAEC908C82018A

Function 00007FF6EF725524 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6EF72554D
__scrt_release_startup_lock.LIBCMT ref: 00007FF6EF7255BB
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6EF725609
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6EF72560E
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6EF725616
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6EF72561E
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6EF725640
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF6EF72569A

Memory Dump Source

Source File: 00000000.00000002.3274803182.00007FF6EF711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF710000, based on PE: true

Associated: 00000000.00000002.3274791073.00007FF6EF710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274835833.00007FF6EF730000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274847356.00007FF6EF731000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef710000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1133592946-0
Opcode ID: a77b8d06c39953ec2f905393d1e87070c28b5c3a114c2bc481b25ed10bb50813
Instruction ID: 66cc5c28319e02d6335487ee8171a30a3a767e2b459f660ba93b66ef6107079a
Opcode Fuzzy Hash: a77b8d06c39953ec2f905393d1e87070c28b5c3a114c2bc481b25ed10bb50813
Instruction Fuzzy Hash: 9C313FABA1C10383FE50AB61B4557B91352AF84784F444439E60DC72D7EE7FE864860B

Function 0000022DA5452460 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000022DA54523C0: GetCurrentThread.KERNEL32 ref: 0000022DA54523D7
Part of subcall function 0000022DA54523C0: OpenThreadToken.ADVAPI32 ref: 0000022DA54523EC
Part of subcall function 0000022DA54523C0: GetCurrentProcess.KERNEL32 ref: 0000022DA54523F6
Part of subcall function 0000022DA54523C0: OpenProcessToken.ADVAPI32 ref: 0000022DA5452409
Part of subcall function 0000022DA54523C0: GetLastError.KERNEL32 ref: 0000022DA5452413

LookupAccountSidW.ADVAPI32 ref: 0000022DA545252A
GetLastError.KERNEL32 ref: 0000022DA5452534
_snprintf.LIBCMT ref: 0000022DA545259C
free.LIBCMT ref: 0000022DA54525A4
free.LIBCMT ref: 0000022DA54525AC

Strings

%s\%s, xrefs: 0000022DA5452580

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: CurrentErrorLastOpenProcessThreadTokenfree$AccountLookup_snprintf
String ID: %s\%s
API String ID: 240425499-4073750446
Opcode ID: 3bde376433857be3971c65d39a71eaedc432fe96cc2290403f52ff7102b1fa64
Instruction ID: 28ead4df3f190f16eb8a77611607e35e4cc8139d0d647f8eec5779b1ffb78847
Opcode Fuzzy Hash: 3bde376433857be3971c65d39a71eaedc432fe96cc2290403f52ff7102b1fa64
Instruction Fuzzy Hash: 54314172658AC591FB30DBA5F458BDA63A1F785784F400022E78D53B89DF7CC156CB40

Function 0000022DA54523C0 Relevance: 9.0, APIs: 6, Instructions: 40
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThread.KERNEL32 ref: 0000022DA54523D7
OpenThreadToken.ADVAPI32 ref: 0000022DA54523EC
GetCurrentProcess.KERNEL32 ref: 0000022DA54523F6
OpenProcessToken.ADVAPI32 ref: 0000022DA5452409
GetLastError.KERNEL32 ref: 0000022DA5452413
GetTokenInformation.KERNELBASE ref: 0000022DA545243E

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Token$CurrentOpenProcessThread$ErrorInformationLast
String ID:
API String ID: 632756016-0
Opcode ID: 8228bee465ae78f6f26b624ec4de8fd4440b32671b84e53bdd42698b240db5fa
Instruction ID: f192cd7cc653f9f143d269695fb0f5f3034e49d6482f0ffc95658b7df42913bb
Opcode Fuzzy Hash: 8228bee465ae78f6f26b624ec4de8fd4440b32671b84e53bdd42698b240db5fa
Instruction Fuzzy Hash: DA017531F08B8192EB408FD1F848B5AA3A0F785BD4F444066EE4963B65DFB8C4499B40

Function 00007FF6EF713000 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 169
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AddVectoredExceptionHandler.KERNEL32 ref: 00007FF6EF71302E
SetThreadStackGuarantee.KERNEL32 ref: 00007FF6EF71303F
GetCurrentThread.KERNEL32 ref: 00007FF6EF713045
SetThreadDescription.KERNELBASE ref: 00007FF6EF71305C

Strings

main, xrefs: 00007FF6EF713052

Memory Dump Source

Source File: 00000000.00000002.3274803182.00007FF6EF711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF710000, based on PE: true

Associated: 00000000.00000002.3274791073.00007FF6EF710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274835833.00007FF6EF730000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274847356.00007FF6EF731000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef710000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Thread$CurrentDescriptionExceptionGuaranteeHandlerStackVectored
String ID: main
API String ID: 3663057573-3207122276
Opcode ID: 386aaddc8df7cbd856297037b5197bfc094bcec0330ccf33105a57b1275b4e8c
Instruction ID: 7a361f07cf23b94364c58fa045a923ce231f53fb322e3727570c8e30b0e62f42
Opcode Fuzzy Hash: 386aaddc8df7cbd856297037b5197bfc094bcec0330ccf33105a57b1275b4e8c
Instruction Fuzzy Hash: 8D816C6BA04B4586EF40CF15E8903A937A0FB48B98F148235DE0D877A4DF7ED5A98345

Function 0000022DA3828514 Relevance: 6.1, APIs: 4, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 0000022DA3828549

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 9501c7bca73ed4046e31c18e84c64c0496150e5e6f9b36b3e1cf3515f7a5841b
Instruction ID: 30c93315d34d92dab3cfeb193dcb1f9c29251bc6457151d3c4c5a29f7123414e
Opcode Fuzzy Hash: 9501c7bca73ed4046e31c18e84c64c0496150e5e6f9b36b3e1cf3515f7a5841b
Instruction Fuzzy Hash: BA31EC32228B8496DBD0DFA5E488B1EB3A1F7C8B94F505515FA9E87B98CF78C154CB01

Function 00007FF6EF7113D0 Relevance: 4.6, APIs: 3, Instructions: 75
memorysynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6EF71141F
CreateThread.KERNEL32 ref: 00007FF6EF711529
WaitForSingleObject.KERNEL32 ref: 00007FF6EF71159F

Memory Dump Source

Source File: 00000000.00000002.3274803182.00007FF6EF711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF710000, based on PE: true

Associated: 00000000.00000002.3274791073.00007FF6EF710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274835833.00007FF6EF730000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274847356.00007FF6EF731000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef710000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AllocCreateObjectSingleThreadVirtualWait
String ID:
API String ID: 2947710671-0
Opcode ID: 21ece5bcbeed1b0d8a3d4cb93d0680a2f42f75bb03d1a6cd45e6baa7692b501c
Instruction ID: f458c70cc2e9c63e4e7b156e74de9b901069f598cec3493c3a5f006243cee5e0
Opcode Fuzzy Hash: 21ece5bcbeed1b0d8a3d4cb93d0680a2f42f75bb03d1a6cd45e6baa7692b501c
Instruction Fuzzy Hash: 99411976608B8282EB70CB50F4547AA73A4F785384F104136D68D87BA9DFBFC168CB45

Function 0000022DA382199C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA38281F0: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818FD8), ref: 0000022DA382820E

select.WS2_32 ref: 0000022DA3821A74

Strings

@, xrefs: 0000022DA3821A19

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ObjectSingleWaitselect
String ID: @
API String ID: 3730138947-2766056989
Opcode ID: 1c91baf0b57b28275dfa1c99b752d6f5bb87ae8bfb29e6ba5fe54b5b19bc8fad
Instruction ID: d3ddcb815e8ef3b50714b43c3f3e6f8283fb4dfe4f2afac0a1e587de048e808f
Opcode Fuzzy Hash: 1c91baf0b57b28275dfa1c99b752d6f5bb87ae8bfb29e6ba5fe54b5b19bc8fad
Instruction Fuzzy Hash: 8831DC76228680C7DB90DFA9E094B1AB7B1F3C8754F605116FA9A87B58DB79C440CF01

Function 0000022DA3822518 Relevance: 3.1, APIs: 2, Instructions: 60networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA38281F0: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818FD8), ref: 0000022DA382820E

send.WS2_32 ref: 0000022DA3822591
GetLastError.KERNEL32 ref: 0000022DA38225BC

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLastObjectSingleWaitsend
String ID:
API String ID: 2747804604-0
Opcode ID: 5e4c5a4aff60329793ad59ddffe2b076d7279dbeb181af91e4248e6049880ce3
Instruction ID: 8be1ba9bae4b0d522a2378eed7ddb3850373ac2295345d822f7ae7a32f00e343
Opcode Fuzzy Hash: 5e4c5a4aff60329793ad59ddffe2b076d7279dbeb181af91e4248e6049880ce3
Instruction Fuzzy Hash: 5421BA722086419BD7E0DFA9F55871AB7E1F78CB88F004225EA9D87B58DB38C940CF05

Function 0000022DA3819A30 Relevance: 3.1, APIs: 2, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 0000022DA3819A7C
VirtualProtect.KERNEL32 ref: 0000022DA3819ABA

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c6df24463a63d4a5d8d3adb4db90d2668296821455cb5ee62475043f914862e2
Instruction ID: baaab75eb47c7f6cda28840adde959eb2f1c281fc940b523f78b8f39685ee691
Opcode Fuzzy Hash: c6df24463a63d4a5d8d3adb4db90d2668296821455cb5ee62475043f914862e2
Instruction Fuzzy Hash: 6811C632314B5097EBA48BB1E00876AA7A2FBC9B90F284525DF494B7D8CF3DC905C780

Function 0000022DA382815C Relevance: 3.0, APIs: 2, Instructions: 19synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA3828165

Part of subcall function 0000022DA3837A78: _FF_MSGBANNER.LIBCMT ref: 0000022DA3837AA8
Part of subcall function 0000022DA3837A78: _NMSG_WRITE.LIBCMT ref: 0000022DA3837AB2
Part of subcall function 0000022DA3837A78: HeapAlloc.KERNEL32(?,?,00000000,0000022DA3840CB0,?,?,?,0000022DA3840F14,?,?,?,0000022DA3840E13), ref: 0000022DA3837ACD
Part of subcall function 0000022DA3837A78: _callnewh.LIBCMT ref: 0000022DA3837AE6
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AF1
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AFC

CreateMutexExW.KERNEL32 ref: 0000022DA3828190

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errno$AllocCreateHeapMutex_callnewhmalloc
String ID:
API String ID: 845756553-0
Opcode ID: 862c486525186581acc9f00f5c330525613c010192bdae0743fc55d89bfa3908
Instruction ID: a6ec61e6f388cda8450933b81accccea87da0f4b7810e08f6a9742c95acaea24
Opcode Fuzzy Hash: 862c486525186581acc9f00f5c330525613c010192bdae0743fc55d89bfa3908
Instruction Fuzzy Hash: 71E04836714A9083E7B4EB75E41971E6362F7C8748F508125AACD46BA5CF3DC2158F04

Function 0000022DA38282C8 Relevance: 2.5, APIs: 2, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA38113D7), ref: 0000022DA38282E5
free.LIBCMT ref: 0000022DA38282F0

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: CloseHandlefree
String ID:
API String ID: 3486141430-0
Opcode ID: da68d6a98acd5116d1b07bc87d55e8f4fb6029d08c1973d89e173bb50fa9fb78
Instruction ID: 0bea70a9763f6c0fcc298a11e3c6a46a90273132c3a3bcde685a2bd0dd6ebb45
Opcode Fuzzy Hash: da68d6a98acd5116d1b07bc87d55e8f4fb6029d08c1973d89e173bb50fa9fb78
Instruction Fuzzy Hash: 68E01235A34A80D3EF80ABB1D488B196361F3D8740F905011F95B46794CE2DC4558B01

Function 0000022DA38281B0 Relevance: 2.5, APIs: 2, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000022DA3828220: ReleaseMutex.KERNEL32 ref: 0000022DA3828239

CloseHandle.KERNEL32 ref: 0000022DA38281D3
free.LIBCMT ref: 0000022DA38281DE

Part of subcall function 0000022DA3837A38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A4E
Part of subcall function 0000022DA3837A38: _errno.LIBCMT ref: 0000022DA3837A58
Part of subcall function 0000022DA3837A38: GetLastError.KERNEL32(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A60

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: CloseErrorFreeHandleHeapLastMutexRelease_errnofree
String ID:
API String ID: 1340716177-0
Opcode ID: 4d84ca56601c928dea9da9dbfe6c40fb991b567295e3ac2ffd462ae2c5df7fc7
Instruction ID: dbe4d154a34e4117c0b0c23621732efca45a9fc8f7793d3e0f9ec6b64f1a4f77
Opcode Fuzzy Hash: 4d84ca56601c928dea9da9dbfe6c40fb991b567295e3ac2ffd462ae2c5df7fc7
Instruction Fuzzy Hash: 3FE01272A34A4093DE84ABB1E489B196361F7C4B40F401012FA5A467A9CF3CC444CB01

Function 0000022DA382868C Relevance: 1.5, APIs: 1, Instructions: 16threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

ResumeThread.KERNEL32 ref: 0000022DA38286AA

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2f43028d8f07e5831b27e4063968a2b8956efc5f49df95266945ef244a950e27
Instruction ID: ab0c7c4e2b07044046fd8ba6c4a7b12d8ef927f2029dc9dfb1b46b59a738dfc3
Opcode Fuzzy Hash: 2f43028d8f07e5831b27e4063968a2b8956efc5f49df95266945ef244a950e27
Instruction Fuzzy Hash: 23E05B71B25649E7EFD06BF1D84CF1A7291F398785F504420D967CE750DB78C4945701

Non-executed Functions

Function 0000022DA544BE70 Relevance: 144.2, APIs: 68, Strings: 14, Instructions: 656libraryloaderpipeCOMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA544BFAA
_snprintf.LIBCMT ref: 0000022DA544BFFB
mbstowcs.LIBCMT ref: 0000022DA544C020
calloc.LIBCMT ref: 0000022DA544C037
mbstowcs.LIBCMT ref: 0000022DA544C04A
malloc.LIBCMT ref: 0000022DA544C07E
CreatePipe.KERNEL32 ref: 0000022DA544C155
CreatePipe.KERNEL32 ref: 0000022DA544C175
LoadLibraryA.KERNEL32 ref: 0000022DA544C214
GetProcAddress.KERNEL32 ref: 0000022DA544C22B
GetProcAddress.KERNEL32 ref: 0000022DA544C23F
OpenProcess.KERNEL32 ref: 0000022DA544C27F
malloc.LIBCMT ref: 0000022DA544C2D0
CloseHandle.KERNEL32 ref: 0000022DA544C8B6
CloseHandle.KERNEL32 ref: 0000022DA544C8C5
free.LIBCMT ref: 0000022DA544C8D8
free.LIBCMT ref: 0000022DA544C8E9
free.LIBCMT ref: 0000022DA544C8F6
free.LIBCMT ref: 0000022DA544C909
free.LIBCMT ref: 0000022DA544C917

Part of subcall function 0000022DA544CEF0: malloc.LIBCMT ref: 0000022DA544CFB8

Strings

DestroyEnvironmentBlock, xrefs: 0000022DA544C4AE
CreateEnvironmentBlock, xrefs: 0000022DA544C49E
[execute] InitializeProcThreadAttributeList: [%d], xrefs: 0000022DA544C2F6
[execute] UpdateProcThreadAttribute: [%d], xrefs: 0000022DA544C36A
%s\%s, xrefs: 0000022DA544BFDF
process, xrefs: 0000022DA544C136
wtsapi32.dll, xrefs: 0000022DA544C6CB
userenv.dll, xrefs: 0000022DA544C489
WTSQueryUserToken, xrefs: 0000022DA544C714
InitializeProcThreadAttributeList, xrefs: 0000022DA544C21A
UpdateProcThreadAttribute, xrefs: 0000022DA544C231
advapi32.dll, xrefs: 0000022DA544C54A
kernel32.dll, xrefs: 0000022DA544C20D
CreateProcessWithTokenW, xrefs: 0000022DA544C563

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$malloc$AddressCloseCreateHandlePipeProccallocmbstowcs$LibraryLoadOpenProcess_snprintf
String ID: %s\%s$CreateEnvironmentBlock$CreateProcessWithTokenW$DestroyEnvironmentBlock$InitializeProcThreadAttributeList$UpdateProcThreadAttribute$WTSQueryUserToken$[execute] InitializeProcThreadAttributeList: [%d]$[execute] UpdateProcThreadAttribute: [%d]$advapi32.dll$kernel32.dll$process$userenv.dll$wtsapi32.dll
API String ID: 107160605-350882186
Opcode ID: 2423f97204b0a057e8ebd9fd0630213cdab127cd23a79d053cc51357715b5dc7
Instruction ID: c479dfcba3053c9a0beaae91f0f87eaf8d97344a8fd374761192509990630c5b
Opcode Fuzzy Hash: 2423f97204b0a057e8ebd9fd0630213cdab127cd23a79d053cc51357715b5dc7
Instruction Fuzzy Hash: 27627E32A04B40AAEB54DFE1E848B9D37B0FB88B84F544126DE4DA7B59EFB8C544C740

Function 0000022DA5451B90 Relevance: 75.4, APIs: 7, Strings: 36, Instructions: 152COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000022DA5451D74
OpenProcessToken.ADVAPI32 ref: 0000022DA5451D87
GetLastError.KERNEL32 ref: 0000022DA5451D91
LookupPrivilegeValueA.ADVAPI32 ref: 0000022DA5451DC6
AdjustTokenPrivileges.ADVAPI32 ref: 0000022DA5451DF7
GetLastError.KERNEL32 ref: 0000022DA5451E01
CloseHandle.KERNEL32 ref: 0000022DA5451E49

Strings

SeDelegateSessionUserImpersonatePrivilege, xrefs: 0000022DA5451C52
SeIncreaseBasePriorityPrivilege, xrefs: 0000022DA5451C73
SeShutdownPrivilege, xrefs: 0000022DA5451CF7
SeRelabelPrivilege, xrefs: 0000022DA5451CCB
SeCreatePermanentPrivilege, xrefs: 0000022DA5451C24
SeRemoteShutdownPrivilege, xrefs: 0000022DA5451CD6
SeCreateSymbolicLinkPrivilege, xrefs: 0000022DA5451C30
SeAssignPrimaryTokenPrivilege, xrefs: 0000022DA5451BC8
SeSyncAgentPrivilege, xrefs: 0000022DA5451D02
SeChangeNotifyPrivilege, xrefs: 0000022DA5451BF7
SeIncreaseWorkingSetPrivilege, xrefs: 0000022DA5451C89
SeManageVolumePrivilege, xrefs: 0000022DA5451CB5
SeLoadDriverPrivilege, xrefs: 0000022DA5451C94
SeUndockPrivilege, xrefs: 0000022DA5451D5A
SeUnsolicitedInputPrivilege, xrefs: 0000022DA5451D65
SeSecurityPrivilege, xrefs: 0000022DA5451CEC
SeTakeOwnershipPrivilege, xrefs: 0000022DA5451D2E
SeMachineAccountPrivilege, xrefs: 0000022DA5451CAA
SeIncreaseQuotaPrivilege, xrefs: 0000022DA5451C7E
SeCreateTokenPrivilege, xrefs: 0000022DA5451C3C
SeRestorePrivilege, xrefs: 0000022DA5451CE1
SeBackupPrivilege, xrefs: 0000022DA5451BE4
SeAuditPrivilege, xrefs: 0000022DA5451BD8
SeImpersonatePrivilege, xrefs: 0000022DA5451C68
SeSystemEnvironmentPrivilege, xrefs: 0000022DA5451D0D
SeTcbPrivilege, xrefs: 0000022DA5451D39
SeSystemProfilePrivilege, xrefs: 0000022DA5451D18
SeCreatePagefilePrivilege, xrefs: 0000022DA5451C18
SeProfileSingleProcessPrivilege, xrefs: 0000022DA5451CC0
SeLockMemoryPrivilege, xrefs: 0000022DA5451C9F
SeDebugPrivilege, xrefs: 0000022DA5451C47
SeTrustedCredManAccessPrivilege, xrefs: 0000022DA5451D4F
SeCreateGlobalPrivilege, xrefs: 0000022DA5451C07
SeTimeZonePrivilege, xrefs: 0000022DA5451D44
SeSystemtimePrivilege, xrefs: 0000022DA5451D23
SeEnableDelegationPrivilege, xrefs: 0000022DA5451C5D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID: SeAssignPrimaryTokenPrivilege$SeAuditPrivilege$SeBackupPrivilege$SeChangeNotifyPrivilege$SeCreateGlobalPrivilege$SeCreatePagefilePrivilege$SeCreatePermanentPrivilege$SeCreateSymbolicLinkPrivilege$SeCreateTokenPrivilege$SeDebugPrivilege$SeDelegateSessionUserImpersonatePrivilege$SeEnableDelegationPrivilege$SeImpersonatePrivilege$SeIncreaseBasePriorityPrivilege$SeIncreaseQuotaPrivilege$SeIncreaseWorkingSetPrivilege$SeLoadDriverPrivilege$SeLockMemoryPrivilege$SeMachineAccountPrivilege$SeManageVolumePrivilege$SeProfileSingleProcessPrivilege$SeRelabelPrivilege$SeRemoteShutdownPrivilege$SeRestorePrivilege$SeSecurityPrivilege$SeShutdownPrivilege$SeSyncAgentPrivilege$SeSystemEnvironmentPrivilege$SeSystemProfilePrivilege$SeSystemtimePrivilege$SeTakeOwnershipPrivilege$SeTcbPrivilege$SeTimeZonePrivilege$SeTrustedCredManAccessPrivilege$SeUndockPrivilege$SeUnsolicitedInputPrivilege
API String ID: 1944759421-3792899055
Opcode ID: 81d48b748c43de0ce4928f702a8a3c66826006e640bdb1b8977eb50856ceff39
Instruction ID: b5b407e3bee6fedcf9df5427150408df90fc8a8240bfb8a21b69b3d23771bf46
Opcode Fuzzy Hash: 81d48b748c43de0ce4928f702a8a3c66826006e640bdb1b8977eb50856ceff39
Instruction Fuzzy Hash: 2081B836A05F40E9EB118FA1F8886CA77F8F758754F501266EA8D63B24EF78C159C780

Function 0000022DA3813EE4 Relevance: 70.4, APIs: 37, Strings: 3, Instructions: 362sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA3818F74: malloc.LIBCMT ref: 0000022DA3818F7D

SetLastError.KERNEL32 ref: 0000022DA3813FF5
GetLastError.KERNEL32 ref: 0000022DA3813FFB
Sleep.KERNEL32 ref: 0000022DA3814509
ResumeThread.KERNEL32 ref: 0000022DA381453C
CloseHandle.KERNEL32 ref: 0000022DA3814547
CloseHandle.KERNEL32 ref: 0000022DA3814566
FreeLibrary.KERNEL32 ref: 0000022DA3814579
SetLastError.KERNEL32 ref: 0000022DA3814583

Strings

NtQueueApcThread, xrefs: 0000022DA3814265
ntdll, xrefs: 0000022DA3814236
@, xrefs: 0000022DA38142FA

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$CloseHandle$FreeLibraryResumeSleepThreadmalloc
String ID: @$NtQueueApcThread$ntdll
API String ID: 4258157543-2122203831
Opcode ID: d0e4bf74456b638bac0fc8aab38f9c685da134fe5546be86c485a251389b3401
Instruction ID: eac71dc28979c952f467978ec08d7dee570d99be88afe3e42a10862d23dd69aa
Opcode Fuzzy Hash: d0e4bf74456b638bac0fc8aab38f9c685da134fe5546be86c485a251389b3401
Instruction Fuzzy Hash: 0E123131218B8197E7E0DBB1E459B5AA3F6F794B84F504025EA8A8BBD8DF7DC444DB00

Function 0000022DA54B5E30 Relevance: 61.6, APIs: 33, Strings: 2, Instructions: 304COMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA54B13F0: LoadLibraryA.KERNEL32 ref: 0000022DA54B142A
Part of subcall function 0000022DA54B13F0: GetProcAddress.KERNEL32 ref: 0000022DA54B1442
Part of subcall function 0000022DA54B13F0: FreeLibrary.KERNEL32 ref: 0000022DA54B1477

GetVersionExA.KERNEL32 ref: 0000022DA54B5EEA
GetLastError.KERNEL32 ref: 0000022DA54B5EF4
SetLastError.KERNEL32 ref: 0000022DA54B6304

Strings

/t:0x%08X, xrefs: 0000022DA54B6115
SeDebugPrivilege, xrefs: 0000022DA54B5F6F

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastLibrary$AddressFreeLoadProcVersion
String ID: /t:0x%08X$SeDebugPrivilege
API String ID: 3600083760-2625622331
Opcode ID: ee07a1d482c46e70874c924a90dca33d871a91d2ed96c87a41cfbd526d001c3b
Instruction ID: 5e5d7b33c42d24c1da75e674dafd12bd3142d24f56d7cc15acc27d3b312914ab
Opcode Fuzzy Hash: ee07a1d482c46e70874c924a90dca33d871a91d2ed96c87a41cfbd526d001c3b
Instruction Fuzzy Hash: 3BD16232B01B40A6FF65AFA6E848B9D73E4F788B94F054129DE4A63B94DFB8C545C700

Function 0000022DA54B49B0 Relevance: 56.3, APIs: 27, Strings: 5, Instructions: 304synchronizationmemoryinjectionCOMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 0000022DA54B4A38
calloc.LIBCMT ref: 0000022DA54B4A49
CreateEventA.KERNEL32 ref: 0000022DA54B4A6D
CreateEventA.KERNEL32 ref: 0000022DA54B4A83
LoadResource.KERNEL32 ref: 0000022DA54B4AB8
GetLastError.KERNEL32 ref: 0000022DA54B4AC6
SizeofResource.KERNEL32 ref: 0000022DA54B4ADA
LockResource.KERNEL32 ref: 0000022DA54B4AE6
CloseHandle.KERNEL32 ref: 0000022DA54B4B28
CloseHandle.KERNEL32 ref: 0000022DA54B4B3B
VirtualFreeEx.KERNEL32 ref: 0000022DA54B4B58
CloseHandle.KERNEL32 ref: 0000022DA54B4B66
VirtualAllocEx.KERNEL32 ref: 0000022DA54B4BC2
GetLastError.KERNEL32 ref: 0000022DA54B4BD8
WriteProcessMemory.KERNEL32 ref: 0000022DA54B4C06
GetLastError.KERNEL32 ref: 0000022DA54B4C10
GetProcessId.KERNEL32 ref: 0000022DA54B4C42
WaitForSingleObject.KERNEL32 ref: 0000022DA54B4C89
ReadProcessMemory.KERNEL32 ref: 0000022DA54B4CB8
GetLastError.KERNEL32 ref: 0000022DA54B4CC2
SetEvent.KERNEL32 ref: 0000022DA54B4D0C
GetLastError.KERNEL32 ref: 0000022DA54B4D16
WaitForSingleObject.KERNEL32 ref: 0000022DA54B4D30
_snwprintf_s.LIBCMT ref: 0000022DA54B4D9A
_snwprintf_s.LIBCMT ref: 0000022DA54B4DEC
_snwprintf_s.LIBCMT ref: 0000022DA54B4E4C
GetLastError.KERNEL32 ref: 0000022DA54B4E98

Strings

%02x, xrefs: 0000022DA54B4DD8, 0000022DA54B4E38
0, xrefs: 0000022DA54B4CCF
:::, xrefs: 0000022DA54B4E6A
DLL, xrefs: 0000022DA54B4A2C
0, xrefs: 0000022DA54B4C25

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$Resource$CloseEventHandleProcess_snwprintf_s$CreateMemoryObjectSingleVirtualWait$AllocFindFreeLoadLockReadSizeofWritecalloc
String ID: %02x$0$0$:::$DLL
API String ID: 619872185-897774778
Opcode ID: 33c5ec8edd936e19ef5c2e72961b2efc061b80c06f3e00a0822ef222e956fdf3
Instruction ID: 7cec51a79f23a3309ff3c4a09f5d4a734d80e6bae412f31043e56b9501030ec7
Opcode Fuzzy Hash: 33c5ec8edd936e19ef5c2e72961b2efc061b80c06f3e00a0822ef222e956fdf3
Instruction Fuzzy Hash: FED19135B04B80A6EF64DB92A45CB9A73B2F789BC4F454025DE4A63798EFB9C905C700

Function 0000022DA5445660 Relevance: 52.7, APIs: 25, Strings: 5, Instructions: 155stringCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000022DA5445676
lstrcmpiW.KERNEL32 ref: 0000022DA54456A2
GetFileAttributesW.KERNEL32 ref: 0000022DA54456AF
SetLastError.KERNEL32 ref: 0000022DA54456C2
RemoveDirectoryW.KERNEL32 ref: 0000022DA54456CB

Strings

\, xrefs: 0000022DA5445798
%s\%s, xrefs: 0000022DA544582C
\*.*, xrefs: 0000022DA5445701
%s*.*, xrefs: 0000022DA5445751
%s\*.*, xrefs: 0000022DA544575A

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$AttributesDirectoryFileRemovelstrcmpi
String ID: %s*.*$%s\%s$%s\*.*$\$\*.*
API String ID: 626095338-4183413870
Opcode ID: 476cbb9af391550a1492c0a7d6f80df1375e92404970ab48f4b9688533e02d8b
Instruction ID: ef2452b8526f6488b9f51acf4cbbba45e67ca53c836adbef3fba18b4cbd8b59b
Opcode Fuzzy Hash: 476cbb9af391550a1492c0a7d6f80df1375e92404970ab48f4b9688533e02d8b
Instruction Fuzzy Hash: 84718F31A04941A6FF649FA4E88CBE923B1FBA0794F841122C55AB25E4EFBCC559C740

Function 0000022DA38128F8 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 427COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000022DA3812AA0
OpenProcessToken.ADVAPI32 ref: 0000022DA3812AB6
LookupPrivilegeValueW.ADVAPI32 ref: 0000022DA3812B1F
AdjustTokenPrivileges.ADVAPI32 ref: 0000022DA3812B50
CloseHandle.KERNEL32 ref: 0000022DA3812B68
OpenProcess.KERNEL32 ref: 0000022DA3812B98
GetLastError.KERNEL32 ref: 0000022DA3812BAB
free.LIBCMT ref: 0000022DA3813014
CloseHandle.KERNEL32 ref: 0000022DA3813069
CloseHandle.KERNEL32 ref: 0000022DA3813088

Strings

@, xrefs: 0000022DA3812D20
SeDebugPrivilege, xrefs: 0000022DA3812B16

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: CloseHandleProcess$OpenToken$AdjustCurrentErrorLastLookupPrivilegePrivilegesValuefree
String ID: @$SeDebugPrivilege
API String ID: 1310624317-3223528420
Opcode ID: b9bfb66e13597722efd53f610cecb8fb5c2cbbf8338c398701cb5df2b7c2b290
Instruction ID: 3b4024729fba08a6f0d24e93f4c17925864e603e464d1cf79a2020497dcf9611
Opcode Fuzzy Hash: b9bfb66e13597722efd53f610cecb8fb5c2cbbf8338c398701cb5df2b7c2b290
Instruction Fuzzy Hash: F822B976208B8197E7A0CB65F458B5BB7E2F799784F104125EA898BB98DF7DC444CB00

Function 0000022DA5453E30 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 214keyboardtimethreadCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 0000022DA5453EEC
GetKeyState.USER32 ref: 0000022DA5453EF7
GetKeyState.USER32 ref: 0000022DA5453F02
GetKeyboardState.USER32 ref: 0000022DA5453F0F
GetForegroundWindow.USER32 ref: 0000022DA5453F34
GetWindowThreadProcessId.USER32 ref: 0000022DA5453F47
EnumChildWindows.USER32 ref: 0000022DA5453F6A
OpenProcess.KERNEL32 ref: 0000022DA5453F7E
GetSystemTime.KERNEL32 ref: 0000022DA5454001
GetDateFormatW.KERNEL32 ref: 0000022DA545402C
GetTimeFormatW.KERNEL32 ref: 0000022DA5454057
_snwprintf.LIBCMT ref: 0000022DA54540A4
_snwprintf.LIBCMT ref: 0000022DA54540E1
CloseHandle.KERNEL32 ref: 0000022DA54540E9
GetAsyncKeyState.USER32 ref: 0000022DA5454109

Strings

**-[ %s | PID: %d-[ @ %s %s UTC**, xrefs: 0000022DA5454072
%ls, xrefs: 0000022DA5454266
<%ls>, xrefs: 0000022DA5454287
Logging started, xrefs: 0000022DA5453FA6, 0000022DA5453FBB, 0000022DA5453FC8, 0000022DA545406B, 0000022DA54540C7
<^%ls>, xrefs: 0000022DA545422A

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: State$FormatProcessTimeWindow_snwprintf$AsyncChildCloseDateEnumForegroundHandleKeyboardOpenSystemThreadWindows
String ID: **-[ %s | PID: %d-[ @ %s %s UTC**$%ls$<%ls>$<^%ls>$Logging started
API String ID: 3707447748-1085417204
Opcode ID: f0ad641e1f6927298aa9a305a1c88056d766f274f7cc3736b189703827e4e608
Instruction ID: 62c6d06dae884566d5a4aacaf5a3c74142ddc4a2e1d96a7384c2bd0ebb43b268
Opcode Fuzzy Hash: f0ad641e1f6927298aa9a305a1c88056d766f274f7cc3736b189703827e4e608
Instruction Fuzzy Hash: 8DA1A872A08B85EAEB24CFA1E848BD973B1F785748F840026DA4D67768DFBCC559C740

Function 0000022DA54451C0 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 137stringCOMMON

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000022DA54451FA

Part of subcall function 0000022DA546CB70: _errno.LIBCMT ref: 0000022DA546CBA7
Part of subcall function 0000022DA546CB70: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546CBB2

strrchr.LIBCMT ref: 0000022DA5445205
_snprintf.LIBCMT ref: 0000022DA5445226

Part of subcall function 0000022DA546CB70: _output_s_l.LIBCMT ref: 0000022DA546CBF1

Part of subcall function 0000022DA546CD10: malloc.LIBCMT ref: 0000022DA546CD33

strrchr.LIBCMT ref: 0000022DA5445255
GetLastError.KERNEL32(?,?,00000000,?,?,0000022DA54441EC), ref: 0000022DA54452BE
free.LIBCMT ref: 0000022DA54453E2
free.LIBCMT ref: 0000022DA54453EA

Strings

%s\%s, xrefs: 0000022DA5445349
%s\*, xrefs: 0000022DA544520F

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _snprintffreestrrchr$ErrorLast_errno_invalid_parameter_noinfo_output_s_lmalloc
String ID: %s\%s$%s\*
API String ID: 3538828039-2848263008
Opcode ID: 0e5e503c2ea9749f87f8fdec00abdffb142c5a5ece83d42b7bdf2d1f7d9663d5
Instruction ID: f396ebcc138751a1fdd63aa6ea167997d96e19dd5e815c665a1ab6bc48a8b702
Opcode Fuzzy Hash: 0e5e503c2ea9749f87f8fdec00abdffb142c5a5ece83d42b7bdf2d1f7d9663d5
Instruction Fuzzy Hash: F951D835A05B81A2EE64EBD1B41CBED63A0B799BD0F444122DD4E63795EEFCC449C740

Function 0000022DA5448AA0 Relevance: 31.8, APIs: 21, Instructions: 292COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA5448AFD
closesocket.WS2_32 ref: 0000022DA5448EE1
free.LIBCMT ref: 0000022DA5448F03

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: closesocketfreemalloc
String ID:
API String ID: 2077312491-0
Opcode ID: 809cf09e2446c247650c86a72c79830729f1cea75e56cb31d70f0c4aba1e60c0
Instruction ID: e8386d639e39578b24e914ab19e25abbfe17a8498d2dd6c550908dec9e548505
Opcode Fuzzy Hash: 809cf09e2446c247650c86a72c79830729f1cea75e56cb31d70f0c4aba1e60c0
Instruction Fuzzy Hash: 36D1A136A01B40EBE7608FA5E448BAD73F1F758B94F104625DE6AA3B94DFB8C5458340

Function 0000022DA5449E40 Relevance: 31.6, APIs: 12, Strings: 6, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000022DA5449E9C
OpenProcessToken.ADVAPI32 ref: 0000022DA5449EAD
LookupPrivilegeValueA.ADVAPI32 ref: 0000022DA5449EDC
AdjustTokenPrivileges.ADVAPI32 ref: 0000022DA5449EFF
CloseHandle.KERNEL32 ref: 0000022DA5449F0A
LoadLibraryA.KERNEL32 ref: 0000022DA5449F17
GetProcAddress.KERNEL32 ref: 0000022DA5449F33
GetProcAddress.KERNEL32 ref: 0000022DA5449F48
GetProcAddress.KERNEL32 ref: 0000022DA5449F5B
wcsstr.LIBCMT ref: 0000022DA5449FD9
CloseHandle.KERNEL32 ref: 0000022DA544A011
FreeLibrary.KERNEL32 ref: 0000022DA544A022

Strings

csrss.exe, xrefs: 0000022DA5449FCD
Process32FirstW, xrefs: 0000022DA5449F39
CreateToolhelp32Snapshot, xrefs: 0000022DA5449F29
Process32NextW, xrefs: 0000022DA5449F4E
kernel32, xrefs: 0000022DA5449F10
SeDebugPrivilege, xrefs: 0000022DA5449EBE

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: AddressProc$CloseHandleLibraryProcessToken$AdjustCurrentFreeLoadLookupOpenPrivilegePrivilegesValuewcsstr
String ID: CreateToolhelp32Snapshot$Process32FirstW$Process32NextW$SeDebugPrivilege$csrss.exe$kernel32
API String ID: 3269807286-2225489067
Opcode ID: 7bd98f5533653f531789abed5f815f2b2efb55186dfd135e21faa7810a691a61
Instruction ID: 03b33db90ca7dc9717a6eb08513442b00916a47add8e84ea6971d31832237179
Opcode Fuzzy Hash: 7bd98f5533653f531789abed5f815f2b2efb55186dfd135e21faa7810a691a61
Instruction Fuzzy Hash: EC51C531A04B41A2EB54DF92F848B6A73B1F784BD4F045126EE5963B98EFBCC445CB40

Function 0000022DA3814714 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 214memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022DA38147B2

Part of subcall function 0000022DA38370F8: GetModuleHandleA.KERNEL32 ref: 0000022DA3837130
Part of subcall function 0000022DA38370F8: GetProcAddress.KERNEL32 ref: 0000022DA3837140

CreateEventW.KERNEL32 ref: 0000022DA3814842
GetLastError.KERNEL32 ref: 0000022DA3814855

Strings

@, xrefs: 0000022DA38148C7

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AddressCreateErrorEventHandleHeapLastModuleProcProcess
String ID: @
API String ID: 892381570-2766056989
Opcode ID: e1bb820d47028cb2069285cca36470ddd52aa13666dea84c8504503cf2cf15d0
Instruction ID: c0e30922d6632abc4d6f4bfabf0426fb57ab49d84b8e550d578934afb198d02a
Opcode Fuzzy Hash: e1bb820d47028cb2069285cca36470ddd52aa13666dea84c8504503cf2cf15d0
Instruction Fuzzy Hash: F1B13F32208B8197E7A0CBB5F459B5AB7F2F785B54F204126DA998BBD8DF7DC4448B00

Function 0000022DA5447060 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136fileCOMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA54470D2
swprintf.LIBCMT ref: 0000022DA54470F7
FindFirstFileW.KERNEL32 ref: 0000022DA5447106
calloc.LIBCMT ref: 0000022DA54471B9
swprintf.LIBCMT ref: 0000022DA54471E1
free.LIBCMT ref: 0000022DA544720D
FindNextFileW.KERNEL32 ref: 0000022DA544724E
FindClose.KERNEL32 ref: 0000022DA5447261
free.LIBCMT ref: 0000022DA544726C
GetLastError.KERNEL32 ref: 0000022DA5447275
GetLastError.KERNEL32 ref: 0000022DA5447280
free.LIBCMT ref: 0000022DA544728D

Part of subcall function 0000022DA5446F00: swprintf.LIBCMT ref: 0000022DA5446F46
Part of subcall function 0000022DA5446F00: FindFirstFileW.KERNEL32(00000000,0000022DA544722B), ref: 0000022DA5446F58
Part of subcall function 0000022DA5446F00: FindNextFileW.KERNEL32 ref: 0000022DA5446FFD
Part of subcall function 0000022DA5446F00: FindClose.KERNEL32 ref: 0000022DA544700E

Strings

%s\%s, xrefs: 0000022DA54471CB
, xrefs: 0000022DA54470B2
%s\*.*, xrefs: 0000022DA54470E5

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Find$File$freeswprintf$CloseErrorFirstLastNextcalloc
String ID: $%s\%s$%s\*.*
API String ID: 4266919821-2005348348
Opcode ID: 0a78df3b767c29c7e3524daa176936a6d2187ee3665ed98b6b49c8e10ebeee12
Instruction ID: fc2421b59c9be22c2451a03009df02a049135270c40f1ab1535ec3fd0445b525
Opcode Fuzzy Hash: 0a78df3b767c29c7e3524daa176936a6d2187ee3665ed98b6b49c8e10ebeee12
Instruction Fuzzy Hash: AC51CD32A44940A3EB649B95E448BA973B0F785BA0F545312FA5A63BD4DFBCC847C740

Function 0000022DA544AA20 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 131injectionthreadmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0000022DA544AA76
GetThreadContext.KERNEL32 ref: 0000022DA544AA96
ReadProcessMemory.KERNEL32 ref: 0000022DA544AACD
GetModuleHandleA.KERNEL32 ref: 0000022DA544AADA
GetProcAddress.KERNEL32 ref: 0000022DA544AAEA
VirtualAllocEx.KERNEL32 ref: 0000022DA544AB1B
WriteProcessMemory.KERNEL32 ref: 0000022DA544AB47
WriteProcessMemory.KERNEL32 ref: 0000022DA544AB83
WriteProcessMemory.KERNEL32 ref: 0000022DA544ABC1
SetThreadContext.KERNEL32 ref: 0000022DA544ABDA
ResumeThread.KERNEL32 ref: 0000022DA544ABE3
TerminateProcess.KERNEL32 ref: 0000022DA544AC0D

Strings

NtUnmapViewOfSection, xrefs: 0000022DA544AAE0
ntdll.dll, xrefs: 0000022DA544AAD3
@, xrefs: 0000022DA544AB13

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtual$AddressHandleModuleProcReadResumeTerminate
String ID: @$NtUnmapViewOfSection$ntdll.dll
API String ID: 2043341788-1860678162
Opcode ID: ee30b7e2ad91102ce3a034b6296141f3efa41f1d2416c5db9c120aceb0fdb7cd
Instruction ID: 3f4fbbbf4b0640e0ef8009641116b0d92ce07d183a7367e76b0761a5d34f4cac
Opcode Fuzzy Hash: ee30b7e2ad91102ce3a034b6296141f3efa41f1d2416c5db9c120aceb0fdb7cd
Instruction Fuzzy Hash: D8518972B00B8197EB608F96F848B5A73A1F744B88F444015EF8A67B44DFBCD589CB44

Function 0000022DA381A904 Relevance: 25.7, APIs: 17, Instructions: 217encryptionCOMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA381A98A
htonl.WS2_32 ref: 0000022DA381A9B1
htonl.WS2_32 ref: 0000022DA381AA2A
CryptDuplicateKey.ADVAPI32 ref: 0000022DA381AA71
GetLastError.KERNEL32 ref: 0000022DA381AA7B
CryptSetKeyParam.ADVAPI32 ref: 0000022DA381AAAA
GetLastError.KERNEL32 ref: 0000022DA381AAB4
CryptSetKeyParam.ADVAPI32 ref: 0000022DA381AADB
GetLastError.KERNEL32 ref: 0000022DA381AAE5
CryptDecrypt.ADVAPI32 ref: 0000022DA381AB1E
GetLastError.KERNEL32 ref: 0000022DA381AB28
memmove_s.LIBCMT ref: 0000022DA381AB54
htonl.WS2_32 ref: 0000022DA381AB63
htonl.WS2_32 ref: 0000022DA381AB99
malloc.LIBCMT ref: 0000022DA381ABC3
memcpy_s.LIBCMT ref: 0000022DA381AC1E
CryptDestroyKey.ADVAPI32 ref: 0000022DA381AC69

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Crypt$ErrorLasthtonl$Param$DecryptDestroyDuplicatecallocmallocmemcpy_smemmove_s
String ID:
API String ID: 4207261932-0
Opcode ID: b49ab75eeee5ddf2d1dbebc1cbc48ecfaaf27e66fff803f7412bdeede67d8ffd
Instruction ID: 50331bfb9b520b894cafd612242a029ebf853b4a98af95bb22b6f6aabec0a1c6
Opcode Fuzzy Hash: b49ab75eeee5ddf2d1dbebc1cbc48ecfaaf27e66fff803f7412bdeede67d8ffd
Instruction Fuzzy Hash: CDA1FF76218B8197EB94CFB9E458B1A77E2F7D4B94F104025EA8A87BA4DF7DC444CB00

Function 0000022DA5452A00 Relevance: 25.7, APIs: 17, Instructions: 176COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0000022DA5452A71
CloseDesktop.USER32 ref: 0000022DA5452C14
CloseWindowStation.USER32 ref: 0000022DA5452C22
SetProcessWindowStation.USER32 ref: 0000022DA5452C30

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: CloseProcessStationWindow$CurrentDesktop
String ID:
API String ID: 1313067402-0
Opcode ID: 94c626cacce61fbefa3ba524021b30f028923df042d450152af6bf72d7319283
Instruction ID: 376db90c9221c59208154a6cad440d3aee9d48a2a1efcf901ad7406784ac9e34
Opcode Fuzzy Hash: 94c626cacce61fbefa3ba524021b30f028923df042d450152af6bf72d7319283
Instruction Fuzzy Hash: CF618336B08B50A3FB659FE2A84CB2A23A0FB49FD5F144466DD0B67754EFB8C8458340

Function 0000022DA3814D58 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 188memoryinjectionCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA38370F8: GetModuleHandleA.KERNEL32 ref: 0000022DA3837130
Part of subcall function 0000022DA38370F8: GetProcAddress.KERNEL32 ref: 0000022DA3837140

OpenProcess.KERNEL32 ref: 0000022DA3814E36
GetLastError.KERNEL32 ref: 0000022DA3814E49
VirtualAllocEx.KERNEL32 ref: 0000022DA3814E99
GetLastError.KERNEL32 ref: 0000022DA3814EAC
WriteProcessMemory.KERNEL32 ref: 0000022DA3814EE4
GetLastError.KERNEL32 ref: 0000022DA3814EEE
VirtualAllocEx.KERNEL32 ref: 0000022DA3814F31
GetLastError.KERNEL32 ref: 0000022DA3814F44
WriteProcessMemory.KERNEL32 ref: 0000022DA3814F7E
GetLastError.KERNEL32 ref: 0000022DA3814F88
GetLastError.KERNEL32 ref: 0000022DA3815077
CloseHandle.KERNEL32 ref: 0000022DA38150A8

Strings

W, xrefs: 0000022DA3814DCC
@, xrefs: 0000022DA3814F19

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$Process$AllocHandleMemoryVirtualWrite$AddressCloseModuleOpenProc
String ID: @$W
API String ID: 4162672949-2335994147
Opcode ID: eb42eeb7f27181eb62335ffe6cee90d7aaa8eab7cad7d62695e460be63da0ed9
Instruction ID: f0201ad6e9aca33be02d9eb7b41bf5b96fc8161ebc5fc4e6e243c004dec5253b
Opcode Fuzzy Hash: eb42eeb7f27181eb62335ffe6cee90d7aaa8eab7cad7d62695e460be63da0ed9
Instruction Fuzzy Hash: 37A1CB76208B8097E7B0DFB5E448B5BB7B2F785B94F104125EA898BB98DF7DC4448B40

Function 0000022DA54B2090 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 138fileCOMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA54B20FC
swprintf.LIBCMT ref: 0000022DA54B2124
FindFirstFileW.KERNEL32 ref: 0000022DA54B2131
calloc.LIBCMT ref: 0000022DA54B21E9
swprintf.LIBCMT ref: 0000022DA54B2211
free.LIBCMT ref: 0000022DA54B2243
FindNextFileW.KERNEL32 ref: 0000022DA54B225C
FindClose.KERNEL32 ref: 0000022DA54B226D
free.LIBCMT ref: 0000022DA54B227B
GetLastError.KERNEL32 ref: 0000022DA54B22B5
GetLastError.KERNEL32 ref: 0000022DA54B22C0
free.LIBCMT ref: 0000022DA54B22CB

Strings

%s\*.*, xrefs: 0000022DA54B2112
%s\%s, xrefs: 0000022DA54B21FB

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: Findfree$ErrorFileLastcallocswprintf$CloseFirstNext
String ID: %s\%s$%s\*.*
API String ID: 3821236099-1665845743
Opcode ID: ddb0a624768e1e93a5f2c1a77af9a665de3d0ca826a354a1b6442d02a6f135c4
Instruction ID: 28af273b1d89586ae336e932271f8cde8cb0932f72b832e10fb2252bf689317c
Opcode Fuzzy Hash: ddb0a624768e1e93a5f2c1a77af9a665de3d0ca826a354a1b6442d02a6f135c4
Instruction Fuzzy Hash: CB51CA31A08684A2FF589B95E449BAD73B0F7C4BA0F454315FAA9637E4EFB8C485C700

Function 0000022DA5457720 Relevance: 23.1, APIs: 9, Strings: 4, Instructions: 311comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0000022DA545775C
CoCreateInstance.OLE32 ref: 0000022DA545777F

Strings

SampleGrabber, xrefs: 0000022DA5457A28
vids, xrefs: 0000022DA5457A9E
WebCam, xrefs: 0000022DA5457918
NullRenderer, xrefs: 0000022DA5457A72

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: CreateInitializeInstance
String ID: NullRenderer$SampleGrabber$WebCam$vids
API String ID: 3519745914-1378241838
Opcode ID: ffc55bd91af28c3805f18e3fc733ac83d97484a42aa0c638f63a7fcf4dabcaef
Instruction ID: 29a265bc3053a43df8be52424a49b0291718e2e518f5615ccc453d38963003dd
Opcode Fuzzy Hash: ffc55bd91af28c3805f18e3fc733ac83d97484a42aa0c638f63a7fcf4dabcaef
Instruction Fuzzy Hash: 1AE15136B04B46E6EB11CFAAE848B9937A1F788B88F404062DF4E53715DFB9D949C340

Function 0000022DA54B6984 Relevance: 22.7, APIs: 15, Instructions: 196COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000022DA54B69A6

Part of subcall function 0000022DA54B7C50: _getptd_noexit.LIBCMT ref: 0000022DA54B7C54

_invalid_parameter_noinfo.LIBCMT ref: 0000022DA54B69B2
_errno.LIBCMT ref: 0000022DA54B69DC
__tzset.LIBCMT ref: 0000022DA54B69F9
_get_daylight.LIBCMT ref: 0000022DA54B6A02

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: _errno$__tzset_get_daylight_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2665896524-0
Opcode ID: 2e55afbc7bd3160bb278a42108840857c901d28fc620b6d15b4d967b9e5f567d
Instruction ID: 41259c57131fa5e8679dd8e9f3ce79488bd2286b7dc1ffc4b51f270bd370ec59
Opcode Fuzzy Hash: 2e55afbc7bd3160bb278a42108840857c901d28fc620b6d15b4d967b9e5f567d
Instruction Fuzzy Hash: B5712673F10A1496FF14DFA0D85ABAC2364FB54798F128126EE1D6ABCAEB79C5018700

Function 0000022DA5444770 Relevance: 22.6, APIs: 15, Instructions: 139encryptionCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA5444D37
CryptAcquireContextA.ADVAPI32 ref: 0000022DA5444D5C
GetLastError.KERNEL32 ref: 0000022DA5444D66
CryptDestroyHash.ADVAPI32 ref: 0000022DA5444E99
CryptReleaseContext.ADVAPI32 ref: 0000022DA5444EAB
fclose.LIBCMT ref: 0000022DA5444EBB

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Crypt$ContextErrorLast$AcquireDestroyHashReleasefclose
String ID:
API String ID: 1196782254-0
Opcode ID: 79dbfd2cacfc3be1d1a50822a5081629bc9f583ac5fb191f04506a8164d47540
Instruction ID: cc13877477aecea65fcfdec362330e171eb103b7461875661055aa6cc4fbd5a9
Opcode Fuzzy Hash: 79dbfd2cacfc3be1d1a50822a5081629bc9f583ac5fb191f04506a8164d47540
Instruction Fuzzy Hash: E8519371B14B81A3EB608FE1E848F9A63B4F788BC4F505426EE4A63B58DFB8C545C740

Function 0000022DA54495B0 Relevance: 21.2, APIs: 14, Instructions: 190COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA544960F
closesocket.WS2_32 ref: 0000022DA544987E
free.LIBCMT ref: 0000022DA54498A0

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: closesocketfreemalloc
String ID:
API String ID: 2077312491-0
Opcode ID: 11e4d250dd96446c17937d603394033e7e42fd1fa2762c549830586213ab93c5
Instruction ID: 223899d619612499c2cb0aec8f02eda6c80a67adf6a0fcabd409a50261da89bd
Opcode Fuzzy Hash: 11e4d250dd96446c17937d603394033e7e42fd1fa2762c549830586213ab93c5
Instruction Fuzzy Hash: 97917C72A11B50A7EB548FA5E448B6E33F0FB89B90F148225CE4D63B50EF78C461D740

Function 0000022DA3814AE8 Relevance: 21.1, APIs: 14, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32 ref: 0000022DA3814B4D
GetLastError.KERNEL32 ref: 0000022DA3814B57
SetLastError.KERNEL32 ref: 0000022DA3814B7F
GetLastError.KERNEL32 ref: 0000022DA3814B85
VirtualAlloc.KERNEL32 ref: 0000022DA3814BAD
GetLastError.KERNEL32 ref: 0000022DA3814BC0
VirtualAlloc.KERNEL32 ref: 0000022DA3814BE8
GetLastError.KERNEL32 ref: 0000022DA3814BFB
SetLastError.KERNEL32 ref: 0000022DA3814CA9
GetLastError.KERNEL32 ref: 0000022DA3814CAF
SetLastError.KERNEL32 ref: 0000022DA3814CD2
GetLastError.KERNEL32 ref: 0000022DA3814CD8
VirtualFree.KERNEL32 ref: 0000022DA3814D23
VirtualFree.KERNEL32 ref: 0000022DA3814D3E

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$Virtual$AllocFree$Version
String ID:
API String ID: 2722171286-0
Opcode ID: fba7c4e8b7438935fe2ab70c6a95f08f41d9c765d65b3dad16eb500d3a6ec083
Instruction ID: 1523a0c671b105d9941207911a65a779e7174d106fad86aeaf86d58aa05813ad
Opcode Fuzzy Hash: fba7c4e8b7438935fe2ab70c6a95f08f41d9c765d65b3dad16eb500d3a6ec083
Instruction Fuzzy Hash: EC611232214B4193E7A0DBB5F859B1B77B6F7D8B94F104125EA8A8BBA4DF3DC5448B00

Function 0000022DA5453B00 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 99keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 0000022DA5453B64
GetKeyState.USER32 ref: 0000022DA5453B6F
GetKeyState.USER32 ref: 0000022DA5453B7A
GetKeyboardState.USER32 ref: 0000022DA5453B88
GetAsyncKeyState.USER32 ref: 0000022DA5453BC0
GetKeyNameTextW.USER32 ref: 0000022DA5453CD0
_snwprintf.LIBCMT ref: 0000022DA5453D5D

Strings

%ls, xrefs: 0000022DA5453D1A
<%ls>, xrefs: 0000022DA5453D3A
<^%ls>, xrefs: 0000022DA5453CDE

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: State$AsyncKeyboardNameText_snwprintf
String ID: %ls$<%ls>$<^%ls>
API String ID: 819054474-3418244432
Opcode ID: 68046c5ed62edf608801fb83fb612df9adf8266851809a336e810ef7920cf2cc
Instruction ID: 7e639f722074e31f41d7804796b86c482659d78f77d746a6075e2d175340ce30
Opcode Fuzzy Hash: 68046c5ed62edf608801fb83fb612df9adf8266851809a336e810ef7920cf2cc
Instruction Fuzzy Hash: CE418832604B45E6E724CF91F848B9E73B5F789740F44012AEA8A63794DFBDC559C740

Function 0000022DA54B1F30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 73fileCOMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0000022DA54B1F5D

Part of subcall function 0000022DA54B6960: _vswprintf_s_l.LIBCMT ref: 0000022DA54B697A

FindFirstFileW.KERNEL32(00000000,0000022DA54B22A5), ref: 0000022DA54B1F6F
CreateFileW.KERNEL32 ref: 0000022DA54B1FF4
CloseHandle.KERNEL32 ref: 0000022DA54B201A
FindNextFileW.KERNEL32 ref: 0000022DA54B2028
FindClose.KERNEL32 ref: 0000022DA54B2039
GetLastError.KERNEL32 ref: 0000022DA54B2062
GetLastError.KERNEL32 ref: 0000022DA54B206D

Strings

%s\*, xrefs: 0000022DA54B1F49

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: FileFind$CloseErrorLast$CreateFirstHandleNext_vswprintf_s_lswprintf
String ID: %s\*
API String ID: 1413818605-766152087
Opcode ID: ec091b89f20d6ef00adf1243fa1b33774a0f9f803ebf6865371f2ba8d57902af
Instruction ID: 1dc144a4f522a60fa854484caab8b1b0e8bce795cd4178f5b5a3b994bad0d32b
Opcode Fuzzy Hash: ec091b89f20d6ef00adf1243fa1b33774a0f9f803ebf6865371f2ba8d57902af
Instruction Fuzzy Hash: 3331B831A08680A6EB615B95F44CBBAB370F7D4790F844115FAD922A98DFFCC585C700

Function 0000022DA54570E0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0000022DA5457123
CoCreateInstance.OLE32 ref: 0000022DA5457149
VariantInit.OLEAUT32 ref: 0000022DA5457206
_Wcsftime.LIBCMT ref: 0000022DA5457252
VariantClear.OLEAUT32 ref: 0000022DA5457273
GetLastError.KERNEL32 ref: 0000022DA545729F
CoUninitialize.OLE32 ref: 0000022DA54572BD

Strings

FriendlyName, xrefs: 0000022DA5457219

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Variant$ClearCreateErrorInitInitializeInstanceLastUninitializeWcsftime
String ID: FriendlyName
API String ID: 958359432-3623505368
Opcode ID: 9701de09f984ee2d88b9a3f1517e209769a395558a2260adc76cce08169f135d
Instruction ID: 9d13a5438aa4e277441f4d68eabd578e4fc0ffff5c262d960d0e2a3261018568
Opcode Fuzzy Hash: 9701de09f984ee2d88b9a3f1517e209769a395558a2260adc76cce08169f135d
Instruction Fuzzy Hash: D9517132704B86E6EB10CFA5E488B9E77B0F789B84F544022EA4E53B28DF78C549C740

Function 0000022DA3820A6C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 95pipeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA381F018: GetCurrentProcess.KERNEL32 ref: 0000022DA381F02A
Part of subcall function 0000022DA381F018: OpenProcessToken.ADVAPI32 ref: 0000022DA381F03D
Part of subcall function 0000022DA381F018: GetLastError.KERNEL32 ref: 0000022DA381F04D

CreateNamedPipeW.KERNEL32 ref: 0000022DA3820B0C
GetLastError.KERNEL32 ref: 0000022DA3820B17
CreateNamedPipeW.KERNEL32 ref: 0000022DA3820B7A
GetLastError.KERNEL32 ref: 0000022DA3820B85

Part of subcall function 0000022DA381ED28: AllocateAndInitializeSid.ADVAPI32 ref: 0000022DA381EDA9

ConnectNamedPipe.KERNEL32 ref: 0000022DA3820BB6

Part of subcall function 0000022DA381F018: LookupPrivilegeValueW.ADVAPI32 ref: 0000022DA381F067
Part of subcall function 0000022DA381F018: GetLastError.KERNEL32 ref: 0000022DA381F077

GetLastError.KERNEL32 ref: 0000022DA3820BC7
CloseHandle.KERNEL32 ref: 0000022DA3820C13

Strings

SeSecurityPrivilege, xrefs: 0000022DA3820A96, 0000022DA3820B2F

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$NamedPipe$CreateProcess$AllocateCloseConnectCurrentHandleInitializeLookupOpenPrivilegeTokenValue
String ID: SeSecurityPrivilege
API String ID: 3545420818-2333288578
Opcode ID: 7363ed99cd7cb3f9d29511433e3f0182f62cbbc70dc7cbb54a35e6ec27a2a5fb
Instruction ID: 698aae1c8ed6b607500f745fa969999d3f5d769c8405e8e4c0ede1bca022a598
Opcode Fuzzy Hash: 7363ed99cd7cb3f9d29511433e3f0182f62cbbc70dc7cbb54a35e6ec27a2a5fb
Instruction Fuzzy Hash: 67416372108A8197E7A0DBB4E458B5AF7A1F385778F500325F6B94AED8EB7DC444CB00

Function 0000022DA54B2D30 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 89COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA54B2D66

Part of subcall function 0000022DA54B723C: _FF_MSGBANNER.LIBCMT ref: 0000022DA54B726C
Part of subcall function 0000022DA54B723C: _NMSG_WRITE.LIBCMT ref: 0000022DA54B7276
Part of subcall function 0000022DA54B723C: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA54BB5A4,?,?,?,0000022DA54BE3FC,?,?,?,0000022DA54BE2FB,?,?,0000000D,0000022DA54B9763), ref: 0000022DA54B7291
Part of subcall function 0000022DA54B723C: _errno.LIBCMT ref: 0000022DA54B72B5
Part of subcall function 0000022DA54B723C: _errno.LIBCMT ref: 0000022DA54B72C0

_snwprintf_s.LIBCMT ref: 0000022DA54B2DA6
RpcBindingFree.RPCRT4 ref: 0000022DA54B2E58
free.LIBCMT ref: 0000022DA54B2E66

Strings

\\localhost/pipe/%s/\%s\%s, xrefs: 0000022DA54B2D94
localhost, xrefs: 0000022DA54B2DAC
\pipe\lsarpc, xrefs: 0000022DA54B2DD7

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: _errno$AllocBindingFreeHeap_snwprintf_sfreemalloc
String ID: \\localhost/pipe/%s/\%s\%s$\pipe\lsarpc$localhost
API String ID: 1077255598-28946181
Opcode ID: 474c08fd89dba0365cd44054de8b85c13f02dc56e94fa981ab054502f5ad2ab2
Instruction ID: 6592fcae6757bde2bb5ed076ad07daf39288569771b346815f7974597b12accf
Opcode Fuzzy Hash: 474c08fd89dba0365cd44054de8b85c13f02dc56e94fa981ab054502f5ad2ab2
Instruction Fuzzy Hash: 8031B931A08B40A2EE249B96A808B9B72A1F785BF0F564715FD79277E4DBB9C442C300

Function 0000022DA5450C30 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000022DA5450C92
OpenProcessToken.ADVAPI32 ref: 0000022DA5450CA3
LookupPrivilegeValueA.ADVAPI32 ref: 0000022DA5450CBB
AdjustTokenPrivileges.ADVAPI32 ref: 0000022DA5450CEE
ExitWindowsEx.USER32 ref: 0000022DA5450CFC
GetLastError.KERNEL32 ref: 0000022DA5450D06
CloseHandle.KERNEL32 ref: 0000022DA5450D2D

Strings

SeShutdownPrivilege, xrefs: 0000022DA5450CB2

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorExitHandleLastLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 3672536310-3733053543
Opcode ID: 88e43dece8113a7eceb5ca5ed84316068a2b8c1f6a48f99735b721d9d652b503
Instruction ID: fbe6bb7a9595f51962fa5f764894e90e940ece45d6b160407ef66e4e64020bec
Opcode Fuzzy Hash: 88e43dece8113a7eceb5ca5ed84316068a2b8c1f6a48f99735b721d9d652b503
Instruction Fuzzy Hash: C4316476A04B4193EB409FA2F848BAA67A0F789B90F144026DE4EA7754DFBCC445C740

Function 0000022DA54B2E90 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

_snwprintf_s.LIBCMT ref: 0000022DA54B2EC8

Part of subcall function 0000022DA54B693C: _vsnwprintf_s_l.LIBCMT ref: 0000022DA54B6954

RpcStringBindingComposeW.RPCRT4 ref: 0000022DA54B2EF8
DceErrorInqTextA.RPCRT4 ref: 0000022DA54B2F09
RpcBindingFromStringBindingW.RPCRT4 ref: 0000022DA54B2F22
RpcStringFreeW.RPCRT4 ref: 0000022DA54B2F34
RpcBindingSetAuthInfoW.RPCRT4 ref: 0000022DA54B2F5B

Strings

\\%s, xrefs: 0000022DA54B2EB8
ncacn_np, xrefs: 0000022DA54B2EE2

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: Binding$String$AuthComposeErrorFreeFromInfoText_snwprintf_s_vsnwprintf_s_l
String ID: \\%s$ncacn_np
API String ID: 1079777691-3858430495
Opcode ID: 12233bd968acef49d8d39bfe264e85cb5ae9e54bcf419a3b965369d3e67d44de
Instruction ID: 2539bab937c696c5bdb3cbd6eb9159607a6c40625312ca89e81c2be533d3b97c
Opcode Fuzzy Hash: 12233bd968acef49d8d39bfe264e85cb5ae9e54bcf419a3b965369d3e67d44de
Instruction Fuzzy Hash: 64214171608B81A2EB208F61F448B8AB774F784BA4F444315EAAD536E8DF78C505D740

Function 0000022DA381ED28 Relevance: 13.7, APIs: 9, Instructions: 155memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 0000022DA381EDA9
SetEntriesInAclW.ADVAPI32 ref: 0000022DA381EE4E
AllocateAndInitializeSid.ADVAPI32 ref: 0000022DA381EEE8
LocalAlloc.KERNEL32 ref: 0000022DA381EF08
InitializeAcl.ADVAPI32 ref: 0000022DA381EF23
LocalAlloc.KERNEL32 ref: 0000022DA381EF6C
InitializeSecurityDescriptor.ADVAPI32 ref: 0000022DA381EF81
SetSecurityDescriptorDacl.ADVAPI32 ref: 0000022DA381EFA6
SetSecurityDescriptorSacl.ADVAPI32 ref: 0000022DA381EFC8

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Initialize$DescriptorSecurity$AllocAllocateLocal$DaclEntriesSacl
String ID:
API String ID: 1565010709-0
Opcode ID: 0f8951fb75e2927ed412854d149cbf449715b977967668bed34e192075ffaafd
Instruction ID: fac409c6a4bac6ccae19e2f2b791c3c378444c1dedfe686804897ecb1a0b4a12
Opcode Fuzzy Hash: 0f8951fb75e2927ed412854d149cbf449715b977967668bed34e192075ffaafd
Instruction Fuzzy Hash: 33711D322187C197F7A08B75E458B4BBAE1F795788F504025DA898BBD8EB7ED448CB40

Function 0000022DA54B5970 Relevance: 13.6, APIs: 9, Instructions: 50COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,00000000,0000022DA54B30FC), ref: 0000022DA54B5998
GetLastError.KERNEL32(?,?,00000000,0000022DA54B30FC), ref: 0000022DA54B59A6
SetLastError.KERNEL32(?,?,00000000,0000022DA54B30FC), ref: 0000022DA54B5A07

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$ManagerOpen
String ID:
API String ID: 239337868-0
Opcode ID: 0a7b65c65ec24dbd24546dae0cabbc8627d049e3d38ab237962e16c91f5eec01
Instruction ID: ef3cae94567864f513c867d53632ce036695c64ae3b24d8ab26bb4f1c3c491d7
Opcode Fuzzy Hash: 0a7b65c65ec24dbd24546dae0cabbc8627d049e3d38ab237962e16c91f5eec01
Instruction Fuzzy Hash: A8118234F15740A3FF589BE7A49CB6DA3A1BB9DBE0F040428DD0B63754EFA888494B00

Function 0000022DA54B5C10 Relevance: 13.5, APIs: 9, Instructions: 48COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,0000022DA54B2B9A), ref: 0000022DA54B5C38
GetLastError.KERNEL32(?,?,?,0000022DA54B2B9A), ref: 0000022DA54B5C46
SetLastError.KERNEL32(?,?,?,0000022DA54B2B9A), ref: 0000022DA54B5CA2

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$ManagerOpen
String ID:
API String ID: 239337868-0
Opcode ID: a6668828978a52cb829c853aacaaccec968ee5e4bc683db3bd65410f4e1c187d
Instruction ID: d8e3f2fd82198f061e7591ccf9d81aa07bc990f32b084a108f35c83d4327b714
Opcode Fuzzy Hash: a6668828978a52cb829c853aacaaccec968ee5e4bc683db3bd65410f4e1c187d
Instruction Fuzzy Hash: 1B115234F06740A3EF599BE7A59CB6C93B1BB99BD0F040828ED0763754EFA888494700

Function 0000022DA38372FC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 124memoryinjectionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0000022DA383733C

Part of subcall function 0000022DA3837538: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA3837544
Part of subcall function 0000022DA3837538: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA38376CB

HeapAlloc.KERNEL32 ref: 0000022DA38373C6

Part of subcall function 0000022DA38376F0: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA383771F
Part of subcall function 0000022DA38376F0: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA383772A

VirtualAllocEx.KERNEL32 ref: 0000022DA383745B
WriteProcessMemory.KERNEL32 ref: 0000022DA383749F
HeapFree.KERNEL32 ref: 0000022DA3837520

Strings

IoCompletion, xrefs: 0000022DA38373F2
2, xrefs: 0000022DA38374F2

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocFree$CurrentMemoryVirtualWrite
String ID: 2$IoCompletion
API String ID: 3548349751-304311290
Opcode ID: 7ebdce919db8becf1db9f316b5089ad423863689ecabb06c358170e70d436e93
Instruction ID: 1847c15fab648581ac9296c4ccb58aa14274dfed6af13cab3d915126c6590290
Opcode Fuzzy Hash: 7ebdce919db8becf1db9f316b5089ad423863689ecabb06c358170e70d436e93
Instruction Fuzzy Hash: 42515C71218B8193E7E58BB5E848B1AB7E1F7C57A4F100615FA958ABD8DF7DC4448F00

Function 0000022DA5446F00 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79fileCOMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0000022DA5446F46

Part of subcall function 0000022DA546D0E8: _vswprintf_s_l.LIBCMT ref: 0000022DA546D102

FindFirstFileW.KERNEL32(00000000,0000022DA544722B), ref: 0000022DA5446F58
FindNextFileW.KERNEL32 ref: 0000022DA5446FFD
FindClose.KERNEL32 ref: 0000022DA544700E
GetLastError.KERNEL32 ref: 0000022DA5447038
GetLastError.KERNEL32 ref: 0000022DA5447043

Strings

%s\%s, xrefs: 0000022DA5446F2D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Find$ErrorFileLast$CloseFirstNext_vswprintf_s_lswprintf
String ID: %s\%s
API String ID: 1768775470-4073750446
Opcode ID: 248aaef3886caa72b2d9d56981facd7d1fa5cb528fc77309e03ef3a928677393
Instruction ID: d2a512fc529dc730b07d636089c1d917744216e7383545935154ee6dfb9379b1
Opcode Fuzzy Hash: 248aaef3886caa72b2d9d56981facd7d1fa5cb528fc77309e03ef3a928677393
Instruction Fuzzy Hash: 0B31C831A04680A6EB649F91A44CBAD73B1F784BD0F444212FAD923AD8DFBCC985C740

Function 0000022DA54B3810 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 62COMMON

Download Yara Rule

APIs

RpcStringBindingComposeW.RPCRT4 ref: 0000022DA54B38BB
RpcBindingFromStringBindingW.RPCRT4 ref: 0000022DA54B38EF
RpcStringFreeW.RPCRT4 ref: 0000022DA54B38FF

Strings

\pipe\spoolss, xrefs: 0000022DA54B388A
\, xrefs: 0000022DA54B3845
12345678-1234-ABCD-EF00-0123456789AB, xrefs: 0000022DA54B38AF
ncacn_np, xrefs: 0000022DA54B38A8

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: BindingString$ComposeFreeFrom
String ID: 12345678-1234-ABCD-EF00-0123456789AB$\$\pipe\spoolss$ncacn_np
API String ID: 465755213-1684225170
Opcode ID: 5ff4be422249118a35a099eeb7e61a0a0a438981dad3fff9fd0aec4d44c96434
Instruction ID: fe27777fbe918526c2ddc01ac09705114640793e9f59900273da2d0b9eebc06e
Opcode Fuzzy Hash: 5ff4be422249118a35a099eeb7e61a0a0a438981dad3fff9fd0aec4d44c96434
Instruction Fuzzy Hash: DC218236A14A80E2DF709F86F888BAA73F0F784784F855119DB4953654DFBCC145C704

Function 0000022DA54B45E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00000000,0000022DA54B4AF4), ref: 0000022DA54B45ED
OpenProcessToken.ADVAPI32(?,?,?,?,?,?,00000000,0000022DA54B4AF4), ref: 0000022DA54B45FE
LookupPrivilegeValueA.ADVAPI32 ref: 0000022DA54B4616
AdjustTokenPrivileges.ADVAPI32 ref: 0000022DA54B4649
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,0000022DA54B4AF4), ref: 0000022DA54B4653
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,0000022DA54B4AF4), ref: 0000022DA54B4665

Strings

SeDebugPrivilege, xrefs: 0000022DA54B460D

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3398352648-2896544425
Opcode ID: 06a7beff0cfccf4d041f7d7f3e6a4332b90f74f19fcb778a4e1f4d7a6bf5bba0
Instruction ID: 5028d68523b951b45120de94e8edd4c2e3c64152c945fbc26e8eca9d8b1cb47f
Opcode Fuzzy Hash: 06a7beff0cfccf4d041f7d7f3e6a4332b90f74f19fcb778a4e1f4d7a6bf5bba0
Instruction Fuzzy Hash: 71012171A04B45A3EB509FE2F888B5AB3B0FBC8B54F454119EA8A53658DFFCC449CB50

Function 0000022DA381F018 Relevance: 12.1, APIs: 8, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000022DA381F02A
OpenProcessToken.ADVAPI32 ref: 0000022DA381F03D
GetLastError.KERNEL32 ref: 0000022DA381F04D
LookupPrivilegeValueW.ADVAPI32 ref: 0000022DA381F067
GetLastError.KERNEL32 ref: 0000022DA381F077
AdjustTokenPrivileges.ADVAPI32 ref: 0000022DA381F0F0
GetLastError.KERNEL32 ref: 0000022DA381F100
CloseHandle.KERNEL32 ref: 0000022DA381F148

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 917087896-0
Opcode ID: 0cfc3383bac7433545e81286e7cf9ad2375aa63631821ee19201f1c728bdbe70
Instruction ID: 04d0dd8e24b03075c863bf6142fd77e2aa7a577fb7d6a9addde8b7ed3bc16426
Opcode Fuzzy Hash: 0cfc3383bac7433545e81286e7cf9ad2375aa63631821ee19201f1c728bdbe70
Instruction Fuzzy Hash: 48312232218B4197E7D09FB5E848B5BB7A6F784744F500126EA8A8AB94DF3DC5448B40

Function 0000022DA54B6740 Relevance: 12.1, APIs: 8, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000,?,0000022DA54B5F80), ref: 0000022DA54B6778
OpenProcessToken.ADVAPI32(?,?,?,?,00000000,00000000,?,0000022DA54B5F80), ref: 0000022DA54B678B
LookupPrivilegeValueA.ADVAPI32 ref: 0000022DA54B67BA
AdjustTokenPrivileges.ADVAPI32 ref: 0000022DA54B67DD
GetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000022DA54B5F80), ref: 0000022DA54B67E7
GetHandleInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0000022DA54B5F80), ref: 0000022DA54B67FE
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,0000022DA54B5F80), ref: 0000022DA54B680D
SetLastError.KERNEL32(?,?,?,?,00000000,00000000,?,0000022DA54B5F80), ref: 0000022DA54B681A

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorHandleLastProcessToken$AdjustCloseCurrentInformationLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 1526621745-0
Opcode ID: 63d616277a6404653c697ffa3010a5e12329fb468d5c94cc14154750edd8ebae
Instruction ID: 61a7ff7a368f74c9b15acb8b9aaa8ea8387c4a603ece0451a1e0b72399694459
Opcode Fuzzy Hash: 63d616277a6404653c697ffa3010a5e12329fb468d5c94cc14154750edd8ebae
Instruction Fuzzy Hash: CA215372A0974097FB509FA6F848B5AB3F4F7C8784F444039EA4A93A54DF78C805CB40

Function 0000022DA54B5B20 Relevance: 12.1, APIs: 8, Instructions: 59serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 0000022DA54B5B58
GetLastError.KERNEL32 ref: 0000022DA54B5B66
CreateServiceA.ADVAPI32 ref: 0000022DA54B5BB1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54B2AE7), ref: 0000022DA54B5BBC
CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54B2AE7), ref: 0000022DA54B5BC7
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54B2AE7), ref: 0000022DA54B5BEA

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$Service$CloseCreateHandleManagerOpen
String ID:
API String ID: 1692906367-0
Opcode ID: 2b0af2ceeb5913fda9b3e7486b5fba0233390429202dadf00cb6cf47de665049
Instruction ID: 3d78bd1d605dd76e95970d56ee6a1c635d5ed44d91a4eac51165738a1fd74db7
Opcode Fuzzy Hash: 2b0af2ceeb5913fda9b3e7486b5fba0233390429202dadf00cb6cf47de665049
Instruction Fuzzy Hash: 55215035B08B4093EB548F92A84CB1DB3B4F799BD0F584938EA9A53B54DFBCC4458700

Function 0000022DA5441260 Relevance: 10.6, APIs: 7, Instructions: 127shareCOMMON

Download Yara Rule

APIs

GetLogicalDriveStringsA.KERNEL32 ref: 0000022DA54412A2
GetLastError.KERNEL32 ref: 0000022DA54412AC
GetDriveTypeA.KERNEL32 ref: 0000022DA54412F4
malloc.LIBCMT ref: 0000022DA5441363
WNetGetUniversalNameA.MPR ref: 0000022DA544137E
free.LIBCMT ref: 0000022DA54413A9
GetDiskFreeSpaceExA.KERNEL32 ref: 0000022DA54413C0

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Drive$DiskErrorFreeLastLogicalNameSpaceStringsTypeUniversalfreemalloc
String ID:
API String ID: 2456301943-0
Opcode ID: ccae92921d5a1553cc09299aafbc17f3b5e33a5978f63057fd8c14b38652351e
Instruction ID: 29b86591002944a7f79d76290784cc80818a25a4f035e29d9009ae0c642718d7
Opcode Fuzzy Hash: ccae92921d5a1553cc09299aafbc17f3b5e33a5978f63057fd8c14b38652351e
Instruction Fuzzy Hash: BA51A272A04B8593EB609FA2E448BAE7761F789FD4F504026CE4A63B99DF7CC446C740

Function 0000022DA544CA70 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000022DA544CAA5
OpenProcessToken.ADVAPI32 ref: 0000022DA544CAB6
LookupPrivilegeValueA.ADVAPI32 ref: 0000022DA544CAE9
AdjustTokenPrivileges.ADVAPI32 ref: 0000022DA544CB0C
CloseHandle.KERNEL32 ref: 0000022DA544CB17

Strings

SeDebugPrivilege, xrefs: 0000022DA544CAC7

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID: SeDebugPrivilege
API String ID: 3038321057-2896544425
Opcode ID: c6b6d43e06d8ba28a8b08f8c20b83eda430b067763666b33fe126ce2f199aabe
Instruction ID: 8edf3c2ca61f5be0e4ebd847b58b6e80ba7ef9bbe494b316d3412227e745d8ec
Opcode Fuzzy Hash: c6b6d43e06d8ba28a8b08f8c20b83eda430b067763666b33fe126ce2f199aabe
Instruction Fuzzy Hash: E7213771B08B8593EB409FA6F84876A77B1F785BC4F085035EA4AA3B59DFB8C405C740

Function 0000022DA544F330 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?,0000022DA544F1FA), ref: 0000022DA544F367
GetLastError.KERNEL32(?,?,?,?,?,0000022DA544F1FA), ref: 0000022DA544F375
WriteProcessMemory.KERNEL32 ref: 0000022DA544F393
VirtualProtectEx.KERNEL32 ref: 0000022DA544F3BB
GetLastError.KERNEL32 ref: 0000022DA544F3C5

Strings

@, xrefs: 0000022DA544F35F

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastVirtual$AllocMemoryProcessProtectWrite
String ID: @
API String ID: 3698175283-2766056989
Opcode ID: 5e30b1100322dcd236b3d3deec6b99aa36a4be20d0583ecc1c1f72bd8369be6e
Instruction ID: abea2a829b4e73e094330de575e397d77ca4a19dd03466461e7e6c1624631a29
Opcode Fuzzy Hash: 5e30b1100322dcd236b3d3deec6b99aa36a4be20d0583ecc1c1f72bd8369be6e
Instruction Fuzzy Hash: BF119432B04F81A6E7209F96F848A4AB7A0B749FD4F484026EE8963B54EF78C515C744

Function 0000022DA38216F8 Relevance: 10.5, APIs: 7, Instructions: 44networkCOMMON

Download Yara Rule

APIs

bind.WS2_32 ref: 0000022DA3821727
WSAGetLastError.WS2_32 ref: 0000022DA3821732
listen.WS2_32 ref: 0000022DA3821748
WSAGetLastError.WS2_32 ref: 0000022DA3821753
closesocket.WS2_32 ref: 0000022DA38217A4

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$bindclosesocketlisten
String ID:
API String ID: 1548718142-0
Opcode ID: fe8277ea95e6a61402380fbc271dee7c0d07b285c9eab3e52634fa1f44bccb06
Instruction ID: 244a2c04ed1a887342e34389bfb6b4fc6de754b829c5970dd419327d78453ca2
Opcode Fuzzy Hash: fe8277ea95e6a61402380fbc271dee7c0d07b285c9eab3e52634fa1f44bccb06
Instruction Fuzzy Hash: 7B11F936518A4097D7A09BB5E84861AB7A2F7C97B8F200710EAB946AE8CF3DC5449F04

Function 0000022DA5452050 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA54520B6

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

EnumDeviceDrivers.PSAPI ref: 0000022DA54520D4
GetDeviceDriverFileNameW.PSAPI ref: 0000022DA545213D
free.LIBCMT ref: 0000022DA545219E
free.LIBCMT ref: 0000022DA54521D4
free.LIBCMT ref: 0000022DA5452216

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$Device_errno$AllocDriverDriversEnumFileHeapName_callnewhmalloc
String ID:
API String ID: 3108112982-0
Opcode ID: d504a8a62a2027359cf706817d8d54aa5907b951b5ee076855b953ebce2ab0e2
Instruction ID: d8186073aab714862979935b506a38893e5b82d5f0be06653d52108dcd502a62
Opcode Fuzzy Hash: d504a8a62a2027359cf706817d8d54aa5907b951b5ee076855b953ebce2ab0e2
Instruction Fuzzy Hash: C941A4B6604BC592EB749B92E8587AE63A0F785FC4F404026DF8E63B45DFB8C545C704

Function 0000022DA383192C Relevance: 7.9, Strings: 5, Instructions: 1636COMMONLIBRARYCODE

Download Yara Rule

Strings

invalid block type, xrefs: 0000022DA3831DDB
invalid bit length repeat, xrefs: 0000022DA3833033
invalid stored block lengths, xrefs: 0000022DA3831FC7
too many length or distance symbols, xrefs: 0000022DA38326A2
, xrefs: 0000022DA3831E92

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID:
String ID: $invalid bit length repeat$invalid block type$invalid stored block lengths$too many length or distance symbols
API String ID: 0-348607807
Opcode ID: 104f780cfa68167cb1bcc1de536b4380374a6ca759010339654cf3f2fb83958a
Instruction ID: df6302a9bb0d88ac9b27c420960cd511aee015f2381a35a3ae73a483f2b5656c
Opcode Fuzzy Hash: 104f780cfa68167cb1bcc1de536b4380374a6ca759010339654cf3f2fb83958a
Instruction Fuzzy Hash: 64138F76209B848ACBA5CF5AE49469EB7B1F3CDB90F104116EB8D87B69CB79D450CF00

Function 0000022DA54463B0 Relevance: 7.8, APIs: 2, Strings: 3, Instructions: 254COMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA546D328: _errno.LIBCMT ref: 0000022DA546D33F
Part of subcall function 0000022DA546D328: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546D34A

wcsstr.LIBCMT ref: 0000022DA544663D
wcsstr.LIBCMT ref: 0000022DA5446689

Strings

mapi:, xrefs: 0000022DA5446665
file:, xrefs: 0000022DA54466BE
iehistory:, xrefs: 0000022DA5446619

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: wcsstr$_errno_invalid_parameter_noinfo
String ID: file:$iehistory:$mapi:
API String ID: 409387605-1942739989
Opcode ID: e07818d66d1e176b373274aeefc80d9bcbcd8c0a3e8d64927c6b6bbd6033ad03
Instruction ID: 6c2317e0b914023602aecaa938a4fc4a6e010353c6f9d30c742bf64254d200d3
Opcode Fuzzy Hash: e07818d66d1e176b373274aeefc80d9bcbcd8c0a3e8d64927c6b6bbd6033ad03
Instruction Fuzzy Hash: 20C17C32600B8196EB20CFA5E898BDD37B5F788B98F504116DB8D67B99DFB8C245C740

Function 0000022DA5451920 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 96timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 0000022DA54519A7
GetLocalTime.KERNEL32 ref: 0000022DA54519B4
_snwprintf_s.LIBCMT ref: 0000022DA5451A78

Part of subcall function 0000022DA546B8CC: _vsnprintf_s_l.LIBCMT ref: 0000022DA546B8E4

Strings

%d-%02d-%02d %02d:%02d:%02d.%d %S (UTC%s%d), xrefs: 0000022DA5451A61

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Time$InformationLocalZone_snwprintf_s_vsnprintf_s_l
String ID: %d-%02d-%02d %02d:%02d:%02d.%d %S (UTC%s%d)
API String ID: 3645815937-3952767286
Opcode ID: 654a11ebd5ada6235566ecadae292fb6f78affb3b0deb05a139ff6c98ee96027
Instruction ID: ca4bced4103ec9d524a9f92207b325126618797ec8794a06bc781d9cba7d8876
Opcode Fuzzy Hash: 654a11ebd5ada6235566ecadae292fb6f78affb3b0deb05a139ff6c98ee96027
Instruction Fuzzy Hash: C8417A72618791D6D760CF66E88479AB7E1F3C8B80F508126EB8993B28EB7CC145CF40

Function 0000022DA3819AE4 Relevance: 6.1, APIs: 4, Instructions: 75injectionmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32 ref: 0000022DA3819B55
WriteProcessMemory.KERNEL32 ref: 0000022DA3819B74
VirtualProtectEx.KERNEL32 ref: 0000022DA3819B95
CreateRemoteThread.KERNEL32 ref: 0000022DA3819BC9

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Virtual$AllocCreateMemoryProcessProtectRemoteThreadWrite
String ID:
API String ID: 1113946311-0
Opcode ID: 10fc5e7f6a62509194f4a45e3198c350bea98cae6c4cdc58543ba5fcaf41585d
Instruction ID: d60483df099f65e0b73d1756889a6828079acf60a3212fb2204446e7da2ae8f9
Opcode Fuzzy Hash: 10fc5e7f6a62509194f4a45e3198c350bea98cae6c4cdc58543ba5fcaf41585d
Instruction Fuzzy Hash: 98216D71305B9092EBA4CB66A588F5AB6EAB748FC4F044129DE4C4BB94DF39C501CB40

Function 0000022DA54B6560 Relevance: 6.1, APIs: 4, Instructions: 73injectionmemorythreadCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,0000022DA54B61BA), ref: 0000022DA54B65D2
WriteProcessMemory.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,0000022DA54B61BA), ref: 0000022DA54B65F1
VirtualProtectEx.KERNEL32(?,?,?,?,?,?,00000000,00000000,00000000,0000022DA54B61BA), ref: 0000022DA54B6612
CreateRemoteThread.KERNEL32 ref: 0000022DA54B6646

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: Virtual$AllocCreateMemoryProcessProtectRemoteThreadWrite
String ID:
API String ID: 1113946311-0
Opcode ID: f180c3a5bfa9a6539c27fc80602833a55acc816ec66a3861d6d02ed0e1206d69
Instruction ID: b26d3db292e8e7c21b16b2e08542735251b79927ee4e41e9ba47b429589746d3
Opcode Fuzzy Hash: f180c3a5bfa9a6539c27fc80602833a55acc816ec66a3861d6d02ed0e1206d69
Instruction Fuzzy Hash: 33217A72705B8596EF24CF56A949B2AB6A6B798FC0F044128EE9D63B58DF78C1058B00

Function 0000022DA5455A19 Relevance: 6.1, APIs: 4, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 7f0aa0525b7165fcf24d7e54f4ea9c602ba1047d22edecf0a50cb36d09ecbbb1
Instruction ID: 93528e73f19d5f224a59386290ffa7f45ecffd53e0f9d0c46827604c60a8fe1d
Opcode Fuzzy Hash: 7f0aa0525b7165fcf24d7e54f4ea9c602ba1047d22edecf0a50cb36d09ecbbb1
Instruction Fuzzy Hash: B431A336605F8486DBA08F69F48074E77A4F388BA8F104126DF8D93B68EF78C494CB50

Function 0000022DA5444790 Relevance: 6.1, APIs: 4, Instructions: 64encryptionCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA5444D37
CryptAcquireContextA.ADVAPI32 ref: 0000022DA5444D5C
GetLastError.KERNEL32 ref: 0000022DA5444D66
CryptDestroyHash.ADVAPI32 ref: 0000022DA5444E99
CryptReleaseContext.ADVAPI32 ref: 0000022DA5444EAB
fclose.LIBCMT ref: 0000022DA5444EBB

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Crypt$ContextErrorLast$AcquireDestroyHashReleasefclose
String ID:
API String ID: 1196782254-0
Opcode ID: ba31048e0eb4758c6aed36fa7f82a9920077cb3a0fd7453b809e904b5d87fb5a
Instruction ID: 626c540ce81f69b04df7c7742f25c1098dd7d27ce0f7866b945aee595db0999f
Opcode Fuzzy Hash: ba31048e0eb4758c6aed36fa7f82a9920077cb3a0fd7453b809e904b5d87fb5a
Instruction Fuzzy Hash: 9E21B076B15B80A2EB50DBA2F858F6A63B4F788BC0F148422EE4A63B54CF78C445C740

Function 0000022DA381A844 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,0000022DA381A8ED,?,?,?,?,0000022DA383A37E), ref: 0000022DA381A85D
SetUnhandledExceptionFilter.KERNEL32(?,?,?,0000022DA381A8ED,?,?,?,?,0000022DA383A37E), ref: 0000022DA381A891
ExitProcess.KERNEL32 ref: 0000022DA381A8A6

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ExceptionExitFilterHandleModuleProcessUnhandled
String ID:
API String ID: 3470424200-0
Opcode ID: 04bb9a9e3b9a2e4ce43640a4552fad1b4fdee3d981589b498bcc59f910ae51c4
Instruction ID: 04d28dcef6fb7ec5f83d3356e079f1ec18d13d81ec8bb7e87c660f59a24f4475
Opcode Fuzzy Hash: 04bb9a9e3b9a2e4ce43640a4552fad1b4fdee3d981589b498bcc59f910ae51c4
Instruction Fuzzy Hash: FEF01231210B40A7EBE45FB5E84DB29B3A2EB48B59F584129D5174D6D1CE3DC899C600

Function 0000022DA37E0D2C Relevance: 5.4, Strings: 3, Instructions: 1636COMMONLIBRARYCODE

Download Yara Rule

Strings

e for thread data, xrefs: 0000022DA37E11DB
, xrefs: 0000022DA37E1292
7- unexpected multithread lock error, xrefs: 0000022DA37E1AA2

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID:
String ID: $7- unexpected multithread lock error$e for thread data
API String ID: 0-529867808
Opcode ID: 9d2ad555cd603ddca3ecd389cd5f4e4cb62492b3c5034ddcfdbf1e8a62fbb2d6
Instruction ID: b1e332dce555bcb772479a3b0a20d98950fa849e7266e39dba087e71aa4ae9d7
Opcode Fuzzy Hash: 9d2ad555cd603ddca3ecd389cd5f4e4cb62492b3c5034ddcfdbf1e8a62fbb2d6
Instruction Fuzzy Hash: 51136176219B848ADBA1CF5AE49469AB7B1F3CDB90F104116EBCD87B69CB39D450CF00

Function 0000022DA381B4A4 Relevance: 4.5, APIs: 3, Instructions: 43encryptionCOMMONLIBRARYCODE

Download Yara Rule

APIs

CryptDestroyKey.ADVAPI32 ref: 0000022DA381B4F7
CryptReleaseContext.ADVAPI32 ref: 0000022DA381B526
free.LIBCMT ref: 0000022DA381B53E

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Crypt$ContextDestroyReleasefree
String ID:
API String ID: 290532017-0
Opcode ID: 6ff03d77cfd066ed519229047be80712f78816b05eed70fb051c2aa62c719004
Instruction ID: e6be2c00304d9592d7095b73d71fa679fb0b060319fac6b42cfcdfb4bc1045fd
Opcode Fuzzy Hash: 6ff03d77cfd066ed519229047be80712f78816b05eed70fb051c2aa62c719004
Instruction Fuzzy Hash: C711EC32304B8993EB918B7AE45876A67F1F785B84F958071DA8D8B7A4DF39C844C700

Function 00007FF6EF7120C0 Relevance: 4.3, APIs: 3, Instructions: 517COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140 ref: 00007FF6EF712158
memcmp.VCRUNTIME140 ref: 00007FF6EF7121B8
memcmp.VCRUNTIME140 ref: 00007FF6EF7121E2

Part of subcall function 00007FF6EF723C20: memcmp.VCRUNTIME140 ref: 00007FF6EF723C9F

Memory Dump Source

Source File: 00000000.00000002.3274803182.00007FF6EF711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF710000, based on PE: true

Associated: 00000000.00000002.3274791073.00007FF6EF710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274835833.00007FF6EF730000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274847356.00007FF6EF731000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef710000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: memcmp
String ID:
API String ID: 1475443563-0
Opcode ID: a4e983365a81458328f3ce7d7dcbab1586c46f81c81de4a894f68fbaebfab3c5
Instruction ID: c0ab43f9cca60303c618096d22209d5e69eb32d585d5e544526c5f0829d96463
Opcode Fuzzy Hash: a4e983365a81458328f3ce7d7dcbab1586c46f81c81de4a894f68fbaebfab3c5
Instruction Fuzzy Hash: AC22366BE1869246FF118B64E421BF83751FB25788F440232DE4D93685EF3AD56DC309

Function 0000022DA54511D0 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

ClearEventLogA.ADVAPI32 ref: 0000022DA545121A
GetLastError.KERNEL32 ref: 0000022DA5451224

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ClearErrorEventLast
String ID:
API String ID: 1161489092-0
Opcode ID: bc87423c1e615ec629d484a1e8730e392066b762436ac5920715abdb538678a8
Instruction ID: 475783aaa7bdcd971b2550bb8ae458eaa75497cad09eaa23563593366b23997f
Opcode Fuzzy Hash: bc87423c1e615ec629d484a1e8730e392066b762436ac5920715abdb538678a8
Instruction Fuzzy Hash: 4E013676B04B81D2E7449BA3B84866A67A1F7CDFD0F598036DE4A97714DE78C4418740

Function 0000022DA5445940 Relevance: 3.0, APIs: 2, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32 ref: 0000022DA5445951
FindClose.KERNEL32 ref: 0000022DA544596B

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 5078d417909506b462a0303eb0cde5053897394b9c6e5a927d1f1f97af5c8271
Instruction ID: 47590bdc268c5850f3e17bfa7fa29326d17449bebbcaef259ece86e5ec271efb
Opcode Fuzzy Hash: 5078d417909506b462a0303eb0cde5053897394b9c6e5a927d1f1f97af5c8271
Instruction Fuzzy Hash: 72F0C476A16A00CACB60CF65F444749B3E0F348B64F048222EAAC977A8DA7CC9958F00

Function 0000022DA54B2E39 Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

RpcBindingFree.RPCRT4 ref: 0000022DA54B2E58
free.LIBCMT ref: 0000022DA54B2E66

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: BindingFreefree
String ID:
API String ID: 1700084352-0
Opcode ID: ab010c7b038e844a9bb1cbf83f90ef87de35ddfd70f28d8fe2da2bd55d7067ec
Instruction ID: 253f4b6c855d48e73506c9075ce98a72ad9bb7932425fe334e9181d358511bfc
Opcode Fuzzy Hash: ab010c7b038e844a9bb1cbf83f90ef87de35ddfd70f28d8fe2da2bd55d7067ec
Instruction Fuzzy Hash: FCE09233B15A4092DA66DA46B404A9A77A1F389BB0F564712DE79633D8CB7BC8C38700

Function 0000022DA381A140 Relevance: 1.9, APIs: 1, Instructions: 449COMMON

Download Yara Rule

APIs

__CxxFrameHandler2.LIBCMTD ref: 0000022DA381A76F

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: FrameHandler2
String ID:
API String ID: 438124390-0
Opcode ID: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
Instruction ID: 9862e5518f027f2be4f72bf3b12bf826962d46635396dfe82feb2dee997e9001
Opcode Fuzzy Hash: 6263d641ec332dac5ed4f08b61926634c6d686e0cac3bee97d0370188f5a9ba6
Instruction Fuzzy Hash: 35126876601B40DBEB94CFB8D554BAD73E6FB04788F10412ADE4E5BB98EA38D925C700

Function 0000022DA54B5260 Relevance: 1.9, APIs: 1, Instructions: 437COMMON

Download Yara Rule

APIs

__CxxFrameHandler2.LIBCMTD ref: 0000022DA54B588F

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: FrameHandler2
String ID:
API String ID: 438124390-0
Opcode ID: b5c240681e955b447fc7bf8eb3891979a2d5aef16a8a76cb7df7e38ace001278
Instruction ID: 28f14342c3e4178f245fea66626741e4b46885812d69b571b608ac4123ffd97b
Opcode Fuzzy Hash: b5c240681e955b447fc7bf8eb3891979a2d5aef16a8a76cb7df7e38ace001278
Instruction Fuzzy Hash: 0D129972B01B44DAEF608FA8E484BEDB3E5FB24758F414125EE4D67B88EA78D415C700

Function 0000022DA5443A80 Relevance: 1.9, APIs: 1, Instructions: 437COMMON

Download Yara Rule

APIs

__CxxFrameHandler2.LIBCMTD ref: 0000022DA54440AF

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: FrameHandler2
String ID:
API String ID: 438124390-0
Opcode ID: ded8129a0231a52b6a97d285332cd3f418e03d10df9e10029fc08a36bafa33fb
Instruction ID: 747543336c72e4faf2d5780911719bc43feb3b884140885fb21ef77f92a9cfa7
Opcode Fuzzy Hash: ded8129a0231a52b6a97d285332cd3f418e03d10df9e10029fc08a36bafa33fb
Instruction Fuzzy Hash: 51128672B52A44DBEB648FA8E044BAD37F5FB04B98F508129EE4D63B88DB78D455C700

Function 0000022DA54B3940 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

RpcBindingFree.RPCRT4 ref: 0000022DA54B394E

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: BindingFree
String ID:
API String ID: 3284907940-0
Opcode ID: acae53e96e9fc6aa31ab52ecb856e4557d2507c7944642ca7054feea372b1f09
Instruction ID: 8efd7c1231d20108e5e4a2f7919ba298f69210d41bb44ce1648154b7fa0aaf07
Opcode Fuzzy Hash: acae53e96e9fc6aa31ab52ecb856e4557d2507c7944642ca7054feea372b1f09
Instruction Fuzzy Hash: 38B09271A25A80D2CE08EB21E8890196AB0FBD8345FC00864E38A00524CB68C2BA8B04

Function 00007FF6EF723520 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3274803182.00007FF6EF711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF710000, based on PE: true

Associated: 00000000.00000002.3274791073.00007FF6EF710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274835833.00007FF6EF730000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274847356.00007FF6EF731000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef710000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 461ec9fc4d410250812c0571ea337f80e8d0d0decb9976798a79d3b32e64ecf4
Instruction ID: 9e5000b8b36989423eeabb20d160457efffb429780e98cb62451c7997c31974b
Opcode Fuzzy Hash: 461ec9fc4d410250812c0571ea337f80e8d0d0decb9976798a79d3b32e64ecf4
Instruction Fuzzy Hash: D8E149DBF29B9602FB63433964027B457106FA77E4A00D336FDA9B2BD1DF36A2525204

Function 0000022DA545DC10 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05ddf091599fe59af156422c0051f0a862566041c5438f42047b1c2a13c0bca8
Instruction ID: 707d0dac03495e01c9792102043491326543a20012ec9068239fb86fc0ecb62c
Opcode Fuzzy Hash: 05ddf091599fe59af156422c0051f0a862566041c5438f42047b1c2a13c0bca8
Instruction Fuzzy Hash: 45E1CCB3A04B80D6C720CF56E448B9EB7A5F789B94F468126DF8E53B58DB79C841CB00

Function 0000022DA5452600 Relevance: 57.9, APIs: 6, Strings: 27, Instructions: 164libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA5452630
GetLastError.KERNEL32 ref: 0000022DA545263B
GetProcAddress.KERNEL32 ref: 0000022DA545265C
GetLastError.KERNEL32 ref: 0000022DA545266A

Strings

Windows XP, xrefs: 0000022DA5452754
Windows Server 2016, xrefs: 0000022DA54527E9
Windows 11, xrefs: 0000022DA5452814
Unknown, xrefs: 0000022DA545282C
Windows Server 2012 R2, xrefs: 0000022DA54527C7
Windows 2000, xrefs: 0000022DA545273C
Windows Server 2003, xrefs: 0000022DA5452769
ntdll, xrefs: 0000022DA5452629
%s (%u.%u Build %u)., xrefs: 0000022DA545288F
Windows Server 2022, xrefs: 0000022DA5452804
Windows Server 2008 R2, xrefs: 0000022DA545279D
Windows ME, xrefs: 0000022DA5452727
Windows Server 2019, xrefs: 0000022DA54527FB
Windows 10, xrefs: 0000022DA54527D9
Windows NT 4.0, xrefs: 0000022DA5452701
Windows 95, xrefs: 0000022DA54526EC
Windows 7, xrefs: 0000022DA5452796
Windows NT 3.51, xrefs: 0000022DA54526CE
Windows 98, xrefs: 0000022DA5452712
%s (%u.%u Build %u, %S)., xrefs: 0000022DA5452867
Windows Server 2000, xrefs: 0000022DA5452743
Windows 8, xrefs: 0000022DA54527AB
Windows Server 2008, xrefs: 0000022DA5452785
Windows Server 2012, xrefs: 0000022DA54527B2
RtlGetVersion, xrefs: 0000022DA545264A
Windows 8.1, xrefs: 0000022DA54527C0
Windows Vista, xrefs: 0000022DA545277E

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$AddressHandleModuleProc
String ID: %s (%u.%u Build %u).$%s (%u.%u Build %u, %S).$RtlGetVersion$Unknown$Windows 10$Windows 11$Windows 2000$Windows 7$Windows 8$Windows 8.1$Windows 95$Windows 98$Windows ME$Windows NT 3.51$Windows NT 4.0$Windows Server 2000$Windows Server 2003$Windows Server 2008$Windows Server 2008 R2$Windows Server 2012$Windows Server 2012 R2$Windows Server 2016$Windows Server 2019$Windows Server 2022$Windows Vista$Windows XP$ntdll
API String ID: 1762409328-4127402629
Opcode ID: 0151111945498b98d08db5d7b1454304525adc47465ab9f356180115c2e38bd6
Instruction ID: 07a93e651714c87f5c634a9eb7431b6c90aa076f9d7e2eaba1fe951ba6f61899
Opcode Fuzzy Hash: 0151111945498b98d08db5d7b1454304525adc47465ab9f356180115c2e38bd6
Instruction Fuzzy Hash: 15713931E0C945B2FA74CBE4E848FAA73A0F7A4350F944253F95A629D4DBF8CA49C740

Function 0000022DA54B3F10 Relevance: 43.9, APIs: 21, Strings: 4, Instructions: 179libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA54B3F83
GetProcAddress.KERNEL32 ref: 0000022DA54B3F9C
rand.LIBCMT ref: 0000022DA54B3FEC
rand.LIBCMT ref: 0000022DA54B3FF6
rand.LIBCMT ref: 0000022DA54B3FFF
rand.LIBCMT ref: 0000022DA54B4009
_snwprintf_s.LIBCMT ref: 0000022DA54B402D
_snwprintf_s.LIBCMT ref: 0000022DA54B4050
CreateSemaphoreA.KERNEL32 ref: 0000022DA54B4060
WaitForSingleObject.KERNEL32 ref: 0000022DA54B40E3
CloseHandle.KERNEL32 ref: 0000022DA54B41FB
SetLastError.KERNEL32 ref: 0000022DA54B4221
GetLastError.KERNEL32 ref: 0000022DA54B4227

Strings

ntdll, xrefs: 0000022DA54B3F7C
\\localhost\pipe\%08x%08x, xrefs: 0000022DA54B4037
\\.\pipe\%08x%08x, xrefs: 0000022DA54B4015
RtlGetVersion, xrefs: 0000022DA54B3F92

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: rand$ErrorHandleLast_snwprintf_s$AddressCloseCreateModuleObjectProcSemaphoreSingleWait
String ID: RtlGetVersion$\\.\pipe\%08x%08x$\\localhost\pipe\%08x%08x$ntdll
API String ID: 415526046-3272578444
Opcode ID: aaa228892d250201629ea1070e6068b62cf8dab70cf740a9fd360d5385ea744d
Instruction ID: 6a1712879e47d8ffa65f26468b2b778957da67ae4525c2681c214aab50f5ecfc
Opcode Fuzzy Hash: aaa228892d250201629ea1070e6068b62cf8dab70cf740a9fd360d5385ea744d
Instruction Fuzzy Hash: 65818132A04A80A7FF24DFA6E84CF9D73A1F784B98F054115DA4A57B98DFB8CA45C700

Function 0000022DA54589D0 Relevance: 43.8, APIs: 6, Strings: 19, Instructions: 89COMMON

Download Yara Rule

APIs

wprintf.LIBCMT ref: 0000022DA5458ACA

Part of subcall function 0000022DA546D96C: _errno.LIBCMT ref: 0000022DA546D991
Part of subcall function 0000022DA546D96C: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546D99C

wprintf.LIBCMT ref: 0000022DA5458AE9

Part of subcall function 0000022DA546D96C: _stbuf.LIBCMT ref: 0000022DA546D9C8
Part of subcall function 0000022DA546D96C: _output_s_l.LIBCMT ref: 0000022DA546D9E3
Part of subcall function 0000022DA546D96C: _ftbuf.LIBCMT ref: 0000022DA546D9F5

wprintf.LIBCMT ref: 0000022DA5458AF7
wprintf.LIBCMT ref: 0000022DA5458B1A
wprintf.LIBCMT ref: 0000022DA5458B32
wprintf.LIBCMT ref: 0000022DA5458B3E

Strings

DIGIT, xrefs: 0000022DA5458A59
INV_CHAR_CLASS, xrefs: 0000022DA5458A4E
'%c', xrefs: 0000022DA5458AE2
ALPHA, xrefs: 0000022DA5458A6F
UNUSED, xrefs: 0000022DA54589E3
WHITESPACE, xrefs: 0000022DA5458A85
BEGIN, xrefs: 0000022DA5458A00
PLUS, xrefs: 0000022DA5458A2D
NOT_DIGIT, xrefs: 0000022DA5458A64
NOT_ALPHA, xrefs: 0000022DA5458A7A
STAR, xrefs: 0000022DA5458A22
BRANCH, xrefs: 0000022DA5458A9B
type: %s, xrefs: 0000022DA5458ABE
END, xrefs: 0000022DA5458A0C
DOT, xrefs: 0000022DA54589F4
NOT_WHITESPACE, xrefs: 0000022DA5458A90
CHAR, xrefs: 0000022DA5458A38
CHAR_CLASS, xrefs: 0000022DA5458A43
QUESTIONMARK, xrefs: 0000022DA5458A17

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: wprintf$_errno_ftbuf_invalid_parameter_noinfo_output_s_l_stbuf
String ID: '%c'$ALPHA$BEGIN$BRANCH$CHAR$CHAR_CLASS$DIGIT$DOT$END$INV_CHAR_CLASS$NOT_ALPHA$NOT_DIGIT$NOT_WHITESPACE$PLUS$QUESTIONMARK$STAR$UNUSED$WHITESPACE$type: %s
API String ID: 1178621126-2416194042
Opcode ID: 70e0f48b91672c48a44a903a3214981750684f9985e2e9cc8147a8c3077010bc
Instruction ID: c32d9cf6f7189c6c8343f911574d261c70506cca54de0dedffeb372aacc54584
Opcode Fuzzy Hash: 70e0f48b91672c48a44a903a3214981750684f9985e2e9cc8147a8c3077010bc
Instruction Fuzzy Hash: 89412B36A08F50B4EB11DB90E48CBA933E9F714340F9502B6EA9D23761EFB9C959C344

Function 0000022DA54B2790 Relevance: 42.3, APIs: 20, Strings: 4, Instructions: 261filesleepCOMMON

Download Yara Rule

APIs

GetTempPathA.KERNEL32 ref: 0000022DA54B28AA
GetLastError.KERNEL32 ref: 0000022DA54B28B4
_snwprintf_s.LIBCMT ref: 0000022DA54B290F
_snwprintf_s.LIBCMT ref: 0000022DA54B2939
_snwprintf_s.LIBCMT ref: 0000022DA54B2959
CreateFileA.KERNEL32 ref: 0000022DA54B2983
GetLastError.KERNEL32 ref: 0000022DA54B2991
DeleteFileA.KERNEL32 ref: 0000022DA54B2BC7
Sleep.KERNEL32 ref: 0000022DA54B2BD6
CloseHandle.KERNEL32 ref: 0000022DA54B2C0D

Strings

rundll32.exe %s,a /p:%s, xrefs: 0000022DA54B291E
\\.\pipe\%s, xrefs: 0000022DA54B2943
%s\%s.dll, xrefs: 0000022DA54B2908
%s%s.dll, xrefs: 0000022DA54B28FA

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: _snwprintf_s$ErrorFileLast$CloseCreateDeleteHandlePathSleepTemp
String ID: %s%s.dll$%s\%s.dll$\\.\pipe\%s$rundll32.exe %s,a /p:%s
API String ID: 4190469582-3794227474
Opcode ID: ad4a13f5fedbb658d10b85932f0655b8b941d26370f3b824bcba0aa0f6ad3ea0
Instruction ID: a55439097b23e9cd5fce998b1a83f70f3a34b6027c65777fb6cd38e27e38db72
Opcode Fuzzy Hash: ad4a13f5fedbb658d10b85932f0655b8b941d26370f3b824bcba0aa0f6ad3ea0
Instruction Fuzzy Hash: 6BC1C532B08B81A6EF25DF65D848BED77B4F784B84F454125EA5A27794DFB8C245C300

Function 0000022DA544DE40 Relevance: 40.5, APIs: 16, Strings: 7, Instructions: 218libraryloaderCOMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000022DA544DE94
LoadLibraryA.KERNEL32 ref: 0000022DA544DEBD
GetProcAddress.KERNEL32 ref: 0000022DA544DEE1
LoadLibraryA.KERNEL32 ref: 0000022DA544DF1D
GetProcAddress.KERNEL32 ref: 0000022DA544DF42
FreeLibrary.KERNEL32 ref: 0000022DA544DF74
GetProcAddress.KERNEL32 ref: 0000022DA544DF9D
FreeLibrary.KERNEL32 ref: 0000022DA544DFD4
FreeLibrary.KERNEL32 ref: 0000022DA544DFEA
CloseHandle.KERNEL32 ref: 0000022DA544DFF3
LoadLibraryA.KERNEL32 ref: 0000022DA544E08E
GetProcAddress.KERNEL32 ref: 0000022DA544E0AA
ReadProcessMemory.KERNEL32 ref: 0000022DA544E102
ReadProcessMemory.KERNEL32 ref: 0000022DA544E134
ReadProcessMemory.KERNEL32 ref: 0000022DA544E15E
wcsncpy.LIBCMT ref: 0000022DA544E1A0

Strings

GetModuleFileNameExW, xrefs: 0000022DA544DED7
QueryFullProcessImageNameW, xrefs: 0000022DA544DF38
GetProcessImageFileNameW, xrefs: 0000022DA544DF93
ntdll, xrefs: 0000022DA544E087
psapi, xrefs: 0000022DA544DEA6
NtQueryInformationProcess, xrefs: 0000022DA544E0A0
kernel32, xrefs: 0000022DA544DF0E

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Library$AddressProcProcess$FreeLoadMemoryRead$CloseHandleOpenwcsncpy
String ID: GetModuleFileNameExW$GetProcessImageFileNameW$NtQueryInformationProcess$QueryFullProcessImageNameW$kernel32$ntdll$psapi
API String ID: 3331711018-385265775
Opcode ID: d14fca57e017bcff5754da344d94518dfb53903ded2bd8d019f699870b97544b
Instruction ID: 46ec43fed65d7d1e2d19ca406fb624bf282632de7d451aee4f8e1b0128006440
Opcode Fuzzy Hash: d14fca57e017bcff5754da344d94518dfb53903ded2bd8d019f699870b97544b
Instruction Fuzzy Hash: 1B91B471B05B80A2FB79CB92B848F6AA3E5BB88BC0F445015DD4967B98EFBCC555C700

Function 0000022DA54B3AE0 Relevance: 40.4, APIs: 20, Strings: 3, Instructions: 170threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000022DA54B3B1B

Part of subcall function 0000022DA54B3980: GetCurrentProcess.KERNEL32 ref: 0000022DA54B399F
Part of subcall function 0000022DA54B3980: OpenProcessToken.ADVAPI32 ref: 0000022DA54B39B2
Part of subcall function 0000022DA54B3980: GetLastError.KERNEL32 ref: 0000022DA54B39BC
Part of subcall function 0000022DA54B3980: CloseHandle.KERNEL32 ref: 0000022DA54B3AC0

GetModuleHandleA.KERNEL32 ref: 0000022DA54B3B4E
GetLastError.KERNEL32 ref: 0000022DA54B3B59

Strings

ntdll, xrefs: 0000022DA54B3B47
NtQueryInformationProcess, xrefs: 0000022DA54B3B64
8, xrefs: 0000022DA54B3B10

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: CurrentErrorHandleLastProcess$CloseModuleOpenThreadToken
String ID: 8$NtQueryInformationProcess$ntdll
API String ID: 580099508-531102638
Opcode ID: d88a44817dd1c3a5c2ace7d6417cfea9a23e0f4190742bb8ea4b2fa078c91fb9
Instruction ID: bd2e3af5202c854a16ca747fa684638b80996fecd8eddb9afac300b874440bc3
Opcode Fuzzy Hash: d88a44817dd1c3a5c2ace7d6417cfea9a23e0f4190742bb8ea4b2fa078c91fb9
Instruction Fuzzy Hash: 68719E32A04B81A7EF259B96F84CB6EA3B4F788B94F154425DE4A67754EFB8C844C700

Function 0000022DA54B2F90 Relevance: 38.7, APIs: 16, Strings: 6, Instructions: 228sleeplibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA54B2FFB
GetProcAddress.KERNEL32 ref: 0000022DA54B3010
SetLastError.KERNEL32 ref: 0000022DA54B3032
GetLastError.KERNEL32 ref: 0000022DA54B3038
GetLastError.KERNEL32 ref: 0000022DA54B307A
rand.LIBCMT ref: 0000022DA54B31C7
rand.LIBCMT ref: 0000022DA54B31D1
rand.LIBCMT ref: 0000022DA54B31DA
rand.LIBCMT ref: 0000022DA54B31E4
_snwprintf_s.LIBCMT ref: 0000022DA54B3208
_snwprintf_s.LIBCMT ref: 0000022DA54B322E
CreateSemaphoreA.KERNEL32 ref: 0000022DA54B323E
WaitForSingleObject.KERNEL32 ref: 0000022DA54B32C1
Sleep.KERNEL32 ref: 0000022DA54B32DC

Part of subcall function 0000022DA54B2D30: malloc.LIBCMT ref: 0000022DA54B2D66
Part of subcall function 0000022DA54B2D30: RpcBindingFree.RPCRT4 ref: 0000022DA54B2E58
Part of subcall function 0000022DA54B2D30: free.LIBCMT ref: 0000022DA54B2E66

GetExitCodeThread.KERNEL32 ref: 0000022DA54B3321
CloseHandle.KERNEL32 ref: 0000022DA54B337C

Strings

ntdll, xrefs: 0000022DA54B2FF4
\\.\pipe\%08x%08x\pipe\srvsvc, xrefs: 0000022DA54B31F0
%08x%08x, xrefs: 0000022DA54B320D
\\.\pipe\efsrpc, xrefs: 0000022DA54B30B0, 0000022DA54B3158
RtlGetVersion, xrefs: 0000022DA54B3006
\\.\pipe\lsarpc, xrefs: 0000022DA54B3066, 0000022DA54B309C, 0000022DA54B3178

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: rand$ErrorLast$Handle_snwprintf_s$AddressBindingCloseCodeCreateExitFreeModuleObjectProcSemaphoreSingleSleepThreadWaitfreemalloc
String ID: %08x%08x$RtlGetVersion$\\.\pipe\%08x%08x\pipe\srvsvc$\\.\pipe\efsrpc$\\.\pipe\lsarpc$ntdll
API String ID: 3287662087-908824396
Opcode ID: 98427c97204027ab354b9afd121be21940c96da9cbced9af84c5c453467e33db
Instruction ID: b242d257e099612b561793aea2f945aee1521706fba9cb776fbcd10955518403
Opcode Fuzzy Hash: 98427c97204027ab354b9afd121be21940c96da9cbced9af84c5c453467e33db
Instruction Fuzzy Hash: B8B17032A04681E6FF65DFE6E848F9E33B4FB84784F450425DA09A7698EFB8C545C700

Function 0000022DA54B3550 Relevance: 35.2, APIs: 15, Strings: 5, Instructions: 153libraryloadersynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA54B2CE0: CreateFileW.KERNEL32 ref: 0000022DA54B2D09

GetModuleHandleA.KERNEL32 ref: 0000022DA54B35CF
GetProcAddress.KERNEL32 ref: 0000022DA54B35E8
rand.LIBCMT ref: 0000022DA54B3638
rand.LIBCMT ref: 0000022DA54B3642
rand.LIBCMT ref: 0000022DA54B364B
rand.LIBCMT ref: 0000022DA54B3655
_snwprintf_s.LIBCMT ref: 0000022DA54B3679
_snwprintf_s.LIBCMT ref: 0000022DA54B369F
CreateSemaphoreA.KERNEL32 ref: 0000022DA54B36AF
WaitForSingleObject.KERNEL32 ref: 0000022DA54B3737
CloseHandle.KERNEL32 ref: 0000022DA54B37C2
SetLastError.KERNEL32 ref: 0000022DA54B37E7
GetLastError.KERNEL32 ref: 0000022DA54B37ED

Strings

ntdll, xrefs: 0000022DA54B35C8
\\.\pipe\%08x%08x\pipe\spoolss, xrefs: 0000022DA54B3661
\\.\pipe\spoolss, xrefs: 0000022DA54B35B4
%08x%08x, xrefs: 0000022DA54B367E
RtlGetVersion, xrefs: 0000022DA54B35DE

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: rand$CreateErrorHandleLast_snwprintf_s$AddressCloseFileModuleObjectProcSemaphoreSingleWait
String ID: %08x%08x$RtlGetVersion$\\.\pipe\%08x%08x\pipe\spoolss$\\.\pipe\spoolss$ntdll
API String ID: 3964341528-2802406934
Opcode ID: 4a0b83565edc84a9af4bbb254a91e07f0cb79dc73d6188df7e9242fc923f2136
Instruction ID: c64408f5f975fd9a1488b014e8d2928e034b197e1739d4f8a1b19a6d3c0ebd50
Opcode Fuzzy Hash: 4a0b83565edc84a9af4bbb254a91e07f0cb79dc73d6188df7e9242fc923f2136
Instruction Fuzzy Hash: DB619272A04780ABEF64DFA2E848BDE73A1F785784F454125EA0D57798DFB8C549C700

Function 0000022DA3826654 Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 313COMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA38281F0: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818FD8), ref: 0000022DA382820E

SetLastError.KERNEL32 ref: 0000022DA382671F
GetLastError.KERNEL32 ref: 0000022DA3826AD6
free.LIBCMT ref: 0000022DA3826AF3
free.LIBCMT ref: 0000022DA3826B15

Strings

PACKET RECEIVE, xrefs: 0000022DA38266BD

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLastfree$ObjectSingleWait
String ID: PACKET RECEIVE
API String ID: 142810606-1195290434
Opcode ID: 07f9fef444642629663690db4a4cf7e81b328435c52058d3e77c25889c0c9a4f
Instruction ID: 25a7f78220d9de74accd82735731c84169a66c10bbcdc609e8ba07547bb6363d
Opcode Fuzzy Hash: 07f9fef444642629663690db4a4cf7e81b328435c52058d3e77c25889c0c9a4f
Instruction Fuzzy Hash: 05E11232318A8197EBE09BF5E458B5AB7E1F794784F104125EA9A8BBD4DF7CC844CB01

Function 0000022DA3825D2C Relevance: 33.6, APIs: 17, Strings: 2, Instructions: 302COMMON

Download Yara Rule

APIs

WinHttpOpenRequest.WINHTTP ref: 0000022DA3825DDF
SetLastError.KERNEL32 ref: 0000022DA3825DFD
WinHttpGetIEProxyConfigForCurrentUser.WINHTTP ref: 0000022DA3825E4D
WinHttpGetProxyForUrl.WINHTTP ref: 0000022DA3825F5F
malloc.LIBCMT ref: 0000022DA3825F6E
WinHttpGetProxyForUrl.WINHTTP ref: 0000022DA3826000
malloc.LIBCMT ref: 0000022DA382600F
calloc.LIBCMT ref: 0000022DA3826053
calloc.LIBCMT ref: 0000022DA38260D0
GlobalFree.KERNEL32 ref: 0000022DA3826137
GlobalFree.KERNEL32 ref: 0000022DA382614A
GlobalFree.KERNEL32 ref: 0000022DA382615D
WinHttpSetOption.WINHTTP ref: 0000022DA382619D
WinHttpSetOption.WINHTTP ref: 0000022DA38261F1
WinHttpSetOption.WINHTTP ref: 0000022DA3826240
WinHttpSetOption.WINHTTP ref: 0000022DA382627A
WinHttpSetOption.WINHTTP ref: 0000022DA38262C3

Strings

POST, xrefs: 0000022DA3825D93
GET, xrefs: 0000022DA3825D82

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Http$Option$FreeGlobalProxy$callocmalloc$ConfigCurrentErrorLastOpenRequestUser
String ID: GET$POST
API String ID: 560410134-3192705859
Opcode ID: 8a8d862797690db45a18254d712e114a475a22c00f5285b508c27356ac15cdf8
Instruction ID: 2ebc08431389c3be5d076de6a54b7b13742e53763fef7c550d4dda8af16fda0d
Opcode Fuzzy Hash: 8a8d862797690db45a18254d712e114a475a22c00f5285b508c27356ac15cdf8
Instruction Fuzzy Hash: 5FF14132204BC593EBE08BA5E44879EB7E2F3D4784F404425DA998BBA4DFBDC484CB01

Function 0000022DA5454380 Relevance: 31.6, APIs: 10, Strings: 8, Instructions: 63libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA5454391
LoadLibraryA.KERNEL32 ref: 0000022DA54543A1
LoadLibraryA.KERNEL32 ref: 0000022DA54543B1
GetProcAddress.KERNEL32 ref: 0000022DA54543DC
LoadLibraryA.KERNEL32 ref: 0000022DA54543F5
GetProcAddress.KERNEL32 ref: 0000022DA545440A
GetProcAddress.KERNEL32 ref: 0000022DA5454426
GetProcAddress.KERNEL32 ref: 0000022DA5454442
GetProcAddress.KERNEL32 ref: 0000022DA545445E
FreeLibrary.KERNEL32 ref: 0000022DA5454473

Strings

user32.dll, xrefs: 0000022DA545438A
RegisterRawInputDevices, xrefs: 0000022DA5454457
QueryFullProcessImageNameW, xrefs: 0000022DA54543D2
GetProcessImageFileNameW, xrefs: 0000022DA5454400, 0000022DA545441C
psapi.dll, xrefs: 0000022DA5454397
Psapi.dll, xrefs: 0000022DA54543EE
kernel32.dll, xrefs: 0000022DA54543A7
GetRawInputData, xrefs: 0000022DA5454438

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: AddressLibraryProc$Load$Free
String ID: GetProcessImageFileNameW$GetRawInputData$Psapi.dll$QueryFullProcessImageNameW$RegisterRawInputDevices$kernel32.dll$psapi.dll$user32.dll
API String ID: 3890210519-1542674857
Opcode ID: feb59df147c5473a825ac57dd1b03a0f38ce1f1d4c0bcab3ca1eeeb4ce05e09e
Instruction ID: 8817098ac2948dd48d88080c44f772714c69f190fcea56a79406d82daa3ea01f
Opcode Fuzzy Hash: feb59df147c5473a825ac57dd1b03a0f38ce1f1d4c0bcab3ca1eeeb4ce05e09e
Instruction Fuzzy Hash: EA31F930A96B01B1FE4ADBD5B85CB2823E0BB59B91F482165D94E66360FFBCC449D340

Function 0000022DA544A480 Relevance: 29.9, APIs: 13, Strings: 4, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA544A502
GetLastError.KERNEL32 ref: 0000022DA544A510
GetProcAddress.KERNEL32 ref: 0000022DA544A528
GetLastError.KERNEL32 ref: 0000022DA544A536
free.LIBCMT ref: 0000022DA544A639
FreeLibrary.KERNEL32 ref: 0000022DA544A64E
htonl.WS2_32 ref: 0000022DA544A6F1

Strings

GetModuleFileNameExA, xrefs: 0000022DA544A56C
psapi, xrefs: 0000022DA544A4FB
EnumProcessModules, xrefs: 0000022DA544A51E
GetModuleBaseNameA, xrefs: 0000022DA544A544

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastLibrary$AddressFreeLoadProcfreehtonl
String ID: EnumProcessModules$GetModuleBaseNameA$GetModuleFileNameExA$psapi
API String ID: 2185136653-4146384186
Opcode ID: 8e41393eec22b54ebdf8f4a96deb0b9a42d068d8aa09ecc381645b8c95c28807
Instruction ID: eb86cf51e53aad1182cd1212a4644c5cefcf7fb91b8eac1e181a7ab074ad25cd
Opcode Fuzzy Hash: 8e41393eec22b54ebdf8f4a96deb0b9a42d068d8aa09ecc381645b8c95c28807
Instruction Fuzzy Hash: 3781C332A05BC0A6EB20CFA2E848BAE77B1F789B94F441115DE5A67794DF78C545C700

Function 0000022DA5441C00 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 213libraryloadernetworkCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,00000000,?,?,0000022DA54423E6), ref: 0000022DA5441C16
GetProcAddress.KERNEL32(?,?,?,?,00000000,?,?,0000022DA54423E6), ref: 0000022DA5441C26
malloc.LIBCMT ref: 0000022DA5441C96
htons.WS2_32 ref: 0000022DA5441D11
free.LIBCMT ref: 0000022DA5441DB4
malloc.LIBCMT ref: 0000022DA5441DEA

Part of subcall function 0000022DA5441A40: malloc.LIBCMT ref: 0000022DA5441A85
Part of subcall function 0000022DA5441A40: GetTcpTable.IPHLPAPI ref: 0000022DA5441A9B
Part of subcall function 0000022DA5441A40: htons.WS2_32 ref: 0000022DA5441AF7
Part of subcall function 0000022DA5441A40: free.LIBCMT ref: 0000022DA5441BAF

Strings

iphlpapi, xrefs: 0000022DA5441C0D
tcp, xrefs: 0000022DA5441D65
tcp6, xrefs: 0000022DA5441EBF
GetExtendedTcpTable, xrefs: 0000022DA5441C1C

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: malloc$freehtons$AddressHandleModuleProcTable
String ID: GetExtendedTcpTable$iphlpapi$tcp$tcp6
API String ID: 1620742851-586099951
Opcode ID: 834124a8a1628376525c60df4e2f0e827e7c31c27fc153db30b4627f7263699c
Instruction ID: d5bfdf111f0b0fe35f144c796bfeb2f92dbb5bf565fae90cd61f643a513f4534
Opcode Fuzzy Hash: 834124a8a1628376525c60df4e2f0e827e7c31c27fc153db30b4627f7263699c
Instruction Fuzzy Hash: 8091F7B2B40641EBEB50DF56E448B6D77B0F784B84F405016EA8A67B98EFBCD545CB00

Function 0000022DA3811B28 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 267COMMON

Download Yara Rule

Strings

tcp, xrefs: 0000022DA3811C56
pipe, xrefs: 0000022DA3811CF0
https, xrefs: 0000022DA3811D8A

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: mbstowcs$calloc
String ID: https$pipe$tcp
API String ID: 2743665075-2240554849
Opcode ID: b927788af72f2bef9049b920d0eacd2589477780c399542063a4b0e3c01bf675
Instruction ID: d2f3de28a1f1ac3115cdc26b77407667388658b791f246bddad92dc4f9a0305f
Opcode Fuzzy Hash: b927788af72f2bef9049b920d0eacd2589477780c399542063a4b0e3c01bf675
Instruction Fuzzy Hash: B6D1D776218B8097EBA0DB65E45479AB7E1F7C4784F004126EACD8BBA9DF3CC4458F44

Function 0000022DA54B3DA0 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 106servicethreadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000022DA54B3DAE
OpenSCManagerA.ADVAPI32 ref: 0000022DA54B3DD0
GetLastError.KERNEL32 ref: 0000022DA54B3DDE
OpenServiceA.ADVAPI32 ref: 0000022DA54B3E01
GetLastError.KERNEL32 ref: 0000022DA54B3E0F
CloseServiceHandle.ADVAPI32 ref: 0000022DA54B3E1A

Strings

rpcss, xrefs: 0000022DA54B3DF1

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastOpenService$CloseCurrentHandleManagerThread
String ID: rpcss
API String ID: 3906103551-2843778020
Opcode ID: e67824aa28177f17b6e7246a909f3e9673d1fd038dd90d6da0035193d37c218f
Instruction ID: 1b7e0bb1554f22309b605541e29a52785dd2969b1b471b40b90917d51b8cf475
Opcode Fuzzy Hash: e67824aa28177f17b6e7246a909f3e9673d1fd038dd90d6da0035193d37c218f
Instruction Fuzzy Hash: F9315436B01741A7FB659B97B848BA963A0FBC9BA1F454035CE0A16350EF7DC48AC710

Function 0000022DA5446070 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76librarycomloaderCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(?,?,?,?,0000022DA3853710,0000022DA5445D5B), ref: 0000022DA544609C
LoadLibraryA.KERNEL32(?,?,?,?,0000022DA3853710,0000022DA5445D5B), ref: 0000022DA54460B6
GetLastError.KERNEL32(?,?,?,?,0000022DA3853710,0000022DA5445D5B), ref: 0000022DA54460C5
GetProcAddress.KERNEL32(?,?,?,?,0000022DA3853710,0000022DA5445D5B), ref: 0000022DA54460D7
GetLastError.KERNEL32(?,?,?,?,0000022DA3853710,0000022DA5445D5B), ref: 0000022DA54460E6
CoCreateInstance.OLE32(?,?,?,?,0000022DA3853710,0000022DA5445D5B), ref: 0000022DA5446155

Strings

LocateCatalogsW, xrefs: 0000022DA54460CD
query.dll, xrefs: 0000022DA54460AA
CITextToFullTree, xrefs: 0000022DA5446114
SystemIndex, xrefs: 0000022DA5446166
CIMakeICommand, xrefs: 0000022DA54460F2

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$AddressCreateInitializeInstanceLibraryLoadProc
String ID: CIMakeICommand$CITextToFullTree$LocateCatalogsW$SystemIndex$query.dll
API String ID: 3808765035-973766530
Opcode ID: 720d9c328525d2e01154ba9fcf2ad183cbf9d5e9ae928013ab7777fd7446115d
Instruction ID: 646a73366bf1bfa926404c0968d686be6972f57416ef041b80d08fc7c84c930d
Opcode Fuzzy Hash: 720d9c328525d2e01154ba9fcf2ad183cbf9d5e9ae928013ab7777fd7446115d
Instruction Fuzzy Hash: CF311931A01F01E2FB549FA4E848B5833F4F748B88F505566CA4E67364EFB9D55AC380

Function 0000022DA381DC4C Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 351filepipeCOMMON

Download Yara Rule

APIs

ConnectNamedPipe.KERNEL32 ref: 0000022DA381DD03
GetLastError.KERNEL32 ref: 0000022DA381DD09
GetOverlappedResult.KERNEL32 ref: 0000022DA381DD96
GetLastError.KERNEL32 ref: 0000022DA381DDA4
ResetEvent.KERNEL32 ref: 0000022DA381E1FF
ReadFile.KERNEL32 ref: 0000022DA381E258

Strings

m, xrefs: 0000022DA381DDC9

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$ConnectEventFileNamedOverlappedPipeReadResetResult
String ID: m
API String ID: 1955163435-3775001192
Opcode ID: ca9f08458dd51b7eccf077a122f473f0cca9a460bab1f66125aa79992e2a8cc5
Instruction ID: 29ecc0c9e5904a20d1697977b7df68c9131e8fb263f737b68c96585f08b6b249
Opcode Fuzzy Hash: ca9f08458dd51b7eccf077a122f473f0cca9a460bab1f66125aa79992e2a8cc5
Instruction Fuzzy Hash: B8022332225B8197EBD0DB76E458B5BA7A2F7C4B84F105025FA8D8BBD9DF79C4448B00

Function 0000022DA5446AA0 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 304COMMON

Download Yara Rule

Strings

AND DIRECTORY='%s:%s', xrefs: 0000022DA5446BCD
AND SCOPE='%s:%s', xrefs: 0000022DA5446BBC
AND System.DateModified<='%04d-%02d-%02dT%02d:%02d:%02d', xrefs: 0000022DA5446CD1
size,path,write, xrefs: 0000022DA5446B42
AND System.DateModified>='%04d-%02d-%02dT%02d:%02d:%02d', xrefs: 0000022DA5446C50

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID:
String ID: AND System.DateModified<='%04d-%02d-%02dT%02d:%02d:%02d'$ AND System.DateModified>='%04d-%02d-%02dT%02d:%02d:%02d'$AND DIRECTORY='%s:%s'$AND SCOPE='%s:%s'$size,path,write
API String ID: 0-3277289244
Opcode ID: 3a568c6cfaf46a1eb5b14276c9e8e4d2cc9399d0cdfa6a6c51111378daefd5bc
Instruction ID: 9c6015fa72887430f0428c21c7be0de305e3f5de07ecbb499557b1cb38e5e270
Opcode Fuzzy Hash: 3a568c6cfaf46a1eb5b14276c9e8e4d2cc9399d0cdfa6a6c51111378daefd5bc
Instruction Fuzzy Hash: 15D12672B41A51AAFB10CFE5D488BAD63B1FB84F88F108116DE1967B98EF79C509C350

Function 0000022DA37C0F28 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 267COMMON

Download Yara Rule

Strings

stream error, xrefs: 0000022DA37C118A
file error, xrefs: 0000022DA37C10F0

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: mbstowcs$calloc
String ID: file error$stream error
API String ID: 2743665075-348918349
Opcode ID: cbadb7eca36bf48e931c61131647eb502b7fdb7439007cd6ab1eb28008616e5d
Instruction ID: 50881ffa04d9a91d00b82ff5fb22f538ea6167aaba1b690ac613db7d4dfe3d7f
Opcode Fuzzy Hash: cbadb7eca36bf48e931c61131647eb502b7fdb7439007cd6ab1eb28008616e5d
Instruction Fuzzy Hash: F0D1C976218BC496EBA0DB59E494B5AB7A1F7C4784F104126EACD8BB99DF38C841CF40

Function 0000022DA38253F8 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 213COMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA38281F0: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818FD8), ref: 0000022DA382820E

htonl.WS2_32 ref: 0000022DA382558B
malloc.LIBCMT ref: 0000022DA38255B9
SetLastError.KERNEL32 ref: 0000022DA38255D0
memcpy_s.LIBCMT ref: 0000022DA3825601
SetLastError.KERNEL32 ref: 0000022DA3825668
SetLastError.KERNEL32 ref: 0000022DA38256C4
free.LIBCMT ref: 0000022DA38256FE
free.LIBCMT ref: 0000022DA3825716
SetLastError.KERNEL32 ref: 0000022DA3825731
SetLastError.KERNEL32 ref: 0000022DA3825753
SetLastError.KERNEL32 ref: 0000022DA3825768
SetLastError.KERNEL32 ref: 0000022DA382579E
SetLastError.KERNEL32 ref: 0000022DA38257B9

Strings

aaaa, xrefs: 0000022DA382546F

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$free$ObjectSingleWaithtonlmallocmemcpy_s
String ID: aaaa
API String ID: 1131673111-2912478533
Opcode ID: 0e0c9b63af85f3fcc5815ddc3e706920e569b2340fb7d03e541fac399018d20b
Instruction ID: 3e4447cd97f726c27b77d65b5f13de9a153dc05cac4c4f307df39e38f7d1c907
Opcode Fuzzy Hash: 0e0c9b63af85f3fcc5815ddc3e706920e569b2340fb7d03e541fac399018d20b
Instruction Fuzzy Hash: CCB14172248B81D7EBA09BF5E45876AB7A2F784754F404025DA998BB98EF7CC444CF01

Function 0000022DA54420B0 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181libraryloadernetworkCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,00000000,?,0000022DA5442404), ref: 0000022DA54420C6
GetProcAddress.KERNEL32(?,?,?,?,?,00000000,?,0000022DA5442404), ref: 0000022DA54420D6
malloc.LIBCMT ref: 0000022DA544213B
htons.WS2_32 ref: 0000022DA54421B4
free.LIBCMT ref: 0000022DA544222D
malloc.LIBCMT ref: 0000022DA5442263

Part of subcall function 0000022DA5441F60: malloc.LIBCMT ref: 0000022DA5441F9A
Part of subcall function 0000022DA5441F60: GetUdpTable.IPHLPAPI(?,?,00000000,0000022DA54420EC,?,?,?,?,?,00000000,?,0000022DA5442404), ref: 0000022DA5441FB0
Part of subcall function 0000022DA5441F60: htons.WS2_32 ref: 0000022DA5441FFC
Part of subcall function 0000022DA5441F60: free.LIBCMT ref: 0000022DA544205F

Strings

GetExtendedUdpTable, xrefs: 0000022DA54420CC
iphlpapi, xrefs: 0000022DA54420BD
udp, xrefs: 0000022DA54421DD
udp6, xrefs: 0000022DA544230D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: malloc$freehtons$AddressHandleModuleProcTable
String ID: GetExtendedUdpTable$iphlpapi$udp$udp6
API String ID: 1620742851-3210492192
Opcode ID: 6f7904d43f2903fe83270e59c48226722c8039f2cf8c5a2c395e228ed9d6931c
Instruction ID: 7f938e03abf4027897d203ff67aaf0b1f000b7e2b0bcf1c7836df9de895a214b
Opcode Fuzzy Hash: 6f7904d43f2903fe83270e59c48226722c8039f2cf8c5a2c395e228ed9d6931c
Instruction Fuzzy Hash: 2581E272B04751A7EB20DF65E448B9C37B0F748BC4F40500AEA4A67B99EBBCC645CB80

Function 0000022DA544E990 Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 148threadCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNEL32 ref: 0000022DA544EB37
GetLastError.KERNEL32 ref: 0000022DA544EB41
htonl.WS2_32 ref: 0000022DA544EB87
htonl.WS2_32 ref: 0000022DA544EB95

Strings

esi, xrefs: 0000022DA544EA1D
esp, xrefs: 0000022DA544EA53
eax, xrefs: 0000022DA544E9EE
ebp, xrefs: 0000022DA544EA40
ebx, xrefs: 0000022DA544E9E7
ecx, xrefs: 0000022DA544E9FE
eflags, xrefs: 0000022DA544EAE4
edx, xrefs: 0000022DA544EA0C
edi, xrefs: 0000022DA544EA2D
eip, xrefs: 0000022DA544EA66

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: htonl$ContextErrorLastThread
String ID: eax$ebp$ebx$ecx$edi$edx$eflags$eip$esi$esp
API String ID: 1258935475-2196928098
Opcode ID: 1c01791430a64a393e858c0f0156860ae8d47140e528b6d39dc1d09a848dace4
Instruction ID: 41da0a01d3bbc57ad1bf48c7b94cd1a57a7b38b5573fd90132826f875107650c
Opcode Fuzzy Hash: 1c01791430a64a393e858c0f0156860ae8d47140e528b6d39dc1d09a848dace4
Instruction Fuzzy Hash: 437130B2604B80EAE711CFA1E8487DA77B4F744758F500266EE4D27B68DFB8C559CB40

Function 0000022DA3818930 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 100libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 0000022DA3818940
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818359), ref: 0000022DA3818964
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818359), ref: 0000022DA381897B
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818359), ref: 0000022DA3818992
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818359), ref: 0000022DA38189A9
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818359), ref: 0000022DA38189C0
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818359), ref: 0000022DA38189D7

Strings

NtOpenSection, xrefs: 0000022DA38189B4
NtOpenFile, xrefs: 0000022DA3818986
ntdll, xrefs: 0000022DA3818939
NtQueryAttributesFile, xrefs: 0000022DA381896F
NtMapViewOfSection, xrefs: 0000022DA3818958
NtClose, xrefs: 0000022DA38189CB
NtCreateSection, xrefs: 0000022DA381899D

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtClose$NtCreateSection$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryAttributesFile$ntdll
API String ID: 2238633743-2731749698
Opcode ID: f441fef43948bcee7ecb6de3abe3450a42319b97b02b5f1982d09cf86147ee70
Instruction ID: eb8a7cf7bdbd867a0d9a7473723ed726317dae3946815033cd9e2828dca20163
Opcode Fuzzy Hash: f441fef43948bcee7ecb6de3abe3450a42319b97b02b5f1982d09cf86147ee70
Instruction Fuzzy Hash: D3510776615B8493DB80DB69E89579AB3B1F788B84F501122EB8D4BB79CF3CC156CB00

Function 0000022DA5443120 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 98libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 0000022DA5443192

Part of subcall function 0000022DA546BEFC: _errno.LIBCMT ref: 0000022DA546BF14
Part of subcall function 0000022DA546BEFC: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546BF20

Part of subcall function 0000022DA546BF60: _errno.LIBCMT ref: 0000022DA546BF7E
Part of subcall function 0000022DA546BF60: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546BF8A

LoadLibraryA.KERNEL32 ref: 0000022DA54431DA
GetProcAddress.KERNEL32 ref: 0000022DA54431EE
FreeLibrary.KERNEL32 ref: 0000022DA54431FC
LoadLibraryA.KERNEL32 ref: 0000022DA5443234
GetProcAddress.KERNEL32 ref: 0000022DA544324C
FreeLibrary.KERNEL32 ref: 0000022DA544325A
GetProcAddress.KERNEL32 ref: 0000022DA5443278
FreeLibrary.KERNEL32 ref: 0000022DA54432BA

Strings

getaddrinfo, xrefs: 0000022DA544313B
freeaddrinfo, xrefs: 0000022DA5443167
getnameinfo, xrefs: 0000022DA5443147
\ws2_32, xrefs: 0000022DA54431BF
\wship6, xrefs: 0000022DA5443219

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Library$AddressFreeProc$Load_errno_invalid_parameter_noinfo$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 3103270816-744132762
Opcode ID: 49a7fb4060bffaa9edbb54fd99750f93a7f2386ba8876c7c90d47abba00b5b16
Instruction ID: c005588d278f218e022030f1f37ce8474da3405b53b5dd6f175a3eb866460fd7
Opcode Fuzzy Hash: 49a7fb4060bffaa9edbb54fd99750f93a7f2386ba8876c7c90d47abba00b5b16
Instruction Fuzzy Hash: 9E416135A09B84A2EB14CB90F84C79A73B4F789B94F544112D98D63B68EFBCC189C740

Function 0000022DA54B3980 Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000022DA54B399F
OpenProcessToken.ADVAPI32 ref: 0000022DA54B39B2
GetLastError.KERNEL32 ref: 0000022DA54B39BC
GetModuleHandleA.KERNEL32 ref: 0000022DA54B39D0
GetLastError.KERNEL32 ref: 0000022DA54B39DB
CloseHandle.KERNEL32 ref: 0000022DA54B3AC0

Strings

ntdll, xrefs: 0000022DA54B39C9
NtQueryObject, xrefs: 0000022DA54B39E8

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorHandleLastProcess$CloseCurrentModuleOpenToken
String ID: NtQueryObject$ntdll
API String ID: 2600418564-2921792543
Opcode ID: 3dfc1a726c1db6aac0d5cf7d76c209d85ec83de1d41d5c59ffd11e4f0b629a95
Instruction ID: 4c197ff8a87ca3b0318d97061ffb787f357a52391455d9001104aff0fd2ed54d
Opcode Fuzzy Hash: 3dfc1a726c1db6aac0d5cf7d76c209d85ec83de1d41d5c59ffd11e4f0b629a95
Instruction Fuzzy Hash: 03316D75B04B81A7FB108BE3B498B1A67A0F7CDB94F100028DE4A63B64EFB8D4098710

Function 0000022DA5441900 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 80libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA544192A
GetProcAddress.KERNEL32 ref: 0000022DA544193A
GetModuleHandleA.KERNEL32 ref: 0000022DA544194A
GetProcAddress.KERNEL32 ref: 0000022DA544195A
GetModuleHandleA.KERNEL32 ref: 0000022DA544196A
GetProcAddress.KERNEL32 ref: 0000022DA544197A
CloseHandle.KERNEL32 ref: 0000022DA54419D7
_snwprintf_s.LIBCMT ref: 0000022DA5441A01
CloseHandle.KERNEL32 ref: 0000022DA5441A09

Strings

%d/%s, xrefs: 0000022DA54419EA
Process32Next, xrefs: 0000022DA5441970
CreateToolhelp32Snapshot, xrefs: 0000022DA5441930
Process32First, xrefs: 0000022DA5441950
kernel32, xrefs: 0000022DA544191D, 0000022DA5441940, 0000022DA5441960

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Handle$AddressModuleProc$Close$_snwprintf_s
String ID: %d/%s$CreateToolhelp32Snapshot$Process32First$Process32Next$kernel32
API String ID: 3929803966-2034424418
Opcode ID: 8a433a1a4b0c835391f3d2169e3388e583cd0be05645b0269c1150c8cf7437a2
Instruction ID: c376b42a7ec178355c7b721aa7f3b2197bd5b5b96caa43e48fa559b1a4332ce3
Opcode Fuzzy Hash: 8a433a1a4b0c835391f3d2169e3388e583cd0be05645b0269c1150c8cf7437a2
Instruction Fuzzy Hash: 2831A131A41B42A6EB14DF91F848B5A23A0F748BE1F482262DD6A73794EFB8C045C740

Function 0000022DA3818C0C Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 70libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA3818C1C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA38183EA), ref: 0000022DA3818C40
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA38183EA), ref: 0000022DA3818C57
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA38183EA), ref: 0000022DA3818C6E
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA38183EA), ref: 0000022DA3818C85
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA38183EA), ref: 0000022DA3818C9C
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000022DA38183EA), ref: 0000022DA3818CB3

Strings

NtOpenSection, xrefs: 0000022DA3818C90
NtOpenFile, xrefs: 0000022DA3818C62
NtQueryAttributesFile, xrefs: 0000022DA3818C4B
ntdll, xrefs: 0000022DA3818C15
NtMapViewOfSection, xrefs: 0000022DA3818C34
NtClose, xrefs: 0000022DA3818CA7
NtCreateSection, xrefs: 0000022DA3818C79

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtClose$NtCreateSection$NtMapViewOfSection$NtOpenFile$NtOpenSection$NtQueryAttributesFile$ntdll
API String ID: 2238633743-2731749698
Opcode ID: 5f969a8ceed3163d91c4df8562a099728c35422755aac9032aca25d32bb0763b
Instruction ID: be3a8fb09f7deb9216c3cfa9aecf4a31cfea631390b7ab7f4d4f5e4edbbd24fa
Opcode Fuzzy Hash: 5f969a8ceed3163d91c4df8562a099728c35422755aac9032aca25d32bb0763b
Instruction Fuzzy Hash: 6F31F876615B8093DA909B69F89575AB3B2F788BC4F501113EA9D4BF79DF3DC1018B00

Function 0000022DA54B24E0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0000022DA54B2559
SetLastError.KERNEL32 ref: 0000022DA54B2576
GetLastError.KERNEL32 ref: 0000022DA54B257C
_snwprintf_s.LIBCMT ref: 0000022DA54B25CE
_snwprintf_s.LIBCMT ref: 0000022DA54B25F7
CreateSemaphoreA.KERNEL32 ref: 0000022DA54B2607
WaitForSingleObject.KERNEL32 ref: 0000022DA54B268A
CloseHandle.KERNEL32 ref: 0000022DA54B2757

Strings

cmd.exe /c echo %s > %s, xrefs: 0000022DA54B25E1
\\.\pipe\%s, xrefs: 0000022DA54B25B3

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast_snwprintf_s$CloseCreateHandleObjectSemaphoreSingleVersionWait
String ID: \\.\pipe\%s$cmd.exe /c echo %s > %s
API String ID: 93777643-3579833515
Opcode ID: 2c58319facc92b515d418c376bf49d2fb8860339db1a4585df2df4eb4354b47f
Instruction ID: ad00ef00ac48620b3d476b1c7a77337136340f61842e371f5f6f5c731b024552
Opcode Fuzzy Hash: 2c58319facc92b515d418c376bf49d2fb8860339db1a4585df2df4eb4354b47f
Instruction Fuzzy Hash: CF61A536B04B41A6FF24DFA1E858BED73A0F789B84F054025DA4A67B99EFB8C545C700

Function 0000022DA54553A0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 141libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32 ref: 0000022DA545544D
GetLastError.KERNEL32 ref: 0000022DA545545B
malloc.LIBCMT ref: 0000022DA545540B

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

LoadLibraryA.KERNEL32 ref: 0000022DA5455425
GetLastError.KERNEL32 ref: 0000022DA5455438
malloc.LIBCMT ref: 0000022DA5455486
free.LIBCMT ref: 0000022DA5456175
SetLastError.KERNEL32 ref: 0000022DA545617D

Strings

stdcall, xrefs: 0000022DA54553A8

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$_errnomalloc$AddressAllocHeapLibraryLoadProc_callnewhfree
String ID: stdcall
API String ID: 3740261583-1361542064
Opcode ID: ffde28508f3c91dd3659c8773025320ffe77338ec712f4009d336d049e2fd25a
Instruction ID: a44b4c4b7e62082df9ac4030c3ec9297ae4f1391c536ee5dbcaaef8d143a3b63
Opcode Fuzzy Hash: ffde28508f3c91dd3659c8773025320ffe77338ec712f4009d336d049e2fd25a
Instruction Fuzzy Hash: BB51AF76A05B40A2FB698F85E458BBD73A0F758B91F005225DE5FA7B91DF78C860C700

Function 0000022DA544CBE0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 116libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA544CC44
GetLastError.KERNEL32 ref: 0000022DA544CC52
GetProcAddress.KERNEL32 ref: 0000022DA544CC6F
GetLastError.KERNEL32 ref: 0000022DA544CC7D
FreeLibrary.KERNEL32 ref: 0000022DA544CDEE

Strings

GetModuleFileNameExW, xrefs: 0000022DA544CCB3
GetModuleBaseNameW, xrefs: 0000022DA544CC88
psapi, xrefs: 0000022DA544CC3D
EnumProcessModules, xrefs: 0000022DA544CC5D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastLibrary$AddressFreeLoadProc
String ID: EnumProcessModules$GetModuleBaseNameW$GetModuleFileNameExW$psapi
API String ID: 1529210728-3989420880
Opcode ID: a415e83e2cbca05cada1bdad8229326d90125f1cbaa71be728496fe88a2b22f1
Instruction ID: d437a697dd2b344ba4ddc5cc4e850ef590d04d98fb08c63b7a5d05e929d06fab
Opcode Fuzzy Hash: a415e83e2cbca05cada1bdad8229326d90125f1cbaa71be728496fe88a2b22f1
Instruction Fuzzy Hash: 2C519375B08B81A2EB64DF96E848B9967B1FB89FC0F584122DE4963755EF7CC109C700

Function 0000022DA381F388 Relevance: 21.4, APIs: 14, Instructions: 368threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 0000022DA381F40C
SetLastError.KERNEL32 ref: 0000022DA381F440

Part of subcall function 0000022DA3819F40: GetSystemTime.KERNEL32 ref: 0000022DA3819F49
Part of subcall function 0000022DA3819F40: SystemTimeToFileTime.KERNEL32 ref: 0000022DA3819F59

SetLastError.KERNEL32 ref: 0000022DA381F4E6
malloc.LIBCMT ref: 0000022DA381F5B9
memcpy_s.LIBCMT ref: 0000022DA381F5E2
OpenThreadToken.ADVAPI32 ref: 0000022DA381F60D
GetCurrentProcess.KERNEL32 ref: 0000022DA381F625
OpenProcessToken.ADVAPI32 ref: 0000022DA381F63B
SetLastError.KERNEL32 ref: 0000022DA381F654

Part of subcall function 0000022DA381F998: LoadLibraryA.KERNEL32 ref: 0000022DA381F9BE
Part of subcall function 0000022DA381F998: GetProcAddress.KERNEL32 ref: 0000022DA381F9DD
Part of subcall function 0000022DA381F998: FreeLibrary.KERNEL32 ref: 0000022DA381FA28

GetProcessWindowStation.USER32 ref: 0000022DA381F68E
GetUserObjectInformationA.USER32 ref: 0000022DA381F6B3

Part of subcall function 0000022DA38386D0: malloc.LIBCMT ref: 0000022DA38386F3

Part of subcall function 0000022DA38386D0: _invoke_watson.LIBCMT ref: 0000022DA383873A

GetCurrentThreadId.KERNEL32 ref: 0000022DA381F6E5
GetThreadDesktop.USER32 ref: 0000022DA381F6ED
GetUserObjectInformationA.USER32 ref: 0000022DA381F712

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLastProcessThreadTime$CurrentInformationLibraryObjectOpenSystemTokenUsermalloc$AddressDesktopFileFreeLoadProcStationWindow_invoke_watson_time64memcpy_s
String ID:
API String ID: 2780990703-0
Opcode ID: 49d4ffad9b4d104ce7ca520689330328ca7888229c12ba54f006dd5b0723343a
Instruction ID: 32f602255e1295f4b5504d306fecacd427957a79237eb40bba4abcb70f9e8a01
Opcode Fuzzy Hash: 49d4ffad9b4d104ce7ca520689330328ca7888229c12ba54f006dd5b0723343a
Instruction Fuzzy Hash: C8021036225B8593EBD0DB79E498B6A77A1F7C4B84F105122EE8E8B7A4DF78C445C700

Function 0000022DA3820338 Relevance: 21.2, APIs: 14, Instructions: 219fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA38281F0: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818FD8), ref: 0000022DA382820E

ReadFile.KERNEL32 ref: 0000022DA38203F2
SetLastError.KERNEL32 ref: 0000022DA3820401
malloc.LIBCMT ref: 0000022DA3820498
free.LIBCMT ref: 0000022DA38204C0
SetLastError.KERNEL32 ref: 0000022DA38204DC
GetLastError.KERNEL32 ref: 0000022DA3820686
free.LIBCMT ref: 0000022DA382069D

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$free$FileObjectReadSingleWaitmalloc
String ID:
API String ID: 1659679957-0
Opcode ID: e825ee114b39cab299101a6f160a01cdfb3ba9c493e25820364669a2d13321f8
Instruction ID: bfb9e0ed38bde5ca9161aa9d806662a4a0021029219fc8cfb84cc3482832cc9a
Opcode Fuzzy Hash: e825ee114b39cab299101a6f160a01cdfb3ba9c493e25820364669a2d13321f8
Instruction Fuzzy Hash: 64A1007231874197EB90DBB9E458B5BB7A2F7C4784F104025EA998BBA5EF3DC844CB01

Function 0000022DA5453130 Relevance: 21.1, APIs: 14, Instructions: 149pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 0000022DA54531AC
GetLastError.KERNEL32 ref: 0000022DA54531BA

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: CreateErrorLastNamedPipe
String ID:
API String ID: 4201769729-0
Opcode ID: 691b40c6b1a78f6856fc8097a292d81d683c53e87015d8029bd5ad61fe9e6c47
Instruction ID: 5c1ac54d1523ad992f076ee4ab5e50ce7c6049170bedeec118bf93c8951c7e60
Opcode Fuzzy Hash: 691b40c6b1a78f6856fc8097a292d81d683c53e87015d8029bd5ad61fe9e6c47
Instruction Fuzzy Hash: FE51A072B05B40A7EB248FA6B488B6EB3E0F784B84F544015EF8663B64DF78CC459B00

Function 0000022DA3826B64 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 138timeCOMMON

Download Yara Rule

APIs

WinHttpOpen.WINHTTP ref: 0000022DA3826BBB
WinHttpSetTimeouts.WINHTTP ref: 0000022DA3826BEC
GetLastError.KERNEL32 ref: 0000022DA3826BF6
GetLastError.KERNEL32 ref: 0000022DA3826C74
WinHttpCrackUrl.WINHTTP ref: 0000022DA3826D15
free.LIBCMT ref: 0000022DA3826D30
WinHttpConnect.WINHTTP ref: 0000022DA3826D8E
GetLastError.KERNEL32 ref: 0000022DA3826DAF

Strings

h, xrefs: 0000022DA3826CC1

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Http$ErrorLast$ConnectCrackOpenTimeoutsfree
String ID: h
API String ID: 3038188542-2439710439
Opcode ID: b89c176b33d8fa98673e77474a46751e061b29d9860c60b19ab8ee44404e3557
Instruction ID: b9cd712978d5897313ce03ae25ecdb5a2f9cd5618c8ca28a1d305e3a253ac7ce
Opcode Fuzzy Hash: b89c176b33d8fa98673e77474a46751e061b29d9860c60b19ab8ee44404e3557
Instruction Fuzzy Hash: E4616032324B8593E7E09BB5E458B5E77A6F7D4B84F404021EA9E8BB94DF79C505CB00

Function 0000022DA54B22F0 Relevance: 21.1, APIs: 14, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9875264fa650dab917d74541518c8323418633a8fa2f5bc5171ff8f8107f930e
Instruction ID: 9f31a5b1568223c40ceb5550d497981f9dd9b1740368f93cf62947de6eba96ff
Opcode Fuzzy Hash: 9875264fa650dab917d74541518c8323418633a8fa2f5bc5171ff8f8107f930e
Instruction Fuzzy Hash: 6751A536B08A8197FF649FA2E848B5D73A0FBC4B80F054525E94A63B54DFB8C4459711

Function 0000022DA54B33B0 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA54B33E3

Part of subcall function 0000022DA54B723C: _FF_MSGBANNER.LIBCMT ref: 0000022DA54B726C
Part of subcall function 0000022DA54B723C: _NMSG_WRITE.LIBCMT ref: 0000022DA54B7276
Part of subcall function 0000022DA54B723C: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA54BB5A4,?,?,?,0000022DA54BE3FC,?,?,?,0000022DA54BE2FB,?,?,0000000D,0000022DA54B9763), ref: 0000022DA54B7291
Part of subcall function 0000022DA54B723C: _errno.LIBCMT ref: 0000022DA54B72B5
Part of subcall function 0000022DA54B723C: _errno.LIBCMT ref: 0000022DA54B72C0

GetComputerNameW.KERNEL32 ref: 0000022DA54B3407
malloc.LIBCMT ref: 0000022DA54B341A

Part of subcall function 0000022DA54B723C: _errno.LIBCMT ref: 0000022DA54B72D5

malloc.LIBCMT ref: 0000022DA54B3435
_snwprintf_s.LIBCMT ref: 0000022DA54B3463

Part of subcall function 0000022DA54B693C: _vsnwprintf_s_l.LIBCMT ref: 0000022DA54B6954

_snwprintf_s.LIBCMT ref: 0000022DA54B3480

Part of subcall function 0000022DA54B11F0: NdrClientCall2.RPCRT4 ref: 0000022DA54B121A

Part of subcall function 0000022DA54B1320: NdrClientCall2.RPCRT4 ref: 0000022DA54B1365

GetLastError.KERNEL32 ref: 0000022DA54B34F2
free.LIBCMT ref: 0000022DA54B3500
free.LIBCMT ref: 0000022DA54B350D
free.LIBCMT ref: 0000022DA54B351A

Strings

\\localhost/pipe/%s, xrefs: 0000022DA54B346D
\\%s, xrefs: 0000022DA54B3450

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: _errnofreemalloc$Call2Client_snwprintf_s$AllocComputerErrorHeapLastName_vsnwprintf_s_l
String ID: \\%s$\\localhost/pipe/%s
API String ID: 2194898439-1768746761
Opcode ID: 7dbba0bd36b181f6a5f43d568556b3d9f366ae2c1c2e95240fce10627b940c37
Instruction ID: adef9d37f567028b3cef55026269aaaffcaafcc23e290af40c782cc5cd494313
Opcode Fuzzy Hash: 7dbba0bd36b181f6a5f43d568556b3d9f366ae2c1c2e95240fce10627b940c37
Instruction Fuzzy Hash: CD311A72A0578062FF25EB91A448B9E72E1F7847A0F060624E9A917BD5DFB8C942C701

Function 0000022DA3837538 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 87memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA3837544
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA3837576
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA38375A2
LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA38375BC
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA3837601
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA383761D
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA3837665
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA38376CB

Strings

ZwSetIoCompletion, xrefs: 0000022DA3837659
NtQueryObject, xrefs: 0000022DA3837611
ntdll.dll, xrefs: 0000022DA383759B, 0000022DA38375B5
NtQueryInformationProcess, xrefs: 0000022DA38375F5

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AddressHeapProc$AllocFreeHandleLibraryLoadModuleProcess
String ID: NtQueryInformationProcess$NtQueryObject$ZwSetIoCompletion$ntdll.dll
API String ID: 1214976393-420758874
Opcode ID: 605d4673cb5f3103411c7aba26ca9791481e86df32fdcf3d2797515b52ed5af4
Instruction ID: ce1ea860d5049a8c585e193958ca70b9a1ba23e344d5c52f4861490f3022bbb6
Opcode Fuzzy Hash: 605d4673cb5f3103411c7aba26ca9791481e86df32fdcf3d2797515b52ed5af4
Instruction Fuzzy Hash: 8851E931206B04A7FBE4DBB5E89CB5A73E2F788758F504126E5498ABA4EF7DC584C700

Function 0000022DA3828394 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 77libraryloaderthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA38283BD

Part of subcall function 0000022DA3837A78: _FF_MSGBANNER.LIBCMT ref: 0000022DA3837AA8
Part of subcall function 0000022DA3837A78: _NMSG_WRITE.LIBCMT ref: 0000022DA3837AB2
Part of subcall function 0000022DA3837A78: HeapAlloc.KERNEL32(?,?,00000000,0000022DA3840CB0,?,?,?,0000022DA3840F14,?,?,?,0000022DA3840E13), ref: 0000022DA3837ACD
Part of subcall function 0000022DA3837A78: _callnewh.LIBCMT ref: 0000022DA3837AE6
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AF1
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AFC

GetCurrentThreadId.KERNEL32 ref: 0000022DA38283E5

Part of subcall function 0000022DA382824C: malloc.LIBCMT ref: 0000022DA382825E

LoadLibraryA.KERNEL32 ref: 0000022DA3828407
GetProcAddress.KERNEL32 ref: 0000022DA382841E
LoadLibraryA.KERNEL32 ref: 0000022DA3828462
GetProcAddress.KERNEL32 ref: 0000022DA3828479
FreeLibrary.KERNEL32 ref: 0000022DA38284EF
FreeLibrary.KERNEL32 ref: 0000022DA38284FA

Strings

kernel32.dll, xrefs: 0000022DA3828400
ntdll.dll, xrefs: 0000022DA382845B
OpenThread, xrefs: 0000022DA3828412
NtOpenThread, xrefs: 0000022DA382846D

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc_errnomalloc$AllocCurrentHeapThread_callnewh
String ID: NtOpenThread$OpenThread$kernel32.dll$ntdll.dll
API String ID: 802756111-1307226884
Opcode ID: 8350347ead97729909e964a6ad1955d052de4c230fbbffee2eae7bf3f25f65e0
Instruction ID: d252226fffc32fe4a922df8814c84f17e7eb53acc5f7d50031eef4c64b20b55a
Opcode Fuzzy Hash: 8350347ead97729909e964a6ad1955d052de4c230fbbffee2eae7bf3f25f65e0
Instruction Fuzzy Hash: 7E413C36215B8493E7A0DBA5F45875AB3A1F7C8794F504126EA8E47B68DF7DC248CB00

Function 00007FF6EF71A0D0 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 220libraryloaderCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,00000001,00000000,?,00007FF6EF719F54), ref: 00007FF6EF71A108
GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF6EF719F54), ref: 00007FF6EF71A140
GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF6EF719F54), ref: 00007FF6EF71A17A
GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF6EF719F54), ref: 00007FF6EF71A1E0
GetProcAddress.KERNEL32(?,?,?,?,00000001,00000000,?,00007FF6EF719F54), ref: 00007FF6EF71A213
memset.VCRUNTIME140(?,?,?,?,00000001,00000000,?,00007FF6EF719F54), ref: 00007FF6EF71A330

Strings

SymQueryInlineTrace, xrefs: 00007FF6EF71A20C
SymAddrIncludeInlineTrace, xrefs: 00007FF6EF71A1D9
SymGetLineFromInlineContextW, xrefs: 00007FF6EF71A173
SymFromInlineContextW, xrefs: 00007FF6EF71A139

Memory Dump Source

Source File: 00000000.00000002.3274803182.00007FF6EF711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF710000, based on PE: true

Associated: 00000000.00000002.3274791073.00007FF6EF710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274835833.00007FF6EF730000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274847356.00007FF6EF731000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef710000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AddressProc$CurrentProcessmemset
String ID: SymAddrIncludeInlineTrace$SymFromInlineContextW$SymGetLineFromInlineContextW$SymQueryInlineTrace
API String ID: 3017635649-3384281969
Opcode ID: 7f69e8346fb470a11e66eacc1235267606e8904ba24019f08f7e2e4d1fcb8a56
Instruction ID: 0dff9e8696fa78c5c7fa617b748e9518b97f7e402162e1d132a5f2aa402c1864
Opcode Fuzzy Hash: 7f69e8346fb470a11e66eacc1235267606e8904ba24019f08f7e2e4d1fcb8a56
Instruction Fuzzy Hash: 19B18F36909AC19AFB718F25B8457E933A0FF44798F040135EE8C87758DF7A92A9D305

Function 0000022DA3820C2C Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 180pipeCOMMON

Download Yara Rule

APIs

wcsstr.LIBCMT ref: 0000022DA3820CCE
wcschr.LIBCMT ref: 0000022DA3820CF1
wcschr.LIBCMT ref: 0000022DA3820D14
calloc.LIBCMT ref: 0000022DA3820D7F
_snwprintf_s.LIBCMT ref: 0000022DA3820DBF
SetNamedPipeHandleState.KERNEL32 ref: 0000022DA3820DFE
SetHandleInformation.KERNEL32 ref: 0000022DA3820ECA

Part of subcall function 0000022DA3820A6C: CreateNamedPipeW.KERNEL32 ref: 0000022DA3820B0C
Part of subcall function 0000022DA3820A6C: GetLastError.KERNEL32 ref: 0000022DA3820B17
Part of subcall function 0000022DA3820A6C: CreateNamedPipeW.KERNEL32 ref: 0000022DA3820B7A
Part of subcall function 0000022DA3820A6C: GetLastError.KERNEL32 ref: 0000022DA3820B85

Strings

pipe, xrefs: 0000022DA3820CA3
\\.\, xrefs: 0000022DA3820E26
\\%s\pipe\%s, xrefs: 0000022DA3820DA8
W, xrefs: 0000022DA3820E92

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: NamedPipe$CreateErrorHandleLastwcschr$InformationState_snwprintf_scallocwcsstr
String ID: W$\\%s\pipe\%s$\\.\$pipe
API String ID: 3208180658-1635615219
Opcode ID: 620c8e1b58bca11fb51f957a49d7dfca1b6795f404bdba8579dac565fb4a39fa
Instruction ID: d69c7274c0cbd21e258a8497390a5f4be93f3a6b75be8c51244c9bdcf7dc83b4
Opcode Fuzzy Hash: 620c8e1b58bca11fb51f957a49d7dfca1b6795f404bdba8579dac565fb4a39fa
Instruction Fuzzy Hash: 318150B6225B8593EBD09BB5E854B5AA3E2F7C4B84F504121EA5DCBBA4FF38C444C701

Function 0000022DA5446850 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 159COMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA54468FF
sprintf_s.LIBCMTD ref: 0000022DA5446924

Part of subcall function 0000022DA5445B60: _vswprintf_c_l.LIBCMT ref: 0000022DA5445B7B

calloc.LIBCMT ref: 0000022DA54469BC
swprintf.LIBCMT ref: 0000022DA54469E2

Part of subcall function 0000022DA546D0E8: _vswprintf_s_l.LIBCMT ref: 0000022DA546D102

GetSystemDefaultLCID.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000005,?,?,0000022DA544734A), ref: 0000022DA54469E7
free.LIBCMT ref: 0000022DA5446A6E
free.LIBCMT ref: 0000022DA5446A76

Strings

size,path, xrefs: 0000022DA54469ED
#filename = %s, xrefs: 0000022DA54469CE
%s\, xrefs: 0000022DA5446914
System, xrefs: 0000022DA5446952

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: callocfree$DefaultSystem_vswprintf_c_l_vswprintf_s_lsprintf_sswprintf
String ID: #filename = %s$%s\$System$size,path
API String ID: 655534614-3779978915
Opcode ID: a47f6d8417c004511615c0a4f296ac74ec26502eda3269e0356b4e2cb928c628
Instruction ID: 4446af385c746a0bd5d573157200619aaaa29dcea73279742595a332309d6585
Opcode Fuzzy Hash: a47f6d8417c004511615c0a4f296ac74ec26502eda3269e0356b4e2cb928c628
Instruction Fuzzy Hash: 64616B32B01B50A6FB10CFA6E889B9D77B4F748B98F948126DE4D63B84DB78C549C340

Function 0000022DA544DA40 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 138libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,?,0000022DA544CB33), ref: 0000022DA544DA8D
GetProcAddress.KERNEL32(?,?,00000000,?,0000022DA544CB33), ref: 0000022DA544DAC6
GetProcAddress.KERNEL32(?,?,00000000,?,0000022DA544CB33), ref: 0000022DA544DAD9
GetProcAddress.KERNEL32(?,?,00000000,?,0000022DA544CB33), ref: 0000022DA544DAEC
OpenProcess.KERNEL32(?,?,00000000,?,0000022DA544CB33), ref: 0000022DA544DBC5
CloseHandle.KERNEL32(?,?,00000000,?,0000022DA544CB33), ref: 0000022DA544DC0A
FreeLibrary.KERNEL32(?,?,00000000,?,0000022DA544CB33), ref: 0000022DA544DC94

Strings

GetModuleBaseNameW, xrefs: 0000022DA544DADF
EnumProcesses, xrefs: 0000022DA544DAAC
psapi, xrefs: 0000022DA544DA80
EnumProcessModules, xrefs: 0000022DA544DACC

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: AddressProc$Library$CloseFreeHandleLoadOpenProcess
String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$psapi
API String ID: 3215039149-2992890082
Opcode ID: bff92e482877fc0ecc1334491efc711ba193bdf259a56558971da66b3f54dfd5
Instruction ID: c3ef3b7dc7a99c611e37a973ddb22f46553e91e31217f4d86fefa2719715029c
Opcode Fuzzy Hash: bff92e482877fc0ecc1334491efc711ba193bdf259a56558971da66b3f54dfd5
Instruction Fuzzy Hash: E6517F36B04E81A6EB34DF65E808ADA73B1FB89788F404125DE4D17B58DFB8C255CB40

Function 0000022DA544E1D0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 119COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000022DA544E26C
OpenProcessToken.ADVAPI32 ref: 0000022DA544E289
GetTokenInformation.ADVAPI32 ref: 0000022DA544E2B1
malloc.LIBCMT ref: 0000022DA544E2BD

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

GetTokenInformation.ADVAPI32 ref: 0000022DA544E2EC
LookupAccountSidW.ADVAPI32 ref: 0000022DA544E339
_snwprintf.LIBCMT ref: 0000022DA544E362

Part of subcall function 0000022DA546DA18: _errno.LIBCMT ref: 0000022DA546DA4F
Part of subcall function 0000022DA546DA18: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546DA5A

free.LIBCMT ref: 0000022DA544E36F
CloseHandle.KERNEL32 ref: 0000022DA544E37E
CloseHandle.KERNEL32 ref: 0000022DA544E38C

Strings

%s\%s, xrefs: 0000022DA544E353

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Token_errno$CloseHandleInformationOpenProcess$AccountAllocHeapLookup_callnewh_invalid_parameter_noinfo_snwprintffreemalloc
String ID: %s\%s
API String ID: 1082786947-4073750446
Opcode ID: 1f9715dfa579afbc895f1de3a761c3dc12e32bbf97489d67a09c4987683b5d4b
Instruction ID: 0cde1761dc88420784d6d0b28406f8a168d613ca4ca489213e75ae3184f22241
Opcode Fuzzy Hash: 1f9715dfa579afbc895f1de3a761c3dc12e32bbf97489d67a09c4987683b5d4b
Instruction Fuzzy Hash: 7951B332B04B81A6EB21CFA6E844B9A73B0F785788F444126EA8C17F58DF78C245CB41

Function 0000022DA5448070 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 114libraryloaderCOMMON

Download Yara Rule

APIs

inet_addr.WS2_32 ref: 0000022DA5448107
inet_addr.WS2_32 ref: 0000022DA5448114
inet_addr.WS2_32 ref: 0000022DA5448121
GetModuleHandleA.KERNEL32 ref: 0000022DA5448150
GetProcAddress.KERNEL32 ref: 0000022DA5448160
GetModuleHandleA.KERNEL32 ref: 0000022DA544818D
GetProcAddress.KERNEL32 ref: 0000022DA544819D
CreateIpForwardEntry.IPHLPAPI ref: 0000022DA5448236

Strings

GetIpInterfaceEntry, xrefs: 0000022DA5448193
iphlpapi, xrefs: 0000022DA5448127, 0000022DA5448186
GetBestInterface, xrefs: 0000022DA5448156

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: inet_addr$AddressHandleModuleProc$CreateEntryForward
String ID: GetBestInterface$GetIpInterfaceEntry$iphlpapi
API String ID: 2699733871-3963187488
Opcode ID: 95156e8d080c615f3872da4d588bf0f0e962b448d6bf0bd9f1096277d6db9593
Instruction ID: 46445e5db67676186039e8a1d6fa7b2a3f42bfffd6932a844192a30517ef2556
Opcode Fuzzy Hash: 95156e8d080c615f3872da4d588bf0f0e962b448d6bf0bd9f1096277d6db9593
Instruction Fuzzy Hash: 5E518E32A09B40DAE754CFA1F84869E77F4F788784F14412AEA9DA3B58DF78C554CB00

Function 0000022DA5448520 Relevance: 18.1, APIs: 12, Instructions: 145networkCOMMON

Download Yara Rule

APIs

WSASocketA.WS2_32 ref: 0000022DA5448580
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54483BB), ref: 0000022DA5448591
htons.WS2_32 ref: 0000022DA54485A7
inet_addr.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54483BB), ref: 0000022DA54485B5
gethostbyname.WS2_32 ref: 0000022DA54485C7
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54483BB), ref: 0000022DA54485D2
connect.WS2_32 ref: 0000022DA54485FE
WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54483BB), ref: 0000022DA5448609
malloc.LIBCMT ref: 0000022DA5448623
closesocket.WS2_32 ref: 0000022DA54486B8
WSACreateEvent.WS2_32(?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54483BB), ref: 0000022DA54486C6
WSAEventSelect.WS2_32 ref: 0000022DA54486E2

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$Event$CreateSelectSocketclosesocketconnectgethostbynamehtonsinet_addrmalloc
String ID:
API String ID: 471021859-0
Opcode ID: 3733ca4a708ad8a4a8fa9b9e523cf3e307f05c70f64900cc74d456c1621f5916
Instruction ID: 6cc84f9e26e2f35e6ca24421f4267543d6123d0a81414ea15eb0872e9f24f204
Opcode Fuzzy Hash: 3733ca4a708ad8a4a8fa9b9e523cf3e307f05c70f64900cc74d456c1621f5916
Instruction Fuzzy Hash: BC517F32A05F40A7E794DFA5E858B5A73F4F748B90F004226EEA963B94EFB8C551C740

Function 0000022DA383A5B8 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,0000022DA383A20F,?,?,?,0000022DA383A3D3), ref: 0000022DA383A5C9
free.LIBCMT ref: 0000022DA383A5E6

Part of subcall function 0000022DA3837A38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A4E
Part of subcall function 0000022DA3837A38: _errno.LIBCMT ref: 0000022DA3837A58
Part of subcall function 0000022DA3837A38: GetLastError.KERNEL32(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A60

free.LIBCMT ref: 0000022DA383A5FB
free.LIBCMT ref: 0000022DA383A61C
free.LIBCMT ref: 0000022DA383A631
free.LIBCMT ref: 0000022DA383A645
free.LIBCMT ref: 0000022DA383A651
free.LIBCMT ref: 0000022DA383A67C
EncodePointer.KERNEL32(?,?,00000000,0000022DA383A20F,?,?,?,0000022DA383A3D3), ref: 0000022DA383A684
free.LIBCMT ref: 0000022DA383A69D
free.LIBCMT ref: 0000022DA383A6B6
free.LIBCMT ref: 0000022DA383A6E7

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: b3a0e0396639249c71e9aa26cafc735f66f055ef20655c3ad1bc0635891ce98c
Instruction ID: 86a6e5c15ec0ccf86d65c5906c1a4d7d8640ad24b8a0ba218aa39454a244cb34
Opcode Fuzzy Hash: b3a0e0396639249c71e9aa26cafc735f66f055ef20655c3ad1bc0635891ce98c
Instruction Fuzzy Hash: 69311C35641B00A3FED99FF1E89DF6833A2BB94B94F581225E91A0E7A1DF3CC4408350

Function 0000022DA54B9ADC Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,0000022DA54B79DB,?,?,?,0000022DA54B7B9F), ref: 0000022DA54B9AED
free.LIBCMT ref: 0000022DA54B9B0A

Part of subcall function 0000022DA54B68FC: HeapFree.KERNEL32(?,?,00000000,0000022DA54B98C2,?,?,0000000D,0000022DA54B7C59,?,?,?,?,0000022DA54B72DA,?,?,0000000D), ref: 0000022DA54B6912
Part of subcall function 0000022DA54B68FC: _errno.LIBCMT ref: 0000022DA54B691C
Part of subcall function 0000022DA54B68FC: GetLastError.KERNEL32(?,?,00000000,0000022DA54B98C2,?,?,0000000D,0000022DA54B7C59,?,?,?,?,0000022DA54B72DA,?,?,0000000D), ref: 0000022DA54B6924

free.LIBCMT ref: 0000022DA54B9B1F
free.LIBCMT ref: 0000022DA54B9B40
free.LIBCMT ref: 0000022DA54B9B55
free.LIBCMT ref: 0000022DA54B9B69
free.LIBCMT ref: 0000022DA54B9B75
free.LIBCMT ref: 0000022DA54B9BA0
EncodePointer.KERNEL32(?,?,00000000,0000022DA54B79DB,?,?,?,0000022DA54B7B9F), ref: 0000022DA54B9BA8
free.LIBCMT ref: 0000022DA54B9BC1
free.LIBCMT ref: 0000022DA54B9BDA
free.LIBCMT ref: 0000022DA54B9C0B

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: 7ef4d00cf1373484d145eca789713105cff272003fc2ab18a57462c4f5b4bff1
Instruction ID: 8682a4777160d712e96dfa7bcabd8c411a286956d5705de4d4579060c0c7d35a
Opcode Fuzzy Hash: 7ef4d00cf1373484d145eca789713105cff272003fc2ab18a57462c4f5b4bff1
Instruction Fuzzy Hash: FB31E973F16A41F5FE54ABD5E89DF6972B0BB88B90F091629DE19262E5CFEC84448200

Function 0000022DA546E960 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,00000000,0000022DA546E6FF,?,?,?,0000022DA546E8C3), ref: 0000022DA546E971
free.LIBCMT ref: 0000022DA546E98E

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

free.LIBCMT ref: 0000022DA546E9A3
free.LIBCMT ref: 0000022DA546E9C4
free.LIBCMT ref: 0000022DA546E9D9
free.LIBCMT ref: 0000022DA546E9ED
free.LIBCMT ref: 0000022DA546E9F9
free.LIBCMT ref: 0000022DA546EA24
EncodePointer.KERNEL32(?,?,00000000,0000022DA546E6FF,?,?,?,0000022DA546E8C3), ref: 0000022DA546EA2C
free.LIBCMT ref: 0000022DA546EA45
free.LIBCMT ref: 0000022DA546EA5E
free.LIBCMT ref: 0000022DA546EA8F

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: 6ba2539c76f53d1adbfad5b8b6b185f52b19deab08f80fcf734a4da2d236b371
Instruction ID: ed5f137eec9d6efdc3cdac389ce7941dd1841721a18164848a6b43ace4631ef4
Opcode Fuzzy Hash: 6ba2539c76f53d1adbfad5b8b6b185f52b19deab08f80fcf734a4da2d236b371
Instruction Fuzzy Hash: 283170B5E21B01F1FF54DFD6E85EBA523E0BB86B90F480219A919766D6CFECC4108391

Function 0000022DA381D8C0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 192stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA381D934

Part of subcall function 0000022DA382815C: malloc.LIBCMT ref: 0000022DA3828165
Part of subcall function 0000022DA382815C: CreateMutexExW.KERNEL32 ref: 0000022DA3828190

strchr.LIBCMT ref: 0000022DA381D9BA
malloc.LIBCMT ref: 0000022DA381DA83
_snwprintf_s.LIBCMT ref: 0000022DA381DAFA
calloc.LIBCMT ref: 0000022DA381DB2A
CloseHandle.KERNEL32 ref: 0000022DA381DBEA
CloseHandle.KERNEL32 ref: 0000022DA381DC20
free.LIBCMT ref: 0000022DA381DC2B

Strings

W, xrefs: 0000022DA381D9C4
\\%s\pipe\%s, xrefs: 0000022DA381DAE5

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: CloseHandlecallocmalloc$CreateMutex_snwprintf_sfreestrchr
String ID: W$\\%s\pipe\%s
API String ID: 110335666-3143433832
Opcode ID: 553465560d47cb8b1b4db5094ffc333addb07e77ad577b436cd6a9d095589ff6
Instruction ID: daace5740cc9dbb9b6c7a5dc5076cc6bd25683a19759815a6ef2ce7a183af83f
Opcode Fuzzy Hash: 553465560d47cb8b1b4db5094ffc333addb07e77ad577b436cd6a9d095589ff6
Instruction Fuzzy Hash: CBA12D32218B8193EBD0DBA5E458B6B67A2F7C4794F105125FA8E8BBD9DF7CC4458B00

Function 0000022DA5452C80 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

/s /q:%d /p:0x%08X, xrefs: 0000022DA5452DE9
\\.\pipe\%08X, xrefs: 0000022DA5452DCF

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID:
String ID: /s /q:%d /p:0x%08X$\\.\pipe\%08X
API String ID: 0-3807318313
Opcode ID: 117abb5689a1162f575d2938e7a556432ab1682f49f688ad41d18977c0c4886d
Instruction ID: d96915203d8168fde58bba83ce8a11a7765ac2be246645b9c6a638670c6a66f4
Opcode Fuzzy Hash: 117abb5689a1162f575d2938e7a556432ab1682f49f688ad41d18977c0c4886d
Instruction Fuzzy Hash: 5F718072B08B81D6EB509FA5E858BEA77A1F789B84F444036DE4E57B54EFB8C445C300

Function 0000022DA3827E28 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 149networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET ref: 0000022DA3827E7F
InternetOpenW.WININET ref: 0000022DA3827EA9
GetLastError.KERNEL32 ref: 0000022DA3827ECA
InternetCrackUrlW.WININET ref: 0000022DA3827F6B
free.LIBCMT ref: 0000022DA3827F86
InternetConnectW.WININET ref: 0000022DA3828006
GetLastError.KERNEL32 ref: 0000022DA3828027
InternetSetOptionW.WININET ref: 0000022DA3828072
InternetSetOptionW.WININET ref: 0000022DA38280AC

Strings

h, xrefs: 0000022DA3827F17

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Internet$ErrorLastOpenOption$ConnectCrackfree
String ID: h
API String ID: 705787303-2439710439
Opcode ID: 33c072372aa5e3f7b67a84417e4798b09e3bc52e1f45e5ccf54b372d71b9b0ee
Instruction ID: ddfc3bf0af0d4eae3e263b531b290973f4fb8b5cc2ea4d0823a2f87c42922bfe
Opcode Fuzzy Hash: 33c072372aa5e3f7b67a84417e4798b09e3bc52e1f45e5ccf54b372d71b9b0ee
Instruction Fuzzy Hash: 0E713E76214B8593EBA0DBA6E458B5E77B1F3C5B84F504026EB9D87BA4DF79C804CB00

Function 0000022DA544D840 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 108libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00000000,0000022DA544CB25), ref: 0000022DA544D880
GetProcAddress.KERNEL32(?,?,00000000,0000022DA544CB25), ref: 0000022DA544D8B4
GetProcAddress.KERNEL32(?,?,00000000,0000022DA544CB25), ref: 0000022DA544D8C7
GetProcAddress.KERNEL32(?,?,00000000,0000022DA544CB25), ref: 0000022DA544D8DA
CloseHandle.KERNEL32(?,?,00000000,0000022DA544CB25), ref: 0000022DA544D9FA

Part of subcall function 0000022DA544DE40: OpenProcess.KERNEL32 ref: 0000022DA544DE94
Part of subcall function 0000022DA544DE40: LoadLibraryA.KERNEL32 ref: 0000022DA544DEBD
Part of subcall function 0000022DA544DE40: GetProcAddress.KERNEL32 ref: 0000022DA544DEE1
Part of subcall function 0000022DA544DE40: FreeLibrary.KERNEL32 ref: 0000022DA544DFD4
Part of subcall function 0000022DA544DE40: FreeLibrary.KERNEL32 ref: 0000022DA544DFEA
Part of subcall function 0000022DA544DE40: CloseHandle.KERNEL32 ref: 0000022DA544DFF3

Part of subcall function 0000022DA544E1D0: OpenProcess.KERNEL32 ref: 0000022DA544E26C
Part of subcall function 0000022DA544E1D0: OpenProcessToken.ADVAPI32 ref: 0000022DA544E289
Part of subcall function 0000022DA544E1D0: GetTokenInformation.ADVAPI32 ref: 0000022DA544E2B1
Part of subcall function 0000022DA544E1D0: malloc.LIBCMT ref: 0000022DA544E2BD
Part of subcall function 0000022DA544E1D0: GetTokenInformation.ADVAPI32 ref: 0000022DA544E2EC
Part of subcall function 0000022DA544E1D0: LookupAccountSidW.ADVAPI32 ref: 0000022DA544E339
Part of subcall function 0000022DA544E1D0: _snwprintf.LIBCMT ref: 0000022DA544E362
Part of subcall function 0000022DA544E1D0: free.LIBCMT ref: 0000022DA544E36F
Part of subcall function 0000022DA544E1D0: CloseHandle.KERNEL32 ref: 0000022DA544E37E

Part of subcall function 0000022DA544D690: LoadLibraryA.KERNEL32 ref: 0000022DA544D6CB
Part of subcall function 0000022DA544D690: GetProcAddress.KERNEL32 ref: 0000022DA544D6EC
Part of subcall function 0000022DA544D690: OpenProcess.KERNEL32 ref: 0000022DA544D70B
Part of subcall function 0000022DA544D690: OpenProcess.KERNEL32 ref: 0000022DA544D723
Part of subcall function 0000022DA544D690: CloseHandle.KERNEL32 ref: 0000022DA544D757
Part of subcall function 0000022DA544D690: FreeLibrary.KERNEL32 ref: 0000022DA544D765

Part of subcall function 0000022DA544D3B0: htonl.WS2_32 ref: 0000022DA544D408
Part of subcall function 0000022DA544D3B0: htonl.WS2_32 ref: 0000022DA544D509
Part of subcall function 0000022DA544D3B0: htonl.WS2_32 ref: 0000022DA544D52B

FreeLibrary.KERNEL32(?,?,00000000,0000022DA544CB25), ref: 0000022DA544DA03

Strings

Process32FirstW, xrefs: 0000022DA544D8BA
CreateToolhelp32Snapshot, xrefs: 0000022DA544D89A
Process32NextW, xrefs: 0000022DA544D8CD
kernel32, xrefs: 0000022DA544D879

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Library$AddressOpenProcProcess$CloseFreeHandle$LoadTokenhtonl$Information$AccountLookup_snwprintffreemalloc
String ID: CreateToolhelp32Snapshot$Process32FirstW$Process32NextW$kernel32
API String ID: 1256634252-2095122823
Opcode ID: a3056155ee462b6e1d986dd5dae4f069db05b3049c3b0271eb61a607154bec56
Instruction ID: 57cc3d307b50259578ba1ff198170ac31f868efd987ebf2d4b8988eefbf41c27
Opcode Fuzzy Hash: a3056155ee462b6e1d986dd5dae4f069db05b3049c3b0271eb61a607154bec56
Instruction Fuzzy Hash: 7641B531B08B80A2EB64DF51F448B9AB3B4FB85790F444225DE8957B98EF7CC514CB00

Function 0000022DA5453970 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32 ref: 0000022DA54539A4
free.LIBCMT ref: 0000022DA54539CA
DestroyWindow.USER32 ref: 0000022DA54539D9
UnregisterClassA.USER32 ref: 0000022DA54539ED
GetProcessHeap.KERNEL32 ref: 0000022DA5453A68
HeapAlloc.KERNEL32 ref: 0000022DA5453A76
DestroyWindow.USER32 ref: 0000022DA5453ACA
GetProcessHeap.KERNEL32 ref: 0000022DA5453AD0
HeapFree.KERNEL32 ref: 0000022DA5453ADE

Strings

klwClass, xrefs: 0000022DA54539E6

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Heap$Window$DestroyProcess$AllocClassFreeProcUnregisterfree
String ID: klwClass
API String ID: 3034228609-1480243690
Opcode ID: 8dbb3a2c6a82ea43f11baaa397c940cf2cf00c9ace1c0372393bc7d8e16c5198
Instruction ID: 3ca9217ffb3d424f0c5d7c423927368326cbc61f3e4a35f5bdd472366de24ba6
Opcode Fuzzy Hash: 8dbb3a2c6a82ea43f11baaa397c940cf2cf00c9ace1c0372393bc7d8e16c5198
Instruction Fuzzy Hash: 61419472A04740D2F7508FA6F84CB5A73A1F785BA4F444115EA5A63BA8DFFCC885C740

Function 0000022DA544F1D0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA544F330: VirtualAllocEx.KERNEL32(?,?,?,?,?,0000022DA544F1FA), ref: 0000022DA544F367
Part of subcall function 0000022DA544F330: GetLastError.KERNEL32(?,?,?,?,?,0000022DA544F1FA), ref: 0000022DA544F375

Part of subcall function 0000022DA544F330: WriteProcessMemory.KERNEL32 ref: 0000022DA544F393
Part of subcall function 0000022DA544F330: VirtualProtectEx.KERNEL32 ref: 0000022DA544F3BB
Part of subcall function 0000022DA544F330: GetLastError.KERNEL32 ref: 0000022DA544F3C5

GetLastError.KERNEL32 ref: 0000022DA544F265
WaitForSingleObjectEx.KERNEL32 ref: 0000022DA544F289
WaitForSingleObjectEx.KERNEL32 ref: 0000022DA544F2A6
GetExitCodeThread.KERNEL32 ref: 0000022DA544F2C7
VirtualFreeEx.KERNEL32 ref: 0000022DA544F2DE
VirtualFreeEx.KERNEL32 ref: 0000022DA544F2F9
GetLastError.KERNEL32 ref: 0000022DA544F303
CloseHandle.KERNEL32 ref: 0000022DA544F30E

Strings

@, xrefs: 0000022DA544F216

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastVirtual$FreeObjectSingleWait$AllocCloseCodeExitHandleMemoryProcessProtectThreadWrite
String ID: @
API String ID: 992791723-2766056989
Opcode ID: 9745304e536a44517992c02e6ae44f583c05c5267b49eb1c911084eeea82ab8a
Instruction ID: c5dd50d524299b1ef80f002ab2af89524066aa957b4a6a1c8cf16770d9c3f5cc
Opcode Fuzzy Hash: 9745304e536a44517992c02e6ae44f583c05c5267b49eb1c911084eeea82ab8a
Instruction Fuzzy Hash: 9C318F75B18B40A3FB548BA6B448B5E63A1F789BC4F445112EE8963F98DFBDC405CB40

Function 0000022DA544BA20 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA544BA2B
GetModuleHandleA.KERNEL32 ref: 0000022DA544BA4E
GetProcAddress.KERNEL32 ref: 0000022DA544BA6E

Strings

GetProcAddress, xrefs: 0000022DA544BA67
NtReadVirtualMemory, xrefs: 0000022DA544BAED
ntdll.dll, xrefs: 0000022DA544BA47
VirtualQueryEx, xrefs: 0000022DA544BA91
OpenProcess, xrefs: 0000022DA544BAAD
CloseHandle, xrefs: 0000022DA544BACD
kernel32.dll, xrefs: 0000022DA544BA24

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: HandleModule$AddressProc
String ID: CloseHandle$GetProcAddress$NtReadVirtualMemory$OpenProcess$VirtualQueryEx$kernel32.dll$ntdll.dll
API String ID: 1883125708-309972381
Opcode ID: f2dd72bdfa2d576fbe2b819714bf4892a22e019f6116347ace411b7de699153d
Instruction ID: 16a6e341be8598e0a45290cf44b75fe015c6d7984be3767c8a4b2f4a203e1157
Opcode Fuzzy Hash: f2dd72bdfa2d576fbe2b819714bf4892a22e019f6116347ace411b7de699153d
Instruction Fuzzy Hash: 0C21D5B1E02F01E2FF49DB99E89AB9523A4BB993A0F440465C50EA2370EEBCC546C300

Function 0000022DA381E670 Relevance: 16.8, APIs: 11, Instructions: 335networkCOMMON

Download Yara Rule

APIs

realloc.LIBCMT ref: 0000022DA381E703
htonl.WS2_32 ref: 0000022DA381E7DB
calloc.LIBCMT ref: 0000022DA381E8D4
htonl.WS2_32 ref: 0000022DA381E906
free.LIBCMT ref: 0000022DA381EA62
CoCreateGuid.OLE32 ref: 0000022DA381EA83
htonl.WS2_32 ref: 0000022DA381EA97
htons.WS2_32 ref: 0000022DA381EABA
htons.WS2_32 ref: 0000022DA381EADE
calloc.LIBCMT ref: 0000022DA381EB0F
free.LIBCMT ref: 0000022DA381EBF6

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: htonl$callocfreehtons$CreateGuidrealloc
String ID:
API String ID: 1971261790-0
Opcode ID: 35328afc6ea19eb22ab25f0db4b4a4a5eeef8f9253434140f4e37320bd541843
Instruction ID: a007271856f6eb46e235f56718a267fd83701ffa3d150be4b640f72c031f3925
Opcode Fuzzy Hash: 35328afc6ea19eb22ab25f0db4b4a4a5eeef8f9253434140f4e37320bd541843
Instruction Fuzzy Hash: 0502E176315BC49AEBA0CB6AE49479A77A1F7C8B84F104025EE8D8BB95DF7DC441CB00

Function 0000022DA5449320 Relevance: 16.7, APIs: 11, Instructions: 162networksleepCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 0000022DA5449373
accept.WS2_32 ref: 0000022DA5449395
WSAGetLastError.WS2_32 ref: 0000022DA54493A1
Sleep.KERNEL32 ref: 0000022DA54493B3

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorEventLastResetSleepaccept
String ID:
API String ID: 3917514729-0
Opcode ID: 45f8e4729edac4815a2f6e68c02a4714ce222c2d91d748c8d59c1fef3e5a756f
Instruction ID: 6e969f717d20eb45dc44d9120f95e6db6880c93a85aeddfb8153b76663fc61f8
Opcode Fuzzy Hash: 45f8e4729edac4815a2f6e68c02a4714ce222c2d91d748c8d59c1fef3e5a756f
Instruction Fuzzy Hash: 5F619C76B04B90D3DB10CFA2E448A5E73A1F789B91F504126DE8D53B64EF78C899DB00

Function 0000022DA38376F0 Relevance: 16.7, APIs: 11, Instructions: 161memorystringCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA383771F
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA383772A

Part of subcall function 0000022DA3837538: GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA3837544
Part of subcall function 0000022DA3837538: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,0000022DA3837240), ref: 0000022DA38376CB

HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA383777C
HeapReAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA383780D
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA3837862
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA38378A0
DuplicateHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA3837916
lstrcmpW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA3837963
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA3837974
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA3837994
HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3837403), ref: 0000022DA38379A6

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Heap$Free$AllocProcess$Handle$CloseCurrentDuplicatelstrcmp
String ID:
API String ID: 454806775-0
Opcode ID: 2488a5446417644ff92a72a24b515ad9633fc2793d0f775129e35f4bc9837350
Instruction ID: 1c34ca492dde0cde49f1841f825429160e301b5e82b89a5af72bd29b8c03389d
Opcode Fuzzy Hash: 2488a5446417644ff92a72a24b515ad9633fc2793d0f775129e35f4bc9837350
Instruction Fuzzy Hash: 2B81EF36208B8197E794CBB5E44871AB7A2F7C57A4F100315EAA98BBE8DF7DC445CB40

Function 0000022DA3827330 Relevance: 16.4, APIs: 13, Instructions: 122COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA382738C
free.LIBCMT ref: 0000022DA38273B3
free.LIBCMT ref: 0000022DA38273DA
free.LIBCMT ref: 0000022DA3827401
free.LIBCMT ref: 0000022DA3827428
free.LIBCMT ref: 0000022DA382744F
free.LIBCMT ref: 0000022DA3827476
GlobalFree.KERNEL32 ref: 0000022DA38274B7
GlobalFree.KERNEL32 ref: 0000022DA38274D2
free.LIBCMT ref: 0000022DA38274ED
free.LIBCMT ref: 0000022DA3827514
free.LIBCMT ref: 0000022DA382753B
free.LIBCMT ref: 0000022DA382755A

Part of subcall function 0000022DA3837A38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A4E
Part of subcall function 0000022DA3837A38: _errno.LIBCMT ref: 0000022DA3837A58
Part of subcall function 0000022DA3837A38: GetLastError.KERNEL32(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A60

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free$Free$Global$ErrorHeapLast_errno
String ID:
API String ID: 3612544453-0
Opcode ID: e56d95e6cced8005007d1aa96881f317c93609c1f593c9dfa816aee0a74d4e78
Instruction ID: cd089afaf2eb333cd972b634acf8bd9be0ad98d1f4257702767e151df1634cf3
Opcode Fuzzy Hash: e56d95e6cced8005007d1aa96881f317c93609c1f593c9dfa816aee0a74d4e78
Instruction Fuzzy Hash: 6B61A836204B8892EB649B5AE09875E77B1F3C9B88F510115EA8D4BBB5CF7DC984CB40

Function 0000022DA5454950 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 0000022DA5454AA9

Part of subcall function 0000022DA5455330: malloc.LIBCMT ref: 0000022DA545536C

htonl.WS2_32 ref: 0000022DA5454C07
htonl.WS2_32 ref: 0000022DA5454C1A
htonl.WS2_32 ref: 0000022DA5454C26
free.LIBCMT ref: 0000022DA5454CE7
free.LIBCMT ref: 0000022DA5454CF8
free.LIBCMT ref: 0000022DA5454D07
LocalFree.KERNEL32 ref: 0000022DA5454D16

Strings

stdcall, xrefs: 0000022DA5454A3D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: htonl$free$FreeLocalmalloc
String ID: stdcall
API String ID: 2516199367-1361542064
Opcode ID: f15c183f755dc4f0a415eb9a863517f708337400485c861036c74f7c0c8950ae
Instruction ID: 146ded6d32a9d3d49bb48cfc848a906ec01cbef91fcac0088e31ae7941fcdab9
Opcode Fuzzy Hash: f15c183f755dc4f0a415eb9a863517f708337400485c861036c74f7c0c8950ae
Instruction Fuzzy Hash: D4C16E72B05B549AEB50CFA5E84479E77F4F788788F100129EA8E97B58EF78C505CB00

Function 0000022DA5442BB0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

tcp, xrefs: 0000022DA5442D18
udp, xrefs: 0000022DA5442CEA

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 8a6a6b2c3d467e265fac096d79c7ce88cb79eecba16b540dbe755735aaa90b4f
Instruction ID: 6c8046ea2aff608da06af37f40a93fc58c71dc30b3cd321003e64acda980063d
Opcode Fuzzy Hash: 8a6a6b2c3d467e265fac096d79c7ce88cb79eecba16b540dbe755735aaa90b4f
Instruction Fuzzy Hash: 2081F77AA48A4063FBB5CB95D448B3A72F1FB94784F148125FD9AA33D1EFB8C8459340

Function 0000022DA37D002C Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 180COMMON

Download Yara Rule

APIs

wcsstr.LIBCMT ref: 0000022DA37D00CE
wcschr.LIBCMT ref: 0000022DA37D00F1
wcschr.LIBCMT ref: 0000022DA37D0114
calloc.LIBCMT ref: 0000022DA37D017F
_snwprintf_s.LIBCMT ref: 0000022DA37D01BF

Strings

th repeat, xrefs: 0000022DA37D0226
W, xrefs: 0000022DA37D0292
file error, xrefs: 0000022DA37D00A3
or distance symbols, xrefs: 0000022DA37D00C2

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: wcschr$_snwprintf_scallocwcsstr
String ID: W$file error$or distance symbols$th repeat
API String ID: 1285598317-45051827
Opcode ID: 0041cb5a921969245a448dec0870fe31d8be99eeb76132152970262b18651a7d
Instruction ID: 59e90836cfabbca60e75e79d571a255a45a4e17120079acc070641b642dd3f14
Opcode Fuzzy Hash: 0041cb5a921969245a448dec0870fe31d8be99eeb76132152970262b18651a7d
Instruction Fuzzy Hash: 39815532325B8593EBD09BA9E454B6EA7E2F784BC4F105121EA5DCB7A4EF39C404CB00

Function 0000022DA5442EB0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

65535, xrefs: 0000022DA5442EBE
udp, xrefs: 0000022DA5442F98

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: bdc2e146fa44cced18160ef7e12183dd69a4a8af94f1715aa0ed718e9f6321dc
Instruction ID: 150caa599f309187f25c63caf57a7a0051796c6d5b182edc7866989579228aa5
Opcode Fuzzy Hash: bdc2e146fa44cced18160ef7e12183dd69a4a8af94f1715aa0ed718e9f6321dc
Instruction Fuzzy Hash: 2361D335A59680A7FF658BD5F10CB7A66E0F744B94F484212EE8927BD8DBB8C8C1D700

Function 0000022DA5442580 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 75libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA54425B6
GetProcAddress.KERNEL32 ref: 0000022DA54425D2
GetLastError.KERNEL32 ref: 0000022DA54425EC
GlobalFree.KERNEL32 ref: 0000022DA5442631
GlobalFree.KERNEL32 ref: 0000022DA5442658
GlobalFree.KERNEL32 ref: 0000022DA544267F
FreeLibrary.KERNEL32 ref: 0000022DA544268A

Strings

WinHttpGetIEProxyConfigForCurrentUser, xrefs: 0000022DA54425C8
Winhttp.dll, xrefs: 0000022DA54425AC

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Free$Global$Library$AddressErrorLastLoadProc
String ID: WinHttpGetIEProxyConfigForCurrentUser$Winhttp.dll
API String ID: 1134048670-1089090160
Opcode ID: 4ab3733783c7517397c3ab6066e0788fcb382b80222af4e0e706d9bb7a6af0d2
Instruction ID: 07731c13f4000898a689cc55f9bba92e607137cf1384ad4dc0d22d713243c0e3
Opcode Fuzzy Hash: 4ab3733783c7517397c3ab6066e0788fcb382b80222af4e0e706d9bb7a6af0d2
Instruction Fuzzy Hash: DC315E75B04B80D3EB449B92E948A6E6761FBC9FD0F445066EE4E63B24DFB8C445C740

Function 0000022DA546DB80 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000022DA546DB9D
_errno.LIBCMT ref: 0000022DA546DB92

Part of subcall function 0000022DA546F970: _getptd_noexit.LIBCMT ref: 0000022DA546F974

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA546DBE5
_errno.LIBCMT ref: 0000022DA546DBF4
_invalid_parameter_noinfo.LIBCMT ref: 0000022DA546DBFF

Strings

eax, xrefs: 0000022DA546DBD2

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID: eax
API String ID: 781512312-2472899377
Opcode ID: aaebb8aec4a04de5942977555aeb765d9ec2d510871fe3df0c9bab814b5452b9
Instruction ID: 622d713994a843c4327c9daa0f072936b97290929e8bf7662a1a41f4241966c0
Opcode Fuzzy Hash: aaebb8aec4a04de5942977555aeb765d9ec2d510871fe3df0c9bab814b5452b9
Instruction Fuzzy Hash: 0B213D71F04BC4B6FF245BE1958CB6962A0A744BD0F144121E6992BFDEDBECC951CB00

Function 0000022DA54B42F0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA54B431D
GetProcAddress.KERNEL32 ref: 0000022DA54B4330
SetLastError.KERNEL32 ref: 0000022DA54B4341
GetProcAddress.KERNEL32 ref: 0000022DA54B4374
SetLastError.KERNEL32 ref: 0000022DA54B4385

Strings

RtlNtStatusToDosError, xrefs: 0000022DA54B436A
ntdll.dll, xrefs: 0000022DA54B430D
NtWow64ReadVirtualMemory64, xrefs: 0000022DA54B4323

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: AddressErrorLastProc$HandleModule
String ID: NtWow64ReadVirtualMemory64$RtlNtStatusToDosError$ntdll.dll
API String ID: 3725234143-3639149031
Opcode ID: eda5e5130f3b9bdebbbc96bdf620070caff5edc733c6bb22cdced1767e66f3df
Instruction ID: 6dbf3187061e4bc2b5d4484a6d65f907f534cba70063115408a71881190ec32d
Opcode Fuzzy Hash: eda5e5130f3b9bdebbbc96bdf620070caff5edc733c6bb22cdced1767e66f3df
Instruction Fuzzy Hash: 99113635B14B41A6EB149BE2F848B6DA3A1F7C8BC4F490929DE4A57794DFBCC9058700

Function 0000022DA3821508 Relevance: 15.1, APIs: 10, Instructions: 106networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000022DA382155D
WSAGetLastError.WS2_32 ref: 0000022DA3821567
getaddrinfo.WS2_32 ref: 0000022DA38215BD
WSAGetLastError.WS2_32 ref: 0000022DA38215C7

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$Startupgetaddrinfo
String ID:
API String ID: 54629767-0
Opcode ID: 227d07e7736da2bb0a1f16444392481382468d40b52e13d93a013c90c0eee2ef
Instruction ID: 550a519db886ad99cf2da9aaa3cd9d52f10527a21f7415a87d9b98a37cde5607
Opcode Fuzzy Hash: 227d07e7736da2bb0a1f16444392481382468d40b52e13d93a013c90c0eee2ef
Instruction Fuzzy Hash: DE510072218A8097D7A0DFB5E448B5EB7B1F788794F140215EAAA87BA8DF3DC544CF01

Function 0000022DA5451E90 Relevance: 15.1, APIs: 10, Instructions: 83COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32 ref: 0000022DA5451EEE
GetLastError.KERNEL32 ref: 0000022DA5451EFC
CloseHandle.KERNEL32 ref: 0000022DA5451FAD

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: CloseErrorHandleLastOpenProcess
String ID:
API String ID: 3453201768-0
Opcode ID: 7d3c404eb6caa059cd6b0fd9f879b38e38fb9a643e6d5aa9ce91def77071903c
Instruction ID: 0d37b62ed153b3162b1c9932d87051f9def7f984684425d5cbaf8a43fd347264
Opcode Fuzzy Hash: 7d3c404eb6caa059cd6b0fd9f879b38e38fb9a643e6d5aa9ce91def77071903c
Instruction Fuzzy Hash: 01316336F04B40A6EB409BE2A848B6A63A1F789FD5F045025ED8B63758EFBCD8058740

Function 0000022DA37CCCC0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 192stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA37CCD34

Part of subcall function 0000022DA37D755C: malloc.LIBCMT ref: 0000022DA37D7565

strchr.LIBCMT ref: 0000022DA37CCDBA
malloc.LIBCMT ref: 0000022DA37CCE83
_snwprintf_s.LIBCMT ref: 0000022DA37CCEFA
calloc.LIBCMT ref: 0000022DA37CCF2A
free.LIBCMT ref: 0000022DA37CD02B

Strings

invalid block type, xrefs: 0000022DA37CCDDF
W, xrefs: 0000022DA37CCDC4

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: callocmalloc$_snwprintf_sfreestrchr
String ID: W$invalid block type
API String ID: 1326561468-4266031648
Opcode ID: 8e8b489e526d1fe2fd4891168b032f20f3a221e91aaea9411026d74f6647621a
Instruction ID: f9667fcbe04a9f579e7338a05cff7a3a17a5eb0319c10c0fff42a6f84b2a830b
Opcode Fuzzy Hash: 8e8b489e526d1fe2fd4891168b032f20f3a221e91aaea9411026d74f6647621a
Instruction Fuzzy Hash: BEA15032214B81A3EBD0CB59E498B5A77A2F7C4794F105125FA8E8BBD9DF78C485CB40

Function 0000022DA381F15C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 120pipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 0000022DA381F1FB
CreateNamedPipeA.KERNEL32 ref: 0000022DA381F27A
GetLastError.KERNEL32 ref: 0000022DA381F2A1
CreateEventW.KERNEL32 ref: 0000022DA381F2CC
GetLastError.KERNEL32 ref: 0000022DA381F2ED
CreateEventW.KERNEL32 ref: 0000022DA381F30C
GetLastError.KERNEL32 ref: 0000022DA381F32D

Strings

SeSecurityPrivilege, xrefs: 0000022DA381F17E, 0000022DA381F21E

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Create$ErrorLast$EventNamedPipe
String ID: SeSecurityPrivilege
API String ID: 791494041-2333288578
Opcode ID: 7238216fa8bfb80d0fb6e22e86afc1dfdafb4e9ad41a8ce211c5c9cfe9337d0c
Instruction ID: d6f4eca69d0612ae840c2c3dddd52e33a696067262a5ecb6434f9f79330d2835
Opcode Fuzzy Hash: 7238216fa8bfb80d0fb6e22e86afc1dfdafb4e9ad41a8ce211c5c9cfe9337d0c
Instruction Fuzzy Hash: 8E518432214A8197E7E0CB74F458B9B77A1F384794F504226EA998BBD4DF7DC545CB00

Function 0000022DA5441A40 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112networkCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA5441A85

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

GetTcpTable.IPHLPAPI ref: 0000022DA5441A9B
free.LIBCMT ref: 0000022DA5441BAF

Part of subcall function 0000022DA5441890: realloc.LIBCMT ref: 0000022DA54418AC
Part of subcall function 0000022DA5441890: free.LIBCMT ref: 0000022DA54418BC

htons.WS2_32 ref: 0000022DA5441AF7
htons.WS2_32 ref: 0000022DA5441B26
free.LIBCMT ref: 0000022DA5441BB9
GetLastError.KERNEL32(?,00000000,00000000,0000022DA5441C3C,?,?,?,?,00000000,?,?,0000022DA54423E6), ref: 0000022DA5441BC5

Strings

tcp, xrefs: 0000022DA5441B6D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$_errnohtons$AllocErrorHeapLastTable_callnewhmallocrealloc
String ID: tcp
API String ID: 3667466247-2993443014
Opcode ID: f61868a484e89f093b37f0acc60c2d6a8b497917efa129030727d4f45dfd85be
Instruction ID: 77325c87191b622096cc3bed2ce19d683714e4cf0d0a7a69ce20c9be04b0d8f3
Opcode Fuzzy Hash: f61868a484e89f093b37f0acc60c2d6a8b497917efa129030727d4f45dfd85be
Instruction Fuzzy Hash: B041D332B40684A7D714DF92E448BAD77B0F344B84F80542ADE5AA3B85EFB8D545CB40

Function 0000022DA3818D78 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 103memoryinjectionlibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 0000022DA3818DCB
VirtualAlloc.KERNEL32 ref: 0000022DA3818E04
GetModuleHandleA.KERNEL32 ref: 0000022DA3818E30
GetProcAddress.KERNEL32 ref: 0000022DA3818E40
WriteProcessMemory.KERNEL32 ref: 0000022DA3818EBE
WriteProcessMemory.KERNEL32 ref: 0000022DA3818F64

Strings

ntdll, xrefs: 0000022DA3818E29
NtLockVirtualMemory, xrefs: 0000022DA3818E36

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AllocMemoryProcessVirtualWrite$AddressHandleModuleProc
String ID: NtLockVirtualMemory$ntdll
API String ID: 1502369038-2974287352
Opcode ID: ffdf16f4be959fbba581d0a970159e71194f7cce151e50d95d987598bd5584b6
Instruction ID: 20f4e4dc143c59b3b7295606c599be21e24733e98966a13b2752428680d10d98
Opcode Fuzzy Hash: ffdf16f4be959fbba581d0a970159e71194f7cce151e50d95d987598bd5584b6
Instruction Fuzzy Hash: 1451FC76615B84C7CB90CB59E09475AB7A1F3C8BA0F101216EFAE47BA8CF79C445CB00

Function 0000022DA5449B10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92sleepnetworkCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 0000022DA5449B48
recvfrom.WS2_32 ref: 0000022DA5449B80
WSAGetLastError.WS2_32 ref: 0000022DA5449B8D
Sleep.KERNEL32 ref: 0000022DA5449BB4

Strings

0.0.0.0, xrefs: 0000022DA5449C09

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorEventLastResetSleeprecvfrom
String ID: 0.0.0.0
API String ID: 2877576581-3771769585
Opcode ID: e829768a542569bcba86cc34f543e2bdc0c756bbfb874fd027a9c235bc169f16
Instruction ID: 92fe4747a455d8382f3641c10b8da01cf8fab5fdad3f45e32ba5c8a8179486f2
Opcode Fuzzy Hash: e829768a542569bcba86cc34f543e2bdc0c756bbfb874fd027a9c235bc169f16
Instruction Fuzzy Hash: AC416172504B81DAD7208F61F4487AAB7F4F78A794F504226EA8D63B58DFBCC594CB00

Function 0000022DA381CEF8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 89libraryloaderthreadCOMMON

Download Yara Rule

APIs

CreateRemoteThread.KERNEL32 ref: 0000022DA381CF6A
GetLastError.KERNEL32 ref: 0000022DA381CF75
GetModuleHandleA.KERNEL32 ref: 0000022DA381CFAD
GetProcAddress.KERNEL32 ref: 0000022DA381CFBD
SetLastError.KERNEL32 ref: 0000022DA381D081
SetLastError.KERNEL32 ref: 0000022DA381D0AE

Strings

RtlCreateUserThread, xrefs: 0000022DA381CFB3
ntdll, xrefs: 0000022DA381CFA6

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$AddressCreateHandleModuleProcRemoteThread
String ID: RtlCreateUserThread$ntdll
API String ID: 1699155657-687317052
Opcode ID: c8ba533d1ca9a2a55e49f07b6cc1bdd2cf2805416945380d613a0e33ef05ffd3
Instruction ID: 15d2369e17855690db49279f479c1c0e6e479a8d16ac73c7e26e6580b7136640
Opcode Fuzzy Hash: c8ba533d1ca9a2a55e49f07b6cc1bdd2cf2805416945380d613a0e33ef05ffd3
Instruction Fuzzy Hash: 3E510B32108B84DBE7E0CBA5F448B5AB3B6F788754F504125DA8D86BA8DF7DC488CB01

Function 0000022DA54544E0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 70windowregistryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32 ref: 0000022DA5454567
CreateWindowExA.USER32 ref: 0000022DA54545AC
GetMessageA.USER32 ref: 0000022DA54545DD
TranslateMessage.USER32 ref: 0000022DA54545F5
DispatchMessageA.USER32 ref: 0000022DA5454600
GetMessageA.USER32 ref: 0000022DA5454613

Strings

P, xrefs: 0000022DA545454C
klwClass, xrefs: 0000022DA545452E

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Message$ClassCreateDispatchRegisterTranslateWindow
String ID: P$klwClass
API String ID: 2143098044-3097189138
Opcode ID: 0c1b0a1ee8904fd3c41a36f6768f220812905632bc2d4d8ac1e0421799b14281
Instruction ID: 8cbac3cbd3f22594ca48f74a05cf5e17d7d68bdd26c8e65503299ce8b1ad9667
Opcode Fuzzy Hash: 0c1b0a1ee8904fd3c41a36f6768f220812905632bc2d4d8ac1e0421799b14281
Instruction Fuzzy Hash: D0316F36A04BC5E2EB608FA4F849B9A73A0F785354F845126D79E63A94DFBCC448CB00

Function 0000022DA544D690 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA544D6CB
GetProcAddress.KERNEL32 ref: 0000022DA544D6EC
OpenProcess.KERNEL32 ref: 0000022DA544D70B
OpenProcess.KERNEL32 ref: 0000022DA544D723
CloseHandle.KERNEL32 ref: 0000022DA544D757
FreeLibrary.KERNEL32 ref: 0000022DA544D765

Part of subcall function 0000022DA544D790: LoadLibraryA.KERNEL32 ref: 0000022DA544D7CA
Part of subcall function 0000022DA544D790: GetProcAddress.KERNEL32 ref: 0000022DA544D7E2
Part of subcall function 0000022DA544D790: FreeLibrary.KERNEL32 ref: 0000022DA544D817

Strings

IsWow64Process, xrefs: 0000022DA544D6DD
kernel32.dll, xrefs: 0000022DA544D6BB

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Library$AddressFreeLoadOpenProcProcess$CloseHandle
String ID: IsWow64Process$kernel32.dll
API String ID: 2823223814-3024904723
Opcode ID: 84a970f75d5c5ef737604439012858902f14e4dd04343173b399e5aff72e2a80
Instruction ID: ad9ff8d7ecf37c1a11445912257df750a327b935d2e89d72ad2dada79acf8da8
Opcode Fuzzy Hash: 84a970f75d5c5ef737604439012858902f14e4dd04343173b399e5aff72e2a80
Instruction Fuzzy Hash: 3D218135B05B00A3FB159BA6A858B16B3F1BB49BE1F444429DE4D63B94EFBCC845C740

Function 0000022DA5453370 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA545339C
GetLastError.KERNEL32 ref: 0000022DA54533AA
GetProcAddress.KERNEL32 ref: 0000022DA54533BE
GetTickCount.KERNEL32 ref: 0000022DA54533E8
FreeLibrary.KERNEL32 ref: 0000022DA545341E

Strings

user32, xrefs: 0000022DA5453390
GetLastInputInfo, xrefs: 0000022DA54533B4

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Library$AddressCountErrorFreeLastLoadProcTick
String ID: GetLastInputInfo$user32
API String ID: 1606095281-2537165897
Opcode ID: 03c13e3c6eb630e53ab5b9de262b23798b5969459d683dd310e89929cd089e05
Instruction ID: 1b85f2d57a159254babbadc27614e8f615baed3f737adba084883b8ba063c751
Opcode Fuzzy Hash: 03c13e3c6eb630e53ab5b9de262b23798b5969459d683dd310e89929cd089e05
Instruction Fuzzy Hash: 60216036A04B50E6EB559FE6F848B6D67A0FB89FD0F484061DD0AA3754EFB8C809C740

Function 0000022DA54B4730 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,?,0000EA60,0000022DA54B4A5B), ref: 0000022DA54B4747
rand.LIBCMT ref: 0000022DA54B4760
rand.LIBCMT ref: 0000022DA54B4767
_snwprintf_s.LIBCMT ref: 0000022DA54B4786
rand.LIBCMT ref: 0000022DA54B478B
rand.LIBCMT ref: 0000022DA54B4792
_snwprintf_s.LIBCMT ref: 0000022DA54B47B2

Strings

Global\%04x%04x, xrefs: 0000022DA54B4770, 0000022DA54B479F

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: rand$_snwprintf_s$ErrorLast
String ID: Global\%04x%04x
API String ID: 2358640472-448994476
Opcode ID: 644bd0954b7540b35416f8d1993d22ba7b2ed189cd74b5cf0a3f9630fd6cde91
Instruction ID: 87f217ef4ee1b434619ebcbc00509cff1f5be647f97caa9afc6f8e89b6326fa3
Opcode Fuzzy Hash: 644bd0954b7540b35416f8d1993d22ba7b2ed189cd74b5cf0a3f9630fd6cde91
Instruction Fuzzy Hash: DD11BC32E00740A7EB28DFE4E408599B7A0F7893B0F500B22EB7853AD5EB78D121CB04

Function 0000022DA54B4680 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000022DA54B4697
rand.LIBCMT ref: 0000022DA54B46B0
rand.LIBCMT ref: 0000022DA54B46B7
_snwprintf_s.LIBCMT ref: 0000022DA54B46D6
rand.LIBCMT ref: 0000022DA54B46DB
rand.LIBCMT ref: 0000022DA54B46E2
_snwprintf_s.LIBCMT ref: 0000022DA54B4702

Strings

Global\%04x%04x, xrefs: 0000022DA54B46C0, 0000022DA54B46EF

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: rand$_snwprintf_s$ErrorLast
String ID: Global\%04x%04x
API String ID: 2358640472-448994476
Opcode ID: 1d9bff088a8ba95a953a715d2d79c325a85283e0cd682b1939a3398df1056525
Instruction ID: 77039f709bf635f872c974021abb020eea695d6e102f83073b99aa0acd1c4dfb
Opcode Fuzzy Hash: 1d9bff088a8ba95a953a715d2d79c325a85283e0cd682b1939a3398df1056525
Instruction Fuzzy Hash: A2119E32E04740A7EB28DFE4E509599B7A0F7893B4F500B22EB7853AD5EB78D521CB04

Function 0000022DA37D6730 Relevance: 13.9, APIs: 11, Instructions: 122COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA37D678C
free.LIBCMT ref: 0000022DA37D67B3
free.LIBCMT ref: 0000022DA37D67DA
free.LIBCMT ref: 0000022DA37D6801
free.LIBCMT ref: 0000022DA37D6828
free.LIBCMT ref: 0000022DA37D684F
free.LIBCMT ref: 0000022DA37D6876
free.LIBCMT ref: 0000022DA37D68ED
free.LIBCMT ref: 0000022DA37D6914
free.LIBCMT ref: 0000022DA37D693B
free.LIBCMT ref: 0000022DA37D695A

Part of subcall function 0000022DA37E6E38: _errno.LIBCMT ref: 0000022DA37E6E58

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: e56d95e6cced8005007d1aa96881f317c93609c1f593c9dfa816aee0a74d4e78
Instruction ID: 330183463e4ae81b0f2a51c659e7c5a376ce0ff94d8f0aece14e207c8f552685
Opcode Fuzzy Hash: e56d95e6cced8005007d1aa96881f317c93609c1f593c9dfa816aee0a74d4e78
Instruction Fuzzy Hash: 7C615937204B8892EBA09B49E098B5E67B1F3C9F98F950115EA8D4B7B5CF7DC944CB40

Function 0000022DA3817C3C Relevance: 13.8, APIs: 9, Instructions: 267COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 0000022DA3817D2E
htonl.WS2_32 ref: 0000022DA3817D46
htonl.WS2_32 ref: 0000022DA3817E25
htonl.WS2_32 ref: 0000022DA3817E3D
malloc.LIBCMT ref: 0000022DA3817E9C
htonl.WS2_32 ref: 0000022DA3817EC1
malloc.LIBCMT ref: 0000022DA3817EE9
free.LIBCMT ref: 0000022DA3818022
free.LIBCMT ref: 0000022DA3818040

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: htonl$freemalloc
String ID:
API String ID: 1249573706-0
Opcode ID: 2a272634d5d3f3d0f97d8cf137b80c410468859dee72902612bf31cb963d6281
Instruction ID: 997214a07feda7df80e2d926f896f4acedf4c8d18e4b7f2ab90c28a51cbe3ec8
Opcode Fuzzy Hash: 2a272634d5d3f3d0f97d8cf137b80c410468859dee72902612bf31cb963d6281
Instruction Fuzzy Hash: 25D1DD32218B8597EBB0CB79E49471AB7E1F785B88F104515EA8D877A8DF7DC845CB00

Function 0000022DA38217BC Relevance: 13.6, APIs: 9, Instructions: 102networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000022DA3821807
WSAGetLastError.WS2_32 ref: 0000022DA3821811
socket.WS2_32 ref: 0000022DA3821834
socket.WS2_32 ref: 0000022DA38218BD
htons.WS2_32 ref: 0000022DA38218F3
htons.WS2_32 ref: 0000022DA3821919

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: htonssocket$ErrorLastStartup
String ID:
API String ID: 115665238-0
Opcode ID: 180ef382919a3d1acd9061d190789caf16d27d410f500d146d518d6bec267e83
Instruction ID: dc1a32ee91b433d572980208b540abff069845a12a7ab5061286f8569ea4faf4
Opcode Fuzzy Hash: 180ef382919a3d1acd9061d190789caf16d27d410f500d146d518d6bec267e83
Instruction Fuzzy Hash: 995174322186C097E7D08FB5F48875AB3A1F784754F504125EAAA8BBE8EF7DC444CB01

Function 0000022DA54B5A20 Relevance: 13.6, APIs: 9, Instructions: 64COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,00000000,0000022DA54B2B92), ref: 0000022DA54B5A65
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,0000022DA54B2B92), ref: 0000022DA54B5A73
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,0000022DA54B2B92), ref: 0000022DA54B5AFA

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$ManagerOpen
String ID:
API String ID: 239337868-0
Opcode ID: 95beb3b2230f5ec1893a4063b74f4c1d6fa9daeb2c7f94bb601b3d8c0e38e1e8
Instruction ID: 8b4927c01518f0fcf2bd021f6f01ac20efe83f17c5cddcf15b815bd6a7aa25c2
Opcode Fuzzy Hash: 95beb3b2230f5ec1893a4063b74f4c1d6fa9daeb2c7f94bb601b3d8c0e38e1e8
Instruction Fuzzy Hash: 88215375B05B4097EB549BA7B4887ADA3E1F78DBC0F144428DD4EA3755EEBCC4458B00

Function 0000022DA37CD04C Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 351COMMON

Download Yara Rule

Strings

m, xrefs: 0000022DA37CD1C9

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: ca8c69a8187a3bcae796801e3bab1b2ea4095d4477118f32287b109b45a345bb
Instruction ID: 573a4cffd4b8b5b511f74690e607a57ac9078fd41df8fda671c1dcf0ed3af0e4
Opcode Fuzzy Hash: ca8c69a8187a3bcae796801e3bab1b2ea4095d4477118f32287b109b45a345bb
Instruction Fuzzy Hash: B6023772224B81A3EBD0DB5AE498B5B77A1F7C4B94F105025EE8E8BB95DF79C450CB00

Function 0000022DA37E99B8 Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA37E99E6

Part of subcall function 0000022DA37E6E38: _errno.LIBCMT ref: 0000022DA37E6E58

free.LIBCMT ref: 0000022DA37E99FB
free.LIBCMT ref: 0000022DA37E9A1C
free.LIBCMT ref: 0000022DA37E9A31
free.LIBCMT ref: 0000022DA37E9A45
free.LIBCMT ref: 0000022DA37E9A51
free.LIBCMT ref: 0000022DA37E9A7C
free.LIBCMT ref: 0000022DA37E9A9D
free.LIBCMT ref: 0000022DA37E9AB6
free.LIBCMT ref: 0000022DA37E9AE7

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: b3a0e0396639249c71e9aa26cafc735f66f055ef20655c3ad1bc0635891ce98c
Instruction ID: 39c83936ee8d50721cbb2db46fb5a53853313d54050fbcc3dad824321c6e9fca
Opcode Fuzzy Hash: b3a0e0396639249c71e9aa26cafc735f66f055ef20655c3ad1bc0635891ce98c
Instruction Fuzzy Hash: 7C312172251A00B3FED49BE1E8ADF686393BF56BA1F680225DD190E2D5DF6CC841C350

Function 0000022DA5441F60 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85networkCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA5441F9A

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

GetUdpTable.IPHLPAPI(?,?,00000000,0000022DA54420EC,?,?,?,?,?,00000000,?,0000022DA5442404), ref: 0000022DA5441FB0
free.LIBCMT ref: 0000022DA544205F

Part of subcall function 0000022DA5441890: realloc.LIBCMT ref: 0000022DA54418AC
Part of subcall function 0000022DA5441890: free.LIBCMT ref: 0000022DA54418BC

htons.WS2_32 ref: 0000022DA5441FFC
free.LIBCMT ref: 0000022DA5442078
GetLastError.KERNEL32(?,?,00000000,0000022DA54420EC,?,?,?,?,?,00000000,?,0000022DA5442404), ref: 0000022DA5442084

Strings

udp, xrefs: 0000022DA5442025

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$_errno$AllocErrorHeapLastTable_callnewhhtonsmallocrealloc
String ID: udp
API String ID: 2504828188-4243565622
Opcode ID: 7c111bcc891aae01d2795fd6a096e7e894eefa60fd81042b3bb89e12185893e1
Instruction ID: 5c552fa16c91515dec86befc3f77d924d94522f1666a0499dcb81a46079f6fd3
Opcode Fuzzy Hash: 7c111bcc891aae01d2795fd6a096e7e894eefa60fd81042b3bb89e12185893e1
Instruction Fuzzy Hash: B3310672B04601A3EB14DFAAD484B6D77B0FB81BC4F504013EB4AA7A95DEBDC582C740

Function 0000022DA3827B9C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 75networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestW.WININET ref: 0000022DA3827C40
SetLastError.KERNEL32 ref: 0000022DA3827C5E
InternetSetOptionW.WININET ref: 0000022DA3827C93
SetLastError.KERNEL32 ref: 0000022DA3827CA8
InternetCloseHandle.WININET ref: 0000022DA3827CCE

Strings

POST, xrefs: 0000022DA3827BF7
GET, xrefs: 0000022DA3827BE9

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorInternetLast$CloseHandleHttpOpenOptionRequest
String ID: GET$POST
API String ID: 4051435859-3192705859
Opcode ID: 18a1c17c92d67c5bc78f73a82bb78b312b9f4e99f9b287d919cf0d77241c95f0
Instruction ID: ee4be3db5fe9a001538339f268cb5d0092ebf25d29088fe465731b5ea4c52697
Opcode Fuzzy Hash: 18a1c17c92d67c5bc78f73a82bb78b312b9f4e99f9b287d919cf0d77241c95f0
Instruction Fuzzy Hash: 7931FD71208B4197E7A09BBAE44871AB7F1F384784F600425FB998BBA5DF7DC444CB01

Function 0000022DA3814010 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 57librarysleeploaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA381423D
GetLastError.KERNEL32 ref: 0000022DA3814250
GetProcAddress.KERNEL32 ref: 0000022DA3814271
GetLastError.KERNEL32 ref: 0000022DA3814284
Sleep.KERNEL32 ref: 0000022DA3814509
ResumeThread.KERNEL32 ref: 0000022DA381453C
CloseHandle.KERNEL32 ref: 0000022DA3814547
CloseHandle.KERNEL32 ref: 0000022DA3814566
FreeLibrary.KERNEL32 ref: 0000022DA3814579
SetLastError.KERNEL32 ref: 0000022DA3814583

Strings

ntdll, xrefs: 0000022DA3814236

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$CloseHandleLibrary$AddressFreeLoadProcResumeSleepThread
String ID: ntdll
API String ID: 3576214877-3337577438
Opcode ID: 403e551419c628f99cc31a171c1a46ec7f9be7557ec6651a45e369247712ff5e
Instruction ID: f55474a93163215b4a2f0a5c0743c53c365ecef6098391110a0c46038af3e61c
Opcode Fuzzy Hash: 403e551419c628f99cc31a171c1a46ec7f9be7557ec6651a45e369247712ff5e
Instruction Fuzzy Hash: 6B31DC32118A80A7F7E1ABB4F45DB9AA3B2F785B51F100425E6564F9E9DF7DC884CB00

Function 0000022DA3824844 Relevance: 12.3, APIs: 8, Instructions: 306synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA38398F8: calloc.LIBCMT ref: 0000022DA3839920

Part of subcall function 0000022DA382346C: malloc.LIBCMT ref: 0000022DA3823489

Part of subcall function 0000022DA38232D4: DnsQuery_W.DNSAPI ref: 0000022DA38233D3
Part of subcall function 0000022DA38232D4: Sleep.KERNEL32 ref: 0000022DA38233FB

calloc.LIBCMT ref: 0000022DA382496A
CreateMutexW.KERNEL32 ref: 0000022DA38249DF

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: calloc$CreateMutexQuery_Sleepmalloc
String ID:
API String ID: 2566062573-0
Opcode ID: 02d003f3f96ad69e172ef291a3a705bbe318c9c5b08e0f1a69475a33c14c482c
Instruction ID: db1b02dd42fdcfc16782bdcf3149e5969904201057d3709b807b99b25774acba
Opcode Fuzzy Hash: 02d003f3f96ad69e172ef291a3a705bbe318c9c5b08e0f1a69475a33c14c482c
Instruction Fuzzy Hash: E5022132218B8482EBA4CBA9F09579AF7A5F7C4784F145126EACD47BA8DF7CC444CB01

Function 0000022DA381F998 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 34libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA381F9BE
GetProcAddress.KERNEL32 ref: 0000022DA381F9DD
GetCurrentProcessId.KERNEL32 ref: 0000022DA381F9F6
ProcessIdToSessionId.KERNEL32 ref: 0000022DA381FA03
FreeLibrary.KERNEL32 ref: 0000022DA381FA28

Strings

kernel32.dll, xrefs: 0000022DA381F9B7
ProcessIdToSessionId, xrefs: 0000022DA381F9D1

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: LibraryProcess$AddressCurrentFreeLoadProcSession
String ID: ProcessIdToSessionId$kernel32.dll
API String ID: 4183634105-3889420803
Opcode ID: 456a6c6571a6df7f83d5e704301de544e869e40563afcb8a3ee8e0387a2ff7e8
Instruction ID: bd5944b7a954e7ed21715839e114478a0968a44cda924e221867b9bcc2fc554a
Opcode Fuzzy Hash: 456a6c6571a6df7f83d5e704301de544e869e40563afcb8a3ee8e0387a2ff7e8
Instruction Fuzzy Hash: 5611C931109A00A3E7F0DBB4E85CB1967A2F7887A8F540216D59A4AAE4DF7DC688CB05

Function 0000022DA37CA084 Relevance: 12.3, APIs: 8, Instructions: 268COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 0000022DA37CA0F0
malloc.LIBCMT ref: 0000022DA37CA27C
memcpy_s.LIBCMT ref: 0000022DA37CA2F9
memcpy_s.LIBCMT ref: 0000022DA37CA3A3
memcpy_s.LIBCMT ref: 0000022DA37CA3C0
malloc.LIBCMT ref: 0000022DA37CA42C
memcpy_s.LIBCMT ref: 0000022DA37CA48B
memcpy_s.LIBCMT ref: 0000022DA37CA4BF

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: memcpy_s$malloc
String ID:
API String ID: 569202530-0
Opcode ID: 791ac2ae2d82ca95529055ff973a2c55020dc980d904afdb92c923bb69812a5e
Instruction ID: aec2117ca39441ca1034eaef3f84807331b2492968a2fc37dfdc3350e33c82be
Opcode Fuzzy Hash: 791ac2ae2d82ca95529055ff973a2c55020dc980d904afdb92c923bb69812a5e
Instruction Fuzzy Hash: 5CD1E836205B8597EBE0CB6AE894B5A77B6F7C8B84F104025DE8D87B64EF39C445CB40

Function 0000022DA3818090 Relevance: 12.1, APIs: 8, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA3818110

Part of subcall function 0000022DA3837A78: _FF_MSGBANNER.LIBCMT ref: 0000022DA3837AA8
Part of subcall function 0000022DA3837A78: _NMSG_WRITE.LIBCMT ref: 0000022DA3837AB2
Part of subcall function 0000022DA3837A78: HeapAlloc.KERNEL32(?,?,00000000,0000022DA3840CB0,?,?,?,0000022DA3840F14,?,?,?,0000022DA3840E13), ref: 0000022DA3837ACD
Part of subcall function 0000022DA3837A78: _callnewh.LIBCMT ref: 0000022DA3837AE6
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AF1
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AFC

free.LIBCMT ref: 0000022DA38182AB

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeap_callnewhfreemalloc
String ID:
API String ID: 3198430600-0
Opcode ID: 9d6147f037978411f4800d7c51e4620988c43bb1becd94e135de29eb6841a8be
Instruction ID: 4285a2b81e43d008750eed88777863123bb40270115888ca7f251adb8303628e
Opcode Fuzzy Hash: 9d6147f037978411f4800d7c51e4620988c43bb1becd94e135de29eb6841a8be
Instruction Fuzzy Hash: F851D876618A808BD794CF69E49871AB7B2F7C8784F105115FB8A87BA8DB7DC841CF00

Function 0000022DA54B7F48 Relevance: 12.1, APIs: 8, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0000022DA54B7F65

Part of subcall function 0000022DA54BB94C: _errno.LIBCMT ref: 0000022DA54BB955
Part of subcall function 0000022DA54BB94C: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA54BB960

_errno.LIBCMT ref: 0000022DA54B7F75

Part of subcall function 0000022DA54B7C50: _getptd_noexit.LIBCMT ref: 0000022DA54B7C54

_errno.LIBCMT ref: 0000022DA54B7F91
_isatty.LIBCMT ref: 0000022DA54B7FF2
_getbuf.LIBCMT ref: 0000022DA54B7FFE
_write.LIBCMT ref: 0000022DA54B8031
_lseeki64.LIBCMT ref: 0000022DA54B8080
_write.LIBCMT ref: 0000022DA54B80AA

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: _errno$_write$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty_lseeki64
String ID:
API String ID: 2111832858-0
Opcode ID: a3dcbf415939440a01c2dd42564492f14041436682ecc8e408ae045f9c6a1700
Instruction ID: 694048b1d733be316c168e2b837b1b9198091fb01ecd1e3847673db829792419
Opcode Fuzzy Hash: a3dcbf415939440a01c2dd42564492f14041436682ecc8e408ae045f9c6a1700
Instruction Fuzzy Hash: 47413773E00B44AAEF689FB8C449B6D37A0E744F94F164215DA69573CADBF8C842C780

Function 0000022DA546FF88 Relevance: 12.1, APIs: 8, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0000022DA546FFA5

Part of subcall function 0000022DA5471F6C: _errno.LIBCMT ref: 0000022DA5471F75
Part of subcall function 0000022DA5471F6C: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA5471F80

_errno.LIBCMT ref: 0000022DA546FFB5

Part of subcall function 0000022DA546F970: _getptd_noexit.LIBCMT ref: 0000022DA546F974

_errno.LIBCMT ref: 0000022DA546FFD1
_isatty.LIBCMT ref: 0000022DA5470032
_getbuf.LIBCMT ref: 0000022DA547003E
_write.LIBCMT ref: 0000022DA5470071
_lseeki64.LIBCMT ref: 0000022DA54700C0
_write.LIBCMT ref: 0000022DA54700EA

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _errno$_write$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty_lseeki64
String ID:
API String ID: 2111832858-0
Opcode ID: 21b63f15d3f5de9f638b1b9050342a8e5a65464ee0539fbe78a82d087f4768c0
Instruction ID: c96630443d2d8cc98cd8a4a39e5155ad5ba3281354dc9ed5426cdf35e34d215e
Opcode Fuzzy Hash: 21b63f15d3f5de9f638b1b9050342a8e5a65464ee0539fbe78a82d087f4768c0
Instruction Fuzzy Hash: 60417DB2E01781A6FB288FB8D459B6D3FA0E744BA4F144506DA59573DAEBF4C841CB80

Function 0000022DA546D328 Relevance: 12.1, APIs: 8, Instructions: 87COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000022DA546D34A
_errno.LIBCMT ref: 0000022DA546D33F

Part of subcall function 0000022DA546F970: _getptd_noexit.LIBCMT ref: 0000022DA546F974

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA546D3A5
_errno.LIBCMT ref: 0000022DA546D3BE
_invalid_parameter_noinfo.LIBCMT ref: 0000022DA546D3C9
__ascii_memicmp.LIBCMT ref: 0000022DA546D3EC

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::___ascii_memicmp_getptd_noexit
String ID:
API String ID: 2223695500-0
Opcode ID: 97b4f2eea6f79403af2afcac34ffac110fbd954abfc93d9417f3026149c9da6a
Instruction ID: 6de98dfdd8a3731770e3f3694b3f748989d32483b3ea19e68b3b0346d005c5c9
Opcode Fuzzy Hash: 97b4f2eea6f79403af2afcac34ffac110fbd954abfc93d9417f3026149c9da6a
Instruction Fuzzy Hash: A6314672F04B80A2FB255FD1954CB697690A755BE0F444121EA992BFDADAF4C881C700

Function 0000022DA54B5CC0 Relevance: 12.1, APIs: 8, Instructions: 62COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54B30D7), ref: 0000022DA54B5D00
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,0000022DA54B30D7), ref: 0000022DA54B5D0E

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastManagerOpen
String ID:
API String ID: 2571844144-0
Opcode ID: 7df33f87488dc4f949f2feb23e6a6e399e59ce3288290a8b526d959b48c7d65c
Instruction ID: f81833eb761acef2c06a5a71c5818dab7dbff248f23750347214811a6d9ddf79
Opcode Fuzzy Hash: 7df33f87488dc4f949f2feb23e6a6e399e59ce3288290a8b526d959b48c7d65c
Instruction Fuzzy Hash: CC217F35B04B40A3EB64DB93A44CA59A3E5F788BD0F048125EE4E63B54EF78C946CB00

Function 00007FF6EF713910 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6EF713AC9
GetEnvironmentVariableW.KERNEL32 ref: 00007FF6EF713ADC
GetLastError.KERNEL32 ref: 00007FF6EF713AE8
GetLastError.KERNEL32 ref: 00007FF6EF713B02

Strings

internal error: entered unreachable code/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\vec\mod.rs, xrefs: 00007FF6EF713CA0

Memory Dump Source

Source File: 00000000.00000002.3274803182.00007FF6EF711000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EF710000, based on PE: true

Associated: 00000000.00000002.3274791073.00007FF6EF710000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274820997.00007FF6EF728000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274835833.00007FF6EF730000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3274847356.00007FF6EF731000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ef710000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnvironmentVariable
String ID: internal error: entered unreachable code/rustc/90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf\library\alloc\src\vec\mod.rs
API String ID: 2691138088-2475256114
Opcode ID: 9166a29505e64e3f652031e0a8747539a2815ac7f729185c84f2e6a5a26c7759
Instruction ID: 0265f7c131b8b81052c880ef28e52e07ea9dc02f4f94f39e4d0219dd1d4bbb69
Opcode Fuzzy Hash: 9166a29505e64e3f652031e0a8747539a2815ac7f729185c84f2e6a5a26c7759
Instruction Fuzzy Hash: 2FA1BEABB04AC186EF708F25E8543E97364FB44B98F048135DE5C9B788DF3AD2998305

Function 0000022DA5454D90 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA5455018
free.LIBCMT ref: 0000022DA5455026
free.LIBCMT ref: 0000022DA5455033
LocalFree.KERNEL32 ref: 0000022DA5455040

Strings

The operation completed successfully., xrefs: 0000022DA5454FCA
FormatMessage failed to retrieve the error., xrefs: 0000022DA5454FD1
stdcall, xrefs: 0000022DA5454F03

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$FreeLocal
String ID: FormatMessage failed to retrieve the error.$The operation completed successfully.$stdcall
API String ID: 3870799717-2326785561
Opcode ID: a57a6a84259da3e3b4a187ddbe449388bc614ac268b137e907607f846155ba36
Instruction ID: b0dddac2db38a2e953f0110a7c7e0d5957c9b421a283ef2563d7df9745a65b02
Opcode Fuzzy Hash: a57a6a84259da3e3b4a187ddbe449388bc614ac268b137e907607f846155ba36
Instruction Fuzzy Hash: 25813C32B01B41EAEB54CFA6E848BAD33B5F748B88F554025DE0A67B58EF78C915C340

Function 0000022DA546C1DC Relevance: 10.7, APIs: 7, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000022DA546C218

Part of subcall function 0000022DA546F970: _getptd_noexit.LIBCMT ref: 0000022DA546F974

_invalid_parameter_noinfo.LIBCMT ref: 0000022DA546C223
memcpy_s.LIBCMT ref: 0000022DA546C2E8
_fileno.LIBCMT ref: 0000022DA546C353
_read_nolock.LIBCMT ref: 0000022DA546C365
_filbuf.LIBCMT ref: 0000022DA546C381
_errno.LIBCMT ref: 0000022DA546C3D1

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfo_read_nolockmemcpy_s
String ID:
API String ID: 1864104905-0
Opcode ID: e175e0269d499a9dc307894f1e64a10e3b5424bde7628e97d882a694a69ea387
Instruction ID: d20389d924d7f9c5eb781a11b7a08affe2aa3fdec2d674a69dd1a54fe2c39d09
Opcode Fuzzy Hash: e175e0269d499a9dc307894f1e64a10e3b5424bde7628e97d882a694a69ea387
Instruction Fuzzy Hash: FA511631F0C350A2FA689BE65508F6E7691B754BF0F148715AE7963FD6CBB8C8918380

Function 0000022DA38222E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 0000022DA3822348
strstr.LIBCMT ref: 0000022DA382238E
strrchr.LIBCMT ref: 0000022DA38223A6
strrchr.LIBCMT ref: 0000022DA38223D4
SetHandleInformation.KERNEL32 ref: 0000022DA38224ED

Part of subcall function 0000022DA3839BD8: strtoxl.LIBCMT ref: 0000022DA383ED22

Strings

tcp, xrefs: 0000022DA3822369

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: strrchr$HandleInformationWcsftimestrstrstrtoxl
String ID: tcp
API String ID: 2499446636-2993443014
Opcode ID: ac5a7b3bf22963c6c55a7b8110cb3e4a829b79b4f665ff11e6ad51071bdcefb7
Instruction ID: 6d6aab429a0f17c2c3a1eee0abdd05ea26f7618694ecc6ff27ec3857edfc4c31
Opcode Fuzzy Hash: ac5a7b3bf22963c6c55a7b8110cb3e4a829b79b4f665ff11e6ad51071bdcefb7
Instruction Fuzzy Hash: 2A513F36218B8196DBD0DBA9E49875EA7A1F3C5784F504022EA8D8BBA9DF3DC501CB01

Function 0000022DA3822AF8 Relevance: 10.6, APIs: 2, Strings: 5, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA3822B06

Part of subcall function 0000022DA3837A78: _FF_MSGBANNER.LIBCMT ref: 0000022DA3837AA8
Part of subcall function 0000022DA3837A78: _NMSG_WRITE.LIBCMT ref: 0000022DA3837AB2
Part of subcall function 0000022DA3837A78: HeapAlloc.KERNEL32(?,?,00000000,0000022DA3840CB0,?,?,?,0000022DA3840F14,?,?,?,0000022DA3840E13), ref: 0000022DA3837ACD
Part of subcall function 0000022DA3837A78: _callnewh.LIBCMT ref: 0000022DA3837AE6
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AF1
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AFC

malloc.LIBCMT ref: 0000022DA3822B15

Part of subcall function 0000022DA3837A78: _callnewh.LIBCMT ref: 0000022DA3837B0C
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837B11

Part of subcall function 0000022DA3819F40: GetSystemTime.KERNEL32 ref: 0000022DA3819F49
Part of subcall function 0000022DA3819F40: SystemTimeToFileTime.KERNEL32 ref: 0000022DA3819F59

Strings

cli=, xrefs: 0000022DA3822BD5
ns=, xrefs: 0000022DA3822C2B
dns://, xrefs: 0000022DA3822BAA
req=, xrefs: 0000022DA3822C56
sid=, xrefs: 0000022DA3822C00

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Time_errno$System_callnewhmalloc$AllocFileHeap
String ID: cli=$dns://$ns=$req=$sid=
API String ID: 2355090500-3157712289
Opcode ID: a96a5186951360d153b2f89db9aba4dfebfd2983d2da8990e749ac8ea00b17d6
Instruction ID: d15c47d50900f3f6bb16c252a840e4401363a5c9a515864eb2136e3b83e01982
Opcode Fuzzy Hash: a96a5186951360d153b2f89db9aba4dfebfd2983d2da8990e749ac8ea00b17d6
Instruction Fuzzy Hash: DA514D76204F8592DBA0DFA6E49465EB7A2F7CCB98F404116EA9D8B764DF3CC205CB00

Function 0000022DA547C6CC Relevance: 10.6, APIs: 7, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000022DA547C6F7
_errno.LIBCMT ref: 0000022DA547C6EC

Part of subcall function 0000022DA546F970: _getptd_noexit.LIBCMT ref: 0000022DA546F974

_errno.LIBCMT ref: 0000022DA547C79A
_invalid_parameter_noinfo.LIBCMT ref: 0000022DA547C7A5

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 911eb1c644a15632e93f9d54052e329041cf35298d92e9b3167444eb104fdd5f
Instruction ID: b197e452161d1f1d57429f7b38f1ed18d454746884e9641215bc3e6984761fac
Opcode Fuzzy Hash: 911eb1c644a15632e93f9d54052e329041cf35298d92e9b3167444eb104fdd5f
Instruction Fuzzy Hash: 31413872E08293E5EF64ABA19548BB972E0F740B95F884012EAD477AC6DBA8C941C300

Function 0000022DA54476C0 Relevance: 10.6, APIs: 7, Instructions: 109COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA54476DE

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

realloc.LIBCMT ref: 0000022DA5447720
GetIpAddrTable.IPHLPAPI ref: 0000022DA544773E
free.LIBCMT ref: 0000022DA544774A
GetLastError.KERNEL32 ref: 0000022DA544774F

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _errno$AddrAllocErrorHeapLastTable_callnewhfreemallocrealloc
String ID:
API String ID: 3247216186-0
Opcode ID: 365049d967d77c2c3ac8918f0fbf4aa35973a8c3d2a27438d0569ac3083d7926
Instruction ID: b96624295dda5eb24b70e7ad45336ea69cbe8f1f211174b61840ef3b74b7cb4a
Opcode Fuzzy Hash: 365049d967d77c2c3ac8918f0fbf4aa35973a8c3d2a27438d0569ac3083d7926
Instruction Fuzzy Hash: 1B4190B2B00B95E3EB649B92E408B9E2364F789F94F404021DE4927B58EF7CC647CB00

Function 0000022DA546CF74 Relevance: 10.6, APIs: 7, Instructions: 107COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000022DA546CF9A
_errno.LIBCMT ref: 0000022DA546CF8F

Part of subcall function 0000022DA546F970: _getptd_noexit.LIBCMT ref: 0000022DA546F974

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA546D019
_errno.LIBCMT ref: 0000022DA546D02A
_invalid_parameter_noinfo.LIBCMT ref: 0000022DA546D035

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Locale_errno_invalid_parameter_noinfo$UpdateUpdate::__getptd_noexit
String ID:
API String ID: 781512312-0
Opcode ID: 541cce3268000b5e58aa52ce81f3fb818dd6c461a068b5e465468edd5535fa61
Instruction ID: da2fc882f6be222245b1220d1e3ab6384722708226b1ce7e297059537d70dbdf
Opcode Fuzzy Hash: 541cce3268000b5e58aa52ce81f3fb818dd6c461a068b5e465468edd5535fa61
Instruction Fuzzy Hash: A0415C72E046A2A1FB646B91944CBBD73E0E750BE4FD44026E7D427EC9D7A8C952C700

Function 0000022DA38145A0 Relevance: 10.6, APIs: 7, Instructions: 91sleepthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA381CEF8: CreateRemoteThread.KERNEL32 ref: 0000022DA381CF6A
Part of subcall function 0000022DA381CEF8: GetLastError.KERNEL32 ref: 0000022DA381CF75
Part of subcall function 0000022DA381CEF8: GetModuleHandleA.KERNEL32 ref: 0000022DA381CFAD
Part of subcall function 0000022DA381CEF8: GetProcAddress.KERNEL32 ref: 0000022DA381CFBD
Part of subcall function 0000022DA381CEF8: SetLastError.KERNEL32 ref: 0000022DA381D081

GetLastError.KERNEL32 ref: 0000022DA381464A

Part of subcall function 0000022DA3814AE8: GetVersionExW.KERNEL32 ref: 0000022DA3814B4D
Part of subcall function 0000022DA3814AE8: GetLastError.KERNEL32 ref: 0000022DA3814B57
Part of subcall function 0000022DA3814AE8: VirtualFree.KERNEL32 ref: 0000022DA3814D23
Part of subcall function 0000022DA3814AE8: VirtualFree.KERNEL32 ref: 0000022DA3814D3E

GetLastError.KERNEL32 ref: 0000022DA3814633
Sleep.KERNEL32 ref: 0000022DA38146AD
ResumeThread.KERNEL32 ref: 0000022DA38146BE
GetLastError.KERNEL32 ref: 0000022DA38146C9
CloseHandle.KERNEL32 ref: 0000022DA38146F2
SetLastError.KERNEL32 ref: 0000022DA38146FC

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$FreeHandleThreadVirtual$AddressCloseCreateModuleProcRemoteResumeSleepVersion
String ID:
API String ID: 524593884-0
Opcode ID: 5a06ccf97e586fb4dcebf73232ca85bd4bf35fd509d778f6001f57b17094352d
Instruction ID: b9c17bdc1397ffde5e8a923873defc5ea89594a7deb80b8bb8e88773736041a7
Opcode Fuzzy Hash: 5a06ccf97e586fb4dcebf73232ca85bd4bf35fd509d778f6001f57b17094352d
Instruction Fuzzy Hash: DD413271228A8193F7D0DBB5E459B5B77F2F794B98F101025FA868BAE8DF79C4448B00

Function 0000022DA54C1224 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA54C1258

Part of subcall function 0000022DA54B83BC: _getptd.LIBCMT ref: 0000022DA54B83D2
Part of subcall function 0000022DA54B83BC: __updatetlocinfo.LIBCMT ref: 0000022DA54B8407
Part of subcall function 0000022DA54B83BC: __updatetmbcinfo.LIBCMT ref: 0000022DA54B842E

_errno.LIBCMT ref: 0000022DA54C1273
_invalid_parameter_noinfo.LIBCMT ref: 0000022DA54C127E

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 2eb1a5d47409f490b13a0168d73a488cb434f0b05a52dab723d9dcdc236a4a91
Instruction ID: d3196ce8bf6e78823a8e0218609a88229faae26be4f81fde33fbbc127f07a674
Opcode Fuzzy Hash: 2eb1a5d47409f490b13a0168d73a488cb434f0b05a52dab723d9dcdc236a4a91
Instruction Fuzzy Hash: 03319176B04780A6EB64DF91D488B5DB6A4F788BE0F195121EE99A3BC5CBB4CC42C700

Function 0000022DA5478528 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA547855C

Part of subcall function 0000022DA546BBE4: _getptd.LIBCMT ref: 0000022DA546BBFA
Part of subcall function 0000022DA546BBE4: __updatetlocinfo.LIBCMT ref: 0000022DA546BC2F
Part of subcall function 0000022DA546BBE4: __updatetmbcinfo.LIBCMT ref: 0000022DA546BC56

_errno.LIBCMT ref: 0000022DA5478577
_invalid_parameter_noinfo.LIBCMT ref: 0000022DA5478582

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 3694d185819cc235fc92b525f3dfbcbb81233bc255804af67a5dfebb6cefb064
Instruction ID: 9cd881238a03e24342b549f1a47e9ac7dd0235decccb6cab2b85a8a30bb5b939
Opcode Fuzzy Hash: 3694d185819cc235fc92b525f3dfbcbb81233bc255804af67a5dfebb6cefb064
Instruction Fuzzy Hash: 7631D672B04781BAE7219F91D598B5DB7A4F344FE0F148121EE9467BDACBB4C841C704

Function 0000022DA381C998 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32 ref: 0000022DA381C9E5
wcschr.LIBCMT ref: 0000022DA381CA04
GetVolumeInformationW.KERNEL32 ref: 0000022DA381CA4B
GetComputerNameW.KERNEL32 ref: 0000022DA381CA5E
_snwprintf_s.LIBCMT ref: 0000022DA381CAAF

Strings

%04x-%04x:%s, xrefs: 0000022DA381CA98

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ComputerDirectoryInformationNameSystemVolume_snwprintf_swcschr
String ID: %04x-%04x:%s
API String ID: 2490760115-4041933335
Opcode ID: 53728fefee931a2ebb508c77460470079659acf6498bbc88df63689f9c6ebc03
Instruction ID: 0a825449b426f6701cf84c65599013a8d9acf15255dfb74dffee6ead96df4cbe
Opcode Fuzzy Hash: 53728fefee931a2ebb508c77460470079659acf6498bbc88df63689f9c6ebc03
Instruction Fuzzy Hash: 27314072218A8193E760DFA4E45479BB7B2F7C5344F504426E7C98AA98DF7DC548CB04

Function 0000022DA38213C4 Relevance: 10.6, APIs: 7, Instructions: 68networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 0000022DA3821410
WSAGetLastError.WS2_32 ref: 0000022DA382141A
socket.WS2_32 ref: 0000022DA3821435
gethostbyname.WS2_32 ref: 0000022DA3821448
inet_ntoa.WS2_32 ref: 0000022DA3821461
inet_addr.WS2_32 ref: 0000022DA3821489
htons.WS2_32 ref: 0000022DA38214A5

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLastStartupgethostbynamehtonsinet_addrinet_ntoasocket
String ID:
API String ID: 1867335311-0
Opcode ID: c65c531ffdca6c720613d626d3e0dc5e2288e2160460f4d357a311a5ce442332
Instruction ID: c3615b70d62fe270410775ade70facfc1dd6ccda08a3abeba2fe0f6d12be7c34
Opcode Fuzzy Hash: c65c531ffdca6c720613d626d3e0dc5e2288e2160460f4d357a311a5ce442332
Instruction Fuzzy Hash: 8F31E936218BC497D7909FA5F49875AB7B2F788B80F504025EA9987B68DF7DC544CB00

Function 0000022DA5445A80 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 63COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,?,?,?,?,?,?,?,?,0000022DA544562B), ref: 0000022DA5445A97
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000022DA544562B), ref: 0000022DA5445AA1

Strings

.cmd, xrefs: 0000022DA5445B0B
.bat, xrefs: 0000022DA5445AF8
.exe, xrefs: 0000022DA5445B1E
.com, xrefs: 0000022DA5445B31

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID: .bat$.cmd$.com$.exe
API String ID: 1799206407-4019086052
Opcode ID: 4a2fd66cf3d7451a24e2c0cae718cd39561c63d9a3574c1d0737895d2d99049f
Instruction ID: 956f3b619bd1e4746b44a786ad9e1993b9d50d9b38ab3b853e9b757a6deb01a2
Opcode Fuzzy Hash: 4a2fd66cf3d7451a24e2c0cae718cd39561c63d9a3574c1d0737895d2d99049f
Instruction Fuzzy Hash: C0210531F8478172FF249B9BB84DBD563B1AB967C0F485121DE59A66CADFA8C440C740

Function 0000022DA544A8A0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA544A8F7
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,0000022DA544A2E1), ref: 0000022DA544A910
GetProcAddress.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,0000022DA544A2E1), ref: 0000022DA544A920

Part of subcall function 0000022DA546BEFC: _errno.LIBCMT ref: 0000022DA546BF14
Part of subcall function 0000022DA546BEFC: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546BF20

Part of subcall function 0000022DA544F1D0: GetLastError.KERNEL32 ref: 0000022DA544F265

free.LIBCMT ref: 0000022DA544A95F

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

Strings

GetProcAddress, xrefs: 0000022DA544A916
kernel32, xrefs: 0000022DA544A909

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast_errno$AddressFreeHandleHeapModuleProc_invalid_parameter_noinfofreemalloc
String ID: GetProcAddress$kernel32
API String ID: 3678262004-2374084194
Opcode ID: 08aac1669c96ad59ab5193a0e92938f479efe0f13da1e685e59d027104f00b27
Instruction ID: 2e145a66c94552a62ce203f0ca63a690c659983da586302179c7a24f3b4496b0
Opcode Fuzzy Hash: 08aac1669c96ad59ab5193a0e92938f479efe0f13da1e685e59d027104f00b27
Instruction Fuzzy Hash: 8621F532A04B84A2E714CF92F844A9D73B0F354BE0F545216EFA923B95DBB8D585C740

Function 0000022DA544A7B0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 59libraryloaderCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA544A810
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,00000000,0000022DA544A194), ref: 0000022DA544A829
GetProcAddress.KERNEL32(?,?,?,?,?,?,00000000,0000022DA544A194), ref: 0000022DA544A839

Part of subcall function 0000022DA546BEFC: _errno.LIBCMT ref: 0000022DA546BF14
Part of subcall function 0000022DA546BEFC: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546BF20

Part of subcall function 0000022DA544F1D0: GetLastError.KERNEL32 ref: 0000022DA544F265

free.LIBCMT ref: 0000022DA544A874

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

Strings

LoadLibraryA, xrefs: 0000022DA544A82F
kernel32, xrefs: 0000022DA544A822

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast_errno$AddressFreeHandleHeapModuleProc_invalid_parameter_noinfofreemalloc
String ID: LoadLibraryA$kernel32
API String ID: 3678262004-970291620
Opcode ID: a18c84848b337dece58bb931048e8b3ff6047285e7a2630bc65a871a896b92d3
Instruction ID: 3c9eea8461bb13b342224948286b13efb25ece2f0d77508de7c1778432c4c096
Opcode Fuzzy Hash: a18c84848b337dece58bb931048e8b3ff6047285e7a2630bc65a871a896b92d3
Instruction Fuzzy Hash: BB21C531A04B4496E700CF92F84475977B0F755BE4F505216FEAA23B99DB7CD482CB40

Function 0000022DA5450650 Relevance: 10.2, APIs: 8, Instructions: 161COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA54506A5
SetLastError.KERNEL32(?,00000000,00000000,0000022DA545096D,?,?,?,?,?,?,?,?,0000022DA544F8D3), ref: 0000022DA54506B5
free.LIBCMT ref: 0000022DA5450742
calloc.LIBCMT ref: 0000022DA5450774
SetLastError.KERNEL32(?,00000000,00000000,0000022DA545096D,?,?,?,?,?,?,?,?,0000022DA544F8D3), ref: 0000022DA5450784
free.LIBCMT ref: 0000022DA5450828
free.LIBCMT ref: 0000022DA5450851
SetLastError.KERNEL32(?,00000000,00000000,0000022DA545096D,?,?,?,?,?,?,?,?,0000022DA544F8D3), ref: 0000022DA5450878

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastfree$callocmalloc
String ID:
API String ID: 2740727550-0
Opcode ID: 81b584565fd5d297028227f77da06c0b882853ab048de9ed0f142f170e64cf68
Instruction ID: 68b66c390fa474682355f0f5ff7ec1e36efe6513e30c5576d6e6b709aada077b
Opcode Fuzzy Hash: 81b584565fd5d297028227f77da06c0b882853ab048de9ed0f142f170e64cf68
Instruction Fuzzy Hash: 5651C676E01A8495EF149BA69408BA96BA0E745FF0F4C5321DF3E277D5EBB8C881C340

Function 0000022DA5450420 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA5450475
SetLastError.KERNEL32(00000000,00000000,?,0000022DA5450B60,?,?,?,?,?,?,?,?,0000022DA544F923), ref: 0000022DA5450485
free.LIBCMT ref: 0000022DA5450513
calloc.LIBCMT ref: 0000022DA5450545
SetLastError.KERNEL32(00000000,00000000,?,0000022DA5450B60,?,?,?,?,?,?,?,?,0000022DA544F923), ref: 0000022DA5450555
free.LIBCMT ref: 0000022DA54505D7
free.LIBCMT ref: 0000022DA5450601
SetLastError.KERNEL32(00000000,00000000,?,0000022DA5450B60,?,?,?,?,?,?,?,?,0000022DA544F923), ref: 0000022DA5450628

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastfree$callocmalloc
String ID:
API String ID: 2740727550-0
Opcode ID: 6dbc2973e71f7119dfdd0ef635791dce03aa3bfcd61c41b47fc5d33803883e77
Instruction ID: 1deecb0251108d5dfb50140ee21ba213080f1fa3ae3392a7ea3aebd9eb2a8b27
Opcode Fuzzy Hash: 6dbc2973e71f7119dfdd0ef635791dce03aa3bfcd61c41b47fc5d33803883e77
Instruction Fuzzy Hash: 4E51EA36E01648D6EE15DB9295087AD6BA0F755BF0F585321DE7E277E4EBB8C882C300

Function 0000022DA37CF738 Relevance: 9.2, APIs: 6, Instructions: 219COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA37CF898
free.LIBCMT ref: 0000022DA37CF8C0
free.LIBCMT ref: 0000022DA37CFA9D

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free$malloc
String ID:
API String ID: 2190258309-0
Opcode ID: 2924a211e590096db208adbcee31891b1d165d161d4f9bcb781f0d242ae2354f
Instruction ID: 4bf94913c5fcff71e8ed5bb3de0544b3dd76effea600d9de49e450631d88c70e
Opcode Fuzzy Hash: 2924a211e590096db208adbcee31891b1d165d161d4f9bcb781f0d242ae2354f
Instruction Fuzzy Hash: ABA11532319781A7EB90DB6DE458B5FB7E1F785784F500026EA898B7A5DF78C844CB40

Function 0000022DA381C530 Relevance: 9.2, APIs: 6, Instructions: 168libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA381C554

Part of subcall function 0000022DA3837A78: _FF_MSGBANNER.LIBCMT ref: 0000022DA3837AA8
Part of subcall function 0000022DA3837A78: _NMSG_WRITE.LIBCMT ref: 0000022DA3837AB2
Part of subcall function 0000022DA3837A78: HeapAlloc.KERNEL32(?,?,00000000,0000022DA3840CB0,?,?,?,0000022DA3840F14,?,?,?,0000022DA3840E13), ref: 0000022DA3837ACD
Part of subcall function 0000022DA3837A78: _callnewh.LIBCMT ref: 0000022DA3837AE6
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AF1
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AFC

GetProcAddress.KERNEL32 ref: 0000022DA381C611
GetProcAddress.KERNEL32 ref: 0000022DA381C62D
GetProcAddress.KERNEL32 ref: 0000022DA381C649
GetProcAddress.KERNEL32 ref: 0000022DA381C665
free.LIBCMT ref: 0000022DA381C72E

Part of subcall function 0000022DA3837A38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A4E
Part of subcall function 0000022DA3837A38: _errno.LIBCMT ref: 0000022DA3837A58
Part of subcall function 0000022DA3837A38: GetLastError.KERNEL32(?,?,00000000,0000022DA383C20A,?,?,?,0000022DA383C187,?,?,00000000,0000022DA3838A19), ref: 0000022DA3837A60

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AddressProc$_errno$Heap$AllocErrorFreeLast_callnewhfreemalloc
String ID:
API String ID: 430833761-0
Opcode ID: 444a66838d7445301500daaec5c4ac10f076d86f9ef1e6704d6fa196e5327548
Instruction ID: 5b98423b8f01a5ed4cfa9772f2a776727c5d9e33825516663dbf864e7d64931d
Opcode Fuzzy Hash: 444a66838d7445301500daaec5c4ac10f076d86f9ef1e6704d6fa196e5327548
Instruction Fuzzy Hash: 6A91C976218F4492DBA0CB6AE08471A77B5F3C8BD4F144516EA8D4BBB8DF79C581CB00

Function 0000022DA5454700 Relevance: 9.2, APIs: 6, Instructions: 155keyboardCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0000022DA5454815
GetSystemMetrics.USER32 ref: 0000022DA545482A
SendInput.USER32 ref: 0000022DA545488D
SendInput.USER32 ref: 0000022DA54548D4
SendInput.USER32 ref: 0000022DA54548F1
SendInput.USER32 ref: 0000022DA5454911

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: InputSend$MetricsSystem
String ID:
API String ID: 1046123477-0
Opcode ID: c58d8cc90110062565105966792f55e9f177975f02ce3faa13cdd42963eddbb9
Instruction ID: 2cd2e11c6024cab7b80e40b7f045de9cddee5b3fc3e91967715c42025511b119
Opcode Fuzzy Hash: c58d8cc90110062565105966792f55e9f177975f02ce3faa13cdd42963eddbb9
Instruction Fuzzy Hash: 3461EE36F20A50DAFB51CBB9D448B9C33B1B749794F108226CE1BB7784EBB48885CB10

Function 0000022DA5450EC0 Relevance: 9.2, APIs: 6, Instructions: 150COMMON

Download Yara Rule

APIs

ReadEventLogA.ADVAPI32 ref: 0000022DA5450F7D
GetLastError.KERNEL32 ref: 0000022DA5450F87
malloc.LIBCMT ref: 0000022DA5450F9B

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

ReadEventLogA.ADVAPI32 ref: 0000022DA5450FDA
GetLastError.KERNEL32 ref: 0000022DA5450FE4
free.LIBCMT ref: 0000022DA54510FA

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorEventLastRead_errno$AllocHeap_callnewhfreemalloc
String ID:
API String ID: 3766589139-0
Opcode ID: f1cbed1f684efea136e6ed17d8ac8dbfb5c67acecf9f3f8172b76b83d9252347
Instruction ID: 19ee106629a16b7f822d7fff16d4b2556507d9817aad971ba74749df4335568f
Opcode Fuzzy Hash: f1cbed1f684efea136e6ed17d8ac8dbfb5c67acecf9f3f8172b76b83d9252347
Instruction Fuzzy Hash: B8517B76B00B90E7DBA08FA2E948B6A6761F789FD0F144022DE8E63B55DF78D855C700

Function 0000022DA5450A20 Relevance: 9.1, APIs: 6, Instructions: 131registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,0000022DA544F923), ref: 0000022DA5450AAB
calloc.LIBCMT ref: 0000022DA5450AD0

Part of subcall function 0000022DA546AEF4: _calloc_impl.LIBCMT ref: 0000022DA546AF04
Part of subcall function 0000022DA546AEF4: _errno.LIBCMT ref: 0000022DA546AF17
Part of subcall function 0000022DA546AEF4: _errno.LIBCMT ref: 0000022DA546AF21

RegQueryValueExW.ADVAPI32(?,?,?,?,?,?,?,?,0000022DA544F923), ref: 0000022DA5450B01
free.LIBCMT ref: 0000022DA5450BD5

Part of subcall function 0000022DA5450420: free.LIBCMT ref: 0000022DA5450513
Part of subcall function 0000022DA5450420: calloc.LIBCMT ref: 0000022DA5450545
Part of subcall function 0000022DA5450420: SetLastError.KERNEL32(00000000,00000000,?,0000022DA5450B60,?,?,?,?,?,?,?,?,0000022DA544F923), ref: 0000022DA5450555
Part of subcall function 0000022DA5450420: free.LIBCMT ref: 0000022DA5450601

free.LIBCMT ref: 0000022DA5450B86

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

free.LIBCMT ref: 0000022DA5450BFC

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$_errno$ErrorLastQueryValuecalloc$FreeHeap_calloc_impl
String ID:
API String ID: 3084246691-0
Opcode ID: f75a3c969e001daa7a393804a44f63590950462704e3f5a69417c00f7993bf87
Instruction ID: 996a3caea4793ea957caa76d4963727cf365c2840b75292341a1360a7698eaa1
Opcode Fuzzy Hash: f75a3c969e001daa7a393804a44f63590950462704e3f5a69417c00f7993bf87
Instruction Fuzzy Hash: ED518176A04B81D7EB64DF96A848B6E77A0F789FC0F144025DE4E63B54EE78C845CB00

Function 0000022DA37D1EF8 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 123COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA37D1F06

Part of subcall function 0000022DA37E6E78: _FF_MSGBANNER.LIBCMT ref: 0000022DA37E6EA8
Part of subcall function 0000022DA37E6E78: _NMSG_WRITE.LIBCMT ref: 0000022DA37E6EB2
Part of subcall function 0000022DA37E6E78: _callnewh.LIBCMT ref: 0000022DA37E6EE6
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6EF1
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6EFC

malloc.LIBCMT ref: 0000022DA37D1F15

Part of subcall function 0000022DA37E6E78: _callnewh.LIBCMT ref: 0000022DA37E6F0C
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6F11

Strings

NtQueryObject, xrefs: 0000022DA37D1FD5
eryInformationProcess, xrefs: 0000022DA37D1FA3
ZwSetIoCompletion, xrefs: 0000022DA37D2000
RtlGetVersion, xrefs: 0000022DA37D2056

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errno$_callnewhmalloc
String ID: NtQueryObject$RtlGetVersion$ZwSetIoCompletion$eryInformationProcess
API String ID: 661295742-4117932401
Opcode ID: c3e2c0a078b40758424f9ad967fb538ecd7246e2e0d4d9e4506b99119c5b4195
Instruction ID: 2f918c7be666353c61679af28f54d766b0d1689f2eedba2e8aa49249a9255148
Opcode Fuzzy Hash: c3e2c0a078b40758424f9ad967fb538ecd7246e2e0d4d9e4506b99119c5b4195
Instruction Fuzzy Hash: 1E510B36204B89D3DBA0DB95E49465E77A2F7C8BD8F504126EE8D8B764DF38C606CB40

Function 0000022DA5450240 Relevance: 9.1, APIs: 6, Instructions: 110registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022DA54502C8
calloc.LIBCMT ref: 0000022DA54502FD

Part of subcall function 0000022DA546AEF4: _calloc_impl.LIBCMT ref: 0000022DA546AF04
Part of subcall function 0000022DA546AEF4: _errno.LIBCMT ref: 0000022DA546AF17
Part of subcall function 0000022DA546AEF4: _errno.LIBCMT ref: 0000022DA546AF21

RegEnumValueW.ADVAPI32 ref: 0000022DA5450337
free.LIBCMT ref: 0000022DA5450381
RegEnumValueW.ADVAPI32 ref: 0000022DA54503B4
free.LIBCMT ref: 0000022DA54503CD

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: EnumValue_errnofree$InfoQuery_calloc_implcalloc
String ID:
API String ID: 3915807233-0
Opcode ID: 6a2763e74ed5711b130198dbd27d85c688d94f932cbd2809e19751c319e88d1a
Instruction ID: 382b02982211c669710ccaae6a108bb261b971785522e9f251d33c33e5e88b1e
Opcode Fuzzy Hash: 6a2763e74ed5711b130198dbd27d85c688d94f932cbd2809e19751c319e88d1a
Instruction Fuzzy Hash: 20415A36608B8097E760CB66F884B5AB7A9F789B90F544125EFCE53B28DF78C454CB04

Function 0000022DA37D6974 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

wcsncpy.LIBCMT ref: 0000022DA37D69E6
wcsncpy.LIBCMT ref: 0000022DA37D6A1A
wcsncpy.LIBCMT ref: 0000022DA37D6A82
wcsncpy.LIBCMT ref: 0000022DA37D6AB6
wcsncpy.LIBCMT ref: 0000022DA37D6AEA
wcscpy.LIBCMT ref: 0000022DA37D6B18

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: wcsncpy$wcscpy
String ID:
API String ID: 58731003-0
Opcode ID: 3afe515ccca787da4b8cd8b7d803b652c833aa8cc9bb52540bff7f60c8713fc4
Instruction ID: 4a7d8dd62a3c4815627ef5ec8d595e6ce5faf49c94cbc3ab821e968ece72cc93
Opcode Fuzzy Hash: 3afe515ccca787da4b8cd8b7d803b652c833aa8cc9bb52540bff7f60c8713fc4
Instruction Fuzzy Hash: 0651F876704B4582EFA0CB5AE094B1A67A2F7C9BC8F504125EF8D8B7A5DF39C845CB00

Function 0000022DA3827574 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

wcsncpy.LIBCMT ref: 0000022DA38275E6
wcsncpy.LIBCMT ref: 0000022DA382761A
wcsncpy.LIBCMT ref: 0000022DA3827682
wcsncpy.LIBCMT ref: 0000022DA38276B6
wcsncpy.LIBCMT ref: 0000022DA38276EA
wcscpy.LIBCMT ref: 0000022DA3827718

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: wcsncpy$wcscpy
String ID:
API String ID: 58731003-0
Opcode ID: 764537a2a5afd9bfb38099af9eba761009025697c048a1809a03572ce4e2e3b3
Instruction ID: 6dd67efc54c21ba0a6c958922e8212ddd6459ad6ff72d9a40db962dc30986b24
Opcode Fuzzy Hash: 764537a2a5afd9bfb38099af9eba761009025697c048a1809a03572ce4e2e3b3
Instruction Fuzzy Hash: 7A51E876704B4582EBA4DBAED09875A67A2F7C9BC8F100125EF8D8B7A5DF39C441CB40

Function 0000022DA54512F0 Relevance: 9.1, APIs: 6, Instructions: 107COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 0000022DA54513BD
malloc.LIBCMT ref: 0000022DA54513CE
GetEnvironmentVariableW.KERNEL32 ref: 0000022DA54513DF
free.LIBCMT ref: 0000022DA545140A
free.LIBCMT ref: 0000022DA5451412
free.LIBCMT ref: 0000022DA545141A

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$EnvironmentVariable$malloc
String ID:
API String ID: 1318801561-0
Opcode ID: 133b088d16df7b7019a12885803ce409e39ee2c3a360c1c40228a5c69d451d67
Instruction ID: 0ca23e99edee8f16a878390f6f7d5bba3d321b7643c2e89517fe9c6ff4ee217d
Opcode Fuzzy Hash: 133b088d16df7b7019a12885803ce409e39ee2c3a360c1c40228a5c69d451d67
Instruction Fuzzy Hash: 2E41F572B00B9092EB549FA3A818B6E67D0F78AFC0F485021DE8B67B55DE7CC442C700

Function 0000022DA544A210 Relevance: 9.1, APIs: 6, Instructions: 106libraryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 0000022DA544A2AB
LoadLibraryA.KERNEL32 ref: 0000022DA544A309
GetLastError.KERNEL32 ref: 0000022DA544A319

Part of subcall function 0000022DA544A7B0: malloc.LIBCMT ref: 0000022DA544A810

Part of subcall function 0000022DA544A8A0: malloc.LIBCMT ref: 0000022DA544A8F7

FreeLibrary.KERNEL32 ref: 0000022DA544A35A

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Librarymalloc$CurrentErrorFreeLastLoadProcess
String ID:
API String ID: 956524601-0
Opcode ID: e05b62aa72fa9048d230cdb91fb37554d1463ff26985787a0f1a9d1a11e3426e
Instruction ID: 8eef272cd5fb36be22993d3d95eebad0b7559d5ba6b466a9610d4826f598deb4
Opcode Fuzzy Hash: e05b62aa72fa9048d230cdb91fb37554d1463ff26985787a0f1a9d1a11e3426e
Instruction Fuzzy Hash: 0941B372A05B40A3FB559BD3A808BAE67B2F789FD0F584021DD4967B54EFB8C481C340

Function 0000022DA54498C0 Relevance: 9.1, APIs: 6, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d53ae265ed818472e7ebf757b5697b586dd8e39efb7bc364705298cd18c0929
Instruction ID: 211ca78d1244e85ad1d1a700504101609a25ce2474620478864c45af15176803
Opcode Fuzzy Hash: 5d53ae265ed818472e7ebf757b5697b586dd8e39efb7bc364705298cd18c0929
Instruction Fuzzy Hash: 3C41C272A05B8097EBA0CFA1E488B5E77B0F789B50F148126DE8963B54DF78C8459B40

Function 0000022DA54B4840 Relevance: 9.1, APIs: 6, Instructions: 102COMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA54B488C

Part of subcall function 0000022DA54B68B8: _calloc_impl.LIBCMT ref: 0000022DA54B68C8
Part of subcall function 0000022DA54B68B8: _errno.LIBCMT ref: 0000022DA54B68DB
Part of subcall function 0000022DA54B68B8: _errno.LIBCMT ref: 0000022DA54B68E5

ReadProcessMemory.KERNEL32 ref: 0000022DA54B48B4
calloc.LIBCMT ref: 0000022DA54B4900
ReadProcessMemory.KERNEL32 ref: 0000022DA54B4924
GetLastError.KERNEL32 ref: 0000022DA54B496D
free.LIBCMT ref: 0000022DA54B499F

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: MemoryProcessRead_errnocalloc$ErrorLast_calloc_implfree
String ID:
API String ID: 2427788749-0
Opcode ID: 7ea07f29334364c2d4685d9aa688f24c38482693598f0f38b5f4dc1d61a76cf3
Instruction ID: 838f2ddf38c67240da01bbbee0f44918ece089e1c32050ed85eddcf5712b7a4f
Opcode Fuzzy Hash: 7ea07f29334364c2d4685d9aa688f24c38482693598f0f38b5f4dc1d61a76cf3
Instruction Fuzzy Hash: 6C417E32A05B40A2FB208F6AF448B5AB7E5F788B94F564125DE8D67764DF78C845CB00

Function 0000022DA54500A0 Relevance: 9.1, APIs: 6, Instructions: 98registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32 ref: 0000022DA5450125
calloc.LIBCMT ref: 0000022DA545015A

Part of subcall function 0000022DA546AEF4: _calloc_impl.LIBCMT ref: 0000022DA546AF04
Part of subcall function 0000022DA546AEF4: _errno.LIBCMT ref: 0000022DA546AF17
Part of subcall function 0000022DA546AEF4: _errno.LIBCMT ref: 0000022DA546AF21

RegEnumKeyW.ADVAPI32 ref: 0000022DA545017A
free.LIBCMT ref: 0000022DA54501C1
RegEnumKeyW.ADVAPI32 ref: 0000022DA54501D8
free.LIBCMT ref: 0000022DA54501F1

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Enum_errnofree$InfoQuery_calloc_implcalloc
String ID:
API String ID: 3908565598-0
Opcode ID: 3c2bc61c779a6dabc6de36b31d91c07013ad77ae4d8a620056ae0c0044b09962
Instruction ID: 4d678db473797fedfd8fa8204ff2834a7bf053152832d6a3f6ece55eab77223c
Opcode Fuzzy Hash: 3c2bc61c779a6dabc6de36b31d91c07013ad77ae4d8a620056ae0c0044b09962
Instruction Fuzzy Hash: 89417236704BC096EB64CBA6B894B6EB7A4F789BC0F544025DE8E63B55EF78C845C700

Function 0000022DA3816E14 Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

realloc.LIBCMT ref: 0000022DA3816EA4

Part of subcall function 0000022DA3818090: malloc.LIBCMT ref: 0000022DA3818110
Part of subcall function 0000022DA3818090: free.LIBCMT ref: 0000022DA38182AB

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: freemallocrealloc
String ID:
API String ID: 197341925-0
Opcode ID: f6daa87061b71052a5e8d7de5c52011f9cda202e2a2ecc8122e233af98821786
Instruction ID: ab47ce8237632d2b9547ff65f6e62fa4692f406ba49f361211e090053776ef17
Opcode Fuzzy Hash: f6daa87061b71052a5e8d7de5c52011f9cda202e2a2ecc8122e233af98821786
Instruction Fuzzy Hash: 6441EBB661864087DB64CFA9E494B1AB7A2F7C8794F104115EB8D87B68CB7CD845CF00

Function 0000022DA54491C0 Relevance: 9.1, APIs: 6, Instructions: 82networkCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA54491FB

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

WSACreateEvent.WS2_32 ref: 0000022DA544922B
WSAGetLastError.WS2_32 ref: 0000022DA544923A
WSAEventSelect.WS2_32 ref: 0000022DA5449252
WSAGetLastError.WS2_32 ref: 0000022DA544925D
free.LIBCMT ref: 0000022DA54492F8

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast_errno$EventHeap$AllocCreateFreeSelect_callnewhfreemalloc
String ID:
API String ID: 472862634-0
Opcode ID: a215cec91a7d63ac7f325a131e6027c5252de390ab7df3612c3f1dcb9557ded0
Instruction ID: b4a1b251b44bdddb3f75841095711a558347c4ba9f9978f60e96b7eae67ff5cb
Opcode Fuzzy Hash: a215cec91a7d63ac7f325a131e6027c5252de390ab7df3612c3f1dcb9557ded0
Instruction Fuzzy Hash: F4316A32A15F8092EB84CF65F848B5A73F4F789B84F144129EA9D93B58EF78C460C740

Function 0000022DA544C960 Relevance: 9.1, APIs: 6, Instructions: 71COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 0000022DA544C9D0
OpenProcess.KERNEL32 ref: 0000022DA544C9DE
TerminateProcess.KERNEL32 ref: 0000022DA544C9F1
GetLastError.KERNEL32 ref: 0000022DA544C9FB
CloseHandle.KERNEL32 ref: 0000022DA544CA06
GetLastError.KERNEL32 ref: 0000022DA544CA30

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastProcess$CloseHandleOpenTerminatehtonl
String ID:
API String ID: 71079760-0
Opcode ID: 2721868255f1aacb77f3d04f4d59bbd12ef2fb55a40fbe540329c80e90f8efdd
Instruction ID: fc57c39af35f390e63b233aabf7da7305bf253f33bf7d0b73731d9e483a9719e
Opcode Fuzzy Hash: 2721868255f1aacb77f3d04f4d59bbd12ef2fb55a40fbe540329c80e90f8efdd
Instruction Fuzzy Hash: E7218E36B04A6097E754DFA2A808B6AA7E1F789FD1F494126DE4AA3724DFB8C105C740

Function 0000022DA546CC24 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000022DA546CC61

Part of subcall function 0000022DA546F970: _getptd_noexit.LIBCMT ref: 0000022DA546F974

_invalid_parameter_noinfo.LIBCMT ref: 0000022DA546CC6C
_getstream.LIBCMT ref: 0000022DA546CC93
_errno.LIBCMT ref: 0000022DA546CCA5
_errno.LIBCMT ref: 0000022DA546CCB8
_wopenfile.LIBCMT ref: 0000022DA546CCE6

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_wopenfile
String ID:
API String ID: 2917438572-0
Opcode ID: 2c1e0e690f0faa1a1be827e41460c57e1209367e6fcff44c2fe0c2915a9e3f53
Instruction ID: b59825d0d8a2c4867feefa4ef6c8015999956a32e6f9af44abb130d8861196a4
Opcode Fuzzy Hash: 2c1e0e690f0faa1a1be827e41460c57e1209367e6fcff44c2fe0c2915a9e3f53
Instruction Fuzzy Hash: 7C212971B08385B1FB105FD6A818B2EB2B17B44BC0F0048216E8977F9BEBBCC8419710

Function 0000022DA37D47F8 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 213COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA37D49B9
memcpy_s.LIBCMT ref: 0000022DA37D4A01
free.LIBCMT ref: 0000022DA37D4AFE
free.LIBCMT ref: 0000022DA37D4B16

Strings

empty distance tree with lengths, xrefs: 0000022DA37D486F

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free$mallocmemcpy_s
String ID: empty distance tree with lengths
API String ID: 3228596553-1599073622
Opcode ID: fdcef176d2e3cd7c2100b21721ec6986f25585f6f17376425f8ddb058785bd5c
Instruction ID: 9058549df1e59b3314917f239499e63e4585424ec7b5bb33da7bf5eae145ad8d
Opcode Fuzzy Hash: fdcef176d2e3cd7c2100b21721ec6986f25585f6f17376425f8ddb058785bd5c
Instruction Fuzzy Hash: C1B14072208BD197EBA08BA5E45975BB7A2F7C4794F004025DA898BB95EF7CC448CF40

Function 0000022DA37D16E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 0000022DA37D1748
strstr.LIBCMT ref: 0000022DA37D178E
strrchr.LIBCMT ref: 0000022DA37D17A6
strrchr.LIBCMT ref: 0000022DA37D17D4

Part of subcall function 0000022DA37E8FD8: strtoxl.LIBCMT ref: 0000022DA37EE122

Strings

oversubscribed dynamic bit lengths tree, xrefs: 0000022DA37D1782

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: strrchr$Wcsftimestrstrstrtoxl
String ID: oversubscribed dynamic bit lengths tree
API String ID: 2674253548-3896287439
Opcode ID: 6f42fd81d3b10d1dc50917501a6ca4722e4fa581d99a151bcdde38ab6bebfcf9
Instruction ID: b617a2fc6b8916d64d7a6ce93a2be8672f63d2bd8d7e1053fc239bd665678f5c
Opcode Fuzzy Hash: 6f42fd81d3b10d1dc50917501a6ca4722e4fa581d99a151bcdde38ab6bebfcf9
Instruction Fuzzy Hash: E1512D36218B8196E7D0DB69E48875EA7A2F7C5BC4F105026EA8D8BBA5DF3DC405CF00

Function 0000022DA545B9A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

_wgetenv.LIBCMT ref: 0000022DA545BAAF
swscanf.LIBCMT ref: 0000022DA545BAD2

Strings

JPEGMEM, xrefs: 0000022DA545BA04
x, xrefs: 0000022DA545BACD
%ld%c, xrefs: 0000022DA545BAC3

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _wgetenvswscanf
String ID: %ld%c$JPEGMEM$x
API String ID: 2353447129-3402169052
Opcode ID: 53edf71d2590f30500fd9bee9edd56da98a5a7114dc558a95a86df3063b861dd
Instruction ID: a35d8af9e64fc6dfb4d15220652c942dd5495ecd33e1048fe59abdf30287c9e4
Opcode Fuzzy Hash: 53edf71d2590f30500fd9bee9edd56da98a5a7114dc558a95a86df3063b861dd
Instruction Fuzzy Hash: C6416032615B80A6EB41CF65E48479D37F8F748B88F50412AEA8F53768EF78C955C780

Function 0000022DA5449D10 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA5449D35
GetProcAddress.KERNEL32 ref: 0000022DA5449D4D
FreeLibrary.KERNEL32 ref: 0000022DA5449D8F

Strings

ProcessIdToSessionId, xrefs: 0000022DA5449D43
kernel32.dll, xrefs: 0000022DA5449D2E

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: ProcessIdToSessionId$kernel32.dll
API String ID: 145871493-3889420803
Opcode ID: f5c07b316afeeaae3df54012d40d518287d5aa9d213152fe4b5eb8805c0c94b0
Instruction ID: f86efd69e6ceabc6a56a152f6d65703650a84a9617a28f81b65797cda4e49cf0
Opcode Fuzzy Hash: f5c07b316afeeaae3df54012d40d518287d5aa9d213152fe4b5eb8805c0c94b0
Instruction Fuzzy Hash: F5115AB1B15740A2FF98CB95F4C8A6973B0E78C7A0F445025EA5F57764DF78C8809700

Function 0000022DA54B13F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA54B142A
GetProcAddress.KERNEL32 ref: 0000022DA54B1442
FreeLibrary.KERNEL32 ref: 0000022DA54B1477

Strings

kernel32.dll, xrefs: 0000022DA54B1404
GetNativeSystemInfo, xrefs: 0000022DA54B1438

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 145871493-192647395
Opcode ID: f9144159a94ecbe2b9332d8ceb7004389a9aec0873ba4f9bd88d8412bde9f250
Instruction ID: 06a57168c35e898912abb7618eeb7e51745876526b495339cbf1228764586d33
Opcode Fuzzy Hash: f9144159a94ecbe2b9332d8ceb7004389a9aec0873ba4f9bd88d8412bde9f250
Instruction Fuzzy Hash: BC115A32B15B0092EB608B51E88866D72F5F788B80F054539DA9D93354EF79CA00CB40

Function 0000022DA544D790 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA544D7CA
GetProcAddress.KERNEL32 ref: 0000022DA544D7E2
FreeLibrary.KERNEL32 ref: 0000022DA544D817

Strings

kernel32.dll, xrefs: 0000022DA544D7A4
GetNativeSystemInfo, xrefs: 0000022DA544D7D8

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 145871493-192647395
Opcode ID: 91b4001e747ae214535c209cc716b75a2d3acc7bdfba024cf91300cd0eecf4a1
Instruction ID: bbe0778ddfdbdb3950f3ed19f5d697ea824c9f96581a26d08c6a8173c39c8387
Opcode Fuzzy Hash: 91b4001e747ae214535c209cc716b75a2d3acc7bdfba024cf91300cd0eecf4a1
Instruction Fuzzy Hash: EE115732B09B0092EB608F95E84872D72E5F74CB80F058136DAADA3350EFB8CA44CB50

Function 0000022DA5449DC0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA5449DE1
GetProcAddress.KERNEL32 ref: 0000022DA5449DF9
FreeLibrary.KERNEL32 ref: 0000022DA5449E20

Strings

WTSGetActiveConsoleSessionId, xrefs: 0000022DA5449DEF
kernel32.dll, xrefs: 0000022DA5449DDA

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WTSGetActiveConsoleSessionId$kernel32.dll
API String ID: 145871493-2743965321
Opcode ID: cb38db8ac66084356a66413303b3f8781eea74fe0e263c13ac51d946d92f83bb
Instruction ID: b9cf85ed696864e2259e48a1f52b1f8d05edc921efa9b0ec51fb22cbe7b8a23b
Opcode Fuzzy Hash: cb38db8ac66084356a66413303b3f8781eea74fe0e263c13ac51d946d92f83bb
Instruction Fuzzy Hash: CBF04F71A42B01B3FF448BD9B848B1553E0AB49B90F589435C90EA63A0EEB8C855C250

Function 0000022DA37C32E4 Relevance: 7.9, APIs: 2, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

mpatible version, xrefs: 0000022DA37C3636
buffer error, xrefs: 0000022DA37C3497
@, xrefs: 0000022DA37C36FA

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: malloc
String ID: @$buffer error$mpatible version
API String ID: 2803490479-928677456
Opcode ID: 1011aa9bef5c62dbc200150169c76b0e372b639647ab671715a595af9ce66285
Instruction ID: 074e07b35644838bcc98dc22157519aa9560a3147548b6518ef269df6d99dc3c
Opcode Fuzzy Hash: 1011aa9bef5c62dbc200150169c76b0e372b639647ab671715a595af9ce66285
Instruction Fuzzy Hash: 0C121431119BC1A7F7E09BA9E458B6BB7E2F784784F504025EA8A8BB94DF7DC444CB40

Function 0000022DA37CDA70 Relevance: 7.8, APIs: 5, Instructions: 335COMMON

Download Yara Rule

APIs

realloc.LIBCMT ref: 0000022DA37CDB03
calloc.LIBCMT ref: 0000022DA37CDCD4
free.LIBCMT ref: 0000022DA37CDE62
calloc.LIBCMT ref: 0000022DA37CDF0F
free.LIBCMT ref: 0000022DA37CDFF6

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: callocfree$realloc
String ID:
API String ID: 3532980479-0
Opcode ID: ed9d0478292aff0bb0ff41c6eb372e2df8ab086baffa9bdd4ca0657a5db33009
Instruction ID: d6ee8741b12befef74b3e840090edb8f227fe68b8e3397101d885c8e23d9713a
Opcode Fuzzy Hash: ed9d0478292aff0bb0ff41c6eb372e2df8ab086baffa9bdd4ca0657a5db33009
Instruction Fuzzy Hash: D6022F76305BC4DAEBA0CB6AE49479A77A1F7C8B84F104025EE8D8BB55DF79C451CB00

Function 0000022DA37D512C Relevance: 7.8, APIs: 4, Strings: 1, Instructions: 302COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA37D536E
malloc.LIBCMT ref: 0000022DA37D540F
calloc.LIBCMT ref: 0000022DA37D5453
calloc.LIBCMT ref: 0000022DA37D54D0

Strings

IoCompletion, xrefs: 0000022DA37D5182

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: callocmalloc
String ID: IoCompletion
API String ID: 1635859522-2167567656
Opcode ID: def9d216b9ea24561024c6f685b2adc64e7dc3bfb9425c4402de36753f1953f2
Instruction ID: dd036ad0ee91268e5de292b497b537e89088e7a693eaa82ef938b58ce0dcc134
Opcode Fuzzy Hash: def9d216b9ea24561024c6f685b2adc64e7dc3bfb9425c4402de36753f1953f2
Instruction Fuzzy Hash: 30F1F132208BC597E7A08B55E45879EB7E6F3C4BD4F504425DA898BBA8DF79C488CF40

Function 0000022DA3826E78 Relevance: 7.8, APIs: 5, Instructions: 291sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA3819F40: GetSystemTime.KERNEL32 ref: 0000022DA3819F49
Part of subcall function 0000022DA3819F40: SystemTimeToFileTime.KERNEL32 ref: 0000022DA3819F59

rand.LIBCMT ref: 0000022DA3827092
rand.LIBCMT ref: 0000022DA38270AD
Sleep.KERNEL32 ref: 0000022DA382711A

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Time$Systemrand$FileSleep
String ID:
API String ID: 3199569092-0
Opcode ID: 5458d583ebc1a2179058ed294e10a48a736a9e4fca760fd71e5d77958432c93c
Instruction ID: e0cf7746e555af57a3c42f465920822953ff8263e4770f5225a139efd2459f32
Opcode Fuzzy Hash: 5458d583ebc1a2179058ed294e10a48a736a9e4fca760fd71e5d77958432c93c
Instruction Fuzzy Hash: CAE10E7221874197EBA0CBBAE45871AB7E1F7C8B94F100525FA9D8BBA5DB78C444CF01

Function 0000022DA37D6B88 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA37D6B9C

Part of subcall function 0000022DA37E6E78: _FF_MSGBANNER.LIBCMT ref: 0000022DA37E6EA8
Part of subcall function 0000022DA37E6E78: _NMSG_WRITE.LIBCMT ref: 0000022DA37E6EB2
Part of subcall function 0000022DA37E6E78: _callnewh.LIBCMT ref: 0000022DA37E6EE6
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6EF1
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6EFC

malloc.LIBCMT ref: 0000022DA37D6BAB

Part of subcall function 0000022DA37E6E78: _callnewh.LIBCMT ref: 0000022DA37E6F0C
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6F11

free.LIBCMT ref: 0000022DA37D6D98
malloc.LIBCMT ref: 0000022DA37D6DE7

Strings

stream error, xrefs: 0000022DA37D6CED

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$free
String ID: stream error
API String ID: 2522206970-3905021454
Opcode ID: 0dc374131a1903f30db0cb4fcc86ee01ac6b701a5e2c5482a167e838d2151210
Instruction ID: cd01571906d478de22d0749369e09110b166655964b5137325fcb927fa385860
Opcode Fuzzy Hash: 0dc374131a1903f30db0cb4fcc86ee01ac6b701a5e2c5482a167e838d2151210
Instruction Fuzzy Hash: 86C1F532218B4593EB90CB5AE494B6A77E1F3C8B94F544126EA8D8B7A5DF38C545CF00

Function 0000022DA3827788 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 234COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA382779C

Part of subcall function 0000022DA3837A78: _FF_MSGBANNER.LIBCMT ref: 0000022DA3837AA8
Part of subcall function 0000022DA3837A78: _NMSG_WRITE.LIBCMT ref: 0000022DA3837AB2
Part of subcall function 0000022DA3837A78: HeapAlloc.KERNEL32(?,?,00000000,0000022DA3840CB0,?,?,?,0000022DA3840F14,?,?,?,0000022DA3840E13), ref: 0000022DA3837ACD
Part of subcall function 0000022DA3837A78: _callnewh.LIBCMT ref: 0000022DA3837AE6
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AF1
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AFC

malloc.LIBCMT ref: 0000022DA38277AB

Part of subcall function 0000022DA3837A78: _callnewh.LIBCMT ref: 0000022DA3837B0C
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837B11

free.LIBCMT ref: 0000022DA3827998
malloc.LIBCMT ref: 0000022DA38279E7

Strings

https, xrefs: 0000022DA38278ED

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$AllocHeapfree
String ID: https
API String ID: 1282991897-1056335270
Opcode ID: fcdadbf60aca2c88c7e86dc93bdc864658fe16372a8526a01dbfb0313e400af8
Instruction ID: 66573ded46d7bc7723df5f71392b6c278a1b44232be56cb188b9d17ed16654c7
Opcode Fuzzy Hash: fcdadbf60aca2c88c7e86dc93bdc864658fe16372a8526a01dbfb0313e400af8
Instruction Fuzzy Hash: AEC12936614B4593EB90CBAAE49476A77E1F3C8B84F104126FE8E8B7A5DF38C541CB00

Function 0000022DA54B8850 Relevance: 7.7, APIs: 5, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 0000022DA54B8874

Part of subcall function 0000022DA54B8484: _errno.LIBCMT ref: 0000022DA54B848D
Part of subcall function 0000022DA54B8484: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA54B8498

cvtdate.LIBCMT ref: 0000022DA54B8959
cvtdate.LIBCMT ref: 0000022DA54B8A5D
_invoke_watson.LIBCMT ref: 0000022DA54B8AF7

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: cvtdate$_errno_get_daylight_invalid_parameter_noinfo_invoke_watson
String ID:
API String ID: 1447642234-0
Opcode ID: c717f58b61fabb93384f06f529ff7be971ac10c0f43f0954e917759a1e431396
Instruction ID: 63e362fd6def7a5af4b77bd81e84579e9358b02db13a25ddbeecb5570c6c7dbd
Opcode Fuzzy Hash: c717f58b61fabb93384f06f529ff7be971ac10c0f43f0954e917759a1e431396
Instruction Fuzzy Hash: B1815FB3E14250EBEB748F85E448E2AFBE5F398744F15511AEA8563AA8D7F8C540CF00

Function 0000022DA54415C0 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA5441608

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

GetIpNetTable.IPHLPAPI ref: 0000022DA5441626
swprintf.LIBCMT ref: 0000022DA544176D
free.LIBCMT ref: 0000022DA54417CB
GetLastError.KERNEL32 ref: 0000022DA544180B

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _errno$AllocErrorHeapLastTable_callnewhfreemallocswprintf
String ID:
API String ID: 1746394769-0
Opcode ID: 5ac1e9e33e70036c5149f37b110cffd040cce6d41ebf7450485b1192e357c043
Instruction ID: d7f0fe3b7e8e542148a98362ea4233b23fad13dda86225e14b3cabbd44974bd7
Opcode Fuzzy Hash: 5ac1e9e33e70036c5149f37b110cffd040cce6d41ebf7450485b1192e357c043
Instruction Fuzzy Hash: C951DF33641AC0ABEB31CF64E844BDA77A4F384368F405115DA9A57B88DB78C646CB00

Function 0000022DA3843C1C Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA3843C7E
_isleadbyte_l.LIBCMT ref: 0000022DA3843CAE
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,0000022DA383E4DA), ref: 0000022DA3843CED
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,0000022DA383E4DA), ref: 0000022DA3843D3B
_errno.LIBCMT ref: 0000022DA3843D45

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: 661c5b9ba275ff4e5bf902f70c604f74e02c38ab4a62dc1d77f1c21cb65c6a9f
Instruction ID: 625b514362f7b572f2b9e558e2fdfc3f476edfb4d79c1b902aec8dea9ee37a1e
Opcode Fuzzy Hash: 661c5b9ba275ff4e5bf902f70c604f74e02c38ab4a62dc1d77f1c21cb65c6a9f
Instruction Fuzzy Hash: 9441C53232478097E7E08F65E548B29BBA6FB98F84F148125FB895BF95DB78C4618700

Function 0000022DA54BE054 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA54BE0B6
_isleadbyte_l.LIBCMT ref: 0000022DA54BE0E6
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,0000022DA54BCC37), ref: 0000022DA54BE125
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,0000022DA54BCC37), ref: 0000022DA54BE173
_errno.LIBCMT ref: 0000022DA54BE17D

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: bb500fa1f9681e3ff1c3bd5ac37acf72c22b924064050129ccdf58f699b715e5
Instruction ID: 361f7c52d367e6afd90bcb811b2423514accd66ed3b8081570f0ec609934915e
Opcode Fuzzy Hash: bb500fa1f9681e3ff1c3bd5ac37acf72c22b924064050129ccdf58f699b715e5
Instruction Fuzzy Hash: 7E41D536A0478097EF608F65D584B2DBBA5FBD4FC0F2A4125EB896BB95CB78C8518700

Function 0000022DA547BB58 Relevance: 7.6, APIs: 5, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA547BBBA
_isleadbyte_l.LIBCMT ref: 0000022DA547BBEA
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,0000022DA54749AA), ref: 0000022DA547BC29
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,0000022DA54749AA), ref: 0000022DA547BC77
_errno.LIBCMT ref: 0000022DA547BC81

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: b04b0ad383ec3e336078602d6af8b39561975d207cd1c59c949de03cade90b0e
Instruction ID: 5810e58462d2eeecf7cf8b262cce04a5e8ff61f1d05313f49324394f00413610
Opcode Fuzzy Hash: b04b0ad383ec3e336078602d6af8b39561975d207cd1c59c949de03cade90b0e
Instruction Fuzzy Hash: 1541D932A147819AE7608F55D588B6D7BF5F784FC0F188125EF896BB99EB78C841C700

Function 0000022DA544AE60 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA544AEF2

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

ReadProcessMemory.KERNEL32 ref: 0000022DA544AF1A
GetLastError.KERNEL32 ref: 0000022DA544AF24
GetLastError.KERNEL32 ref: 0000022DA544AF31
free.LIBCMT ref: 0000022DA544AF79

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast_errno$AllocHeapMemoryProcessRead_callnewhfreemalloc
String ID:
API String ID: 1082828278-0
Opcode ID: d6e3e4dbab309babc6095987cc6d779e96ab9c6683f6db230d54e8c5aec90de9
Instruction ID: f7f70e9e287b6983ecb9160d8c63ed5e97db73502ca97a0e0d6c7d9174edb956
Opcode Fuzzy Hash: d6e3e4dbab309babc6095987cc6d779e96ab9c6683f6db230d54e8c5aec90de9
Instruction Fuzzy Hash: E131C4B6B00B4193EB149BA3A808B6A63A1B789FC0F540032DD0D77B65EFB8C445C344

Function 0000022DA5448930 Relevance: 7.6, APIs: 5, Instructions: 79networksleepCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 0000022DA5448987
recv.WS2_32 ref: 0000022DA54489B7
WSAGetLastError.WS2_32 ref: 0000022DA54489C2
select.WS2_32 ref: 0000022DA5448A3B
Sleep.KERNEL32 ref: 0000022DA5448A74

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorEventLastResetSleeprecvselect
String ID:
API String ID: 2565462947-0
Opcode ID: 7ff08507b991db5d8e799856edb0927d5906ac72714c7171890ce3b41740d667
Instruction ID: 6b7a0f1207590c974dc833a035de1aa99da6821f37db57b6547fe303c2962ae9
Opcode Fuzzy Hash: 7ff08507b991db5d8e799856edb0927d5906ac72714c7171890ce3b41740d667
Instruction Fuzzy Hash: AE319272B08A81A2EB709B65F888B6E63A0FBC5784F854121DB5963A98DF78C444CB00

Function 0000022DA3818808 Relevance: 7.6, APIs: 5, Instructions: 54memoryinjectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32 ref: 0000022DA3818850
VirtualQuery.KERNEL32 ref: 0000022DA38188A3
VirtualProtect.KERNEL32 ref: 0000022DA38188BE
VirtualProtect.KERNEL32 ref: 0000022DA3818908
FlushInstructionCache.KERNEL32 ref: 0000022DA381891F

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Virtual$Protect$CacheFlushInstructionMemoryProcessQueryWrite
String ID:
API String ID: 834688674-0
Opcode ID: 5ebdedb7cf474a5ac70c0ba1df02ce31ed7c10c00178b883543388ffadd1ac77
Instruction ID: 2966988ce9a2e3b21b8b0b92827c95c7b7166da7b8697cae42e66e5ea8e1ce48
Opcode Fuzzy Hash: 5ebdedb7cf474a5ac70c0ba1df02ce31ed7c10c00178b883543388ffadd1ac77
Instruction Fuzzy Hash: 8621B976218BC086CB60CF6AE45465AB761F3C9BA4F504206EEEE43BA8CF3DC445CB00

Function 0000022DA38210DC Relevance: 7.5, APIs: 5, Instructions: 46COMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA38210FD

Part of subcall function 0000022DA383828C: _calloc_impl.LIBCMT ref: 0000022DA383829C
Part of subcall function 0000022DA383828C: _errno.LIBCMT ref: 0000022DA38382AF
Part of subcall function 0000022DA383828C: _errno.LIBCMT ref: 0000022DA38382B9

GetCurrentProcess.KERNEL32 ref: 0000022DA382112F
DuplicateHandle.KERNEL32 ref: 0000022DA3821169
free.LIBCMT ref: 0000022DA3821178
GetLastError.KERNEL32 ref: 0000022DA382117D

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errno$CurrentDuplicateErrorHandleLastProcess_calloc_implcallocfree
String ID:
API String ID: 461984912-0
Opcode ID: 9d57ffffa63c1059fcfc04dfa408433c05a265e70f195dc81d1451cadfc5e6b0
Instruction ID: dae3cb40f262dcb3a3c398e56f67df36a4101cd2060cd3319e69cddcd77569b6
Opcode Fuzzy Hash: 9d57ffffa63c1059fcfc04dfa408433c05a265e70f195dc81d1451cadfc5e6b0
Instruction Fuzzy Hash: 5B114936608B8083EBA0CFA5E84475AB3B1F7C5B84F604015EACD8BB58DF7EC4448B40

Function 0000022DA54B2C30 Relevance: 7.5, APIs: 5, Instructions: 41threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0000022DA54B2C42
OpenThreadToken.ADVAPI32 ref: 0000022DA54B2C58
GetLastError.KERNEL32 ref: 0000022DA54B2C62
GetTokenInformation.ADVAPI32 ref: 0000022DA54B2C8C

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: ThreadToken$CurrentErrorInformationLastOpen
String ID:
API String ID: 1989924565-0
Opcode ID: 5084d3087fa723fc127976a8fcbcba8c3f86658a42e98295b28540321170cdb4
Instruction ID: 57c1c70b1b060636d589c14a665f1a329847604b1107356a311560cfde8316ba
Opcode Fuzzy Hash: 5084d3087fa723fc127976a8fcbcba8c3f86658a42e98295b28540321170cdb4
Instruction Fuzzy Hash: A0014C76A14A4593EB108BA1F44CB9AA3B0FB84BA5F440025EA4957764DFBCC189CB00

Function 0000022DA54560EF Relevance: 7.5, APIs: 5, Instructions: 36windowCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000022DA5456104
GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 8112e8dad5f93f916fb8fc8fa314a8115170b58fc8da1b1524b40cf92251e3a6
Instruction ID: e32feaab2ac5e382c4a6b43e35ef38af88380d67778d912ba802f1c0c8a138a0
Opcode Fuzzy Hash: 8112e8dad5f93f916fb8fc8fa314a8115170b58fc8da1b1524b40cf92251e3a6
Instruction Fuzzy Hash: 32017836605B8092E7759F94F41879A73A0F3887B4F005226DEAA63BE4CF7CC595CB50

Function 0000022DA3818B50 Relevance: 7.5, APIs: 5, Instructions: 33memoryinjectionCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 0000022DA3818B7E
VirtualProtect.KERNEL32 ref: 0000022DA3818B99
WriteProcessMemory.KERNEL32 ref: 0000022DA3818BC7
VirtualProtect.KERNEL32 ref: 0000022DA3818BE1
FlushInstructionCache.KERNEL32 ref: 0000022DA3818BF8

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Virtual$Protect$CacheFlushInstructionMemoryProcessQueryWrite
String ID:
API String ID: 834688674-0
Opcode ID: 0ea2f94e7a4911aa9e781b1710ab951ce4168249ac3ef494bda480926371a858
Instruction ID: 028dbe4ae70ecfccfafa2bf17c9e5aa779dd7ada74acd68e1d94af834de0c02f
Opcode Fuzzy Hash: 0ea2f94e7a4911aa9e781b1710ab951ce4168249ac3ef494bda480926371a858
Instruction Fuzzy Hash: 2911D376218B8092CA50DBA6E44464AB761F38ABB1F505306EAB943BA8CF39C548CB00

Function 0000022DA5444FB0 Relevance: 7.5, APIs: 5, Instructions: 32fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,0000022DA5444552), ref: 0000022DA5444FD4
SetFileAttributesW.KERNEL32(?,?,?,0000022DA5444552), ref: 0000022DA5444FEB
DeleteFileW.KERNEL32(?,?,?,0000022DA5444552), ref: 0000022DA5444FF4
GetLastError.KERNEL32(?,?,?,0000022DA5444552), ref: 0000022DA5444FFE
free.LIBCMT ref: 0000022DA5445009

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: File$Attributes$DeleteErrorLastfree
String ID:
API String ID: 2038201108-0
Opcode ID: e197a73acfeac47e54e21bb698cdcb07d383d7de37e41704fa9242023943988f
Instruction ID: 47228fd1125742b7dc60e72793a13823bbb16d7e5186f975d97c1d6ec1fd1d3e
Opcode Fuzzy Hash: e197a73acfeac47e54e21bb698cdcb07d383d7de37e41704fa9242023943988f
Instruction Fuzzy Hash: 3EF09631F00A0063EB585BB9B85CB2812A06B89BA4F581121E91BB33E4EE78C8418340

Function 0000022DA37CF260 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA37CF286

Part of subcall function 0000022DA37E6E78: _FF_MSGBANNER.LIBCMT ref: 0000022DA37E6EA8
Part of subcall function 0000022DA37E6E78: _NMSG_WRITE.LIBCMT ref: 0000022DA37E6EB2
Part of subcall function 0000022DA37E6E78: _callnewh.LIBCMT ref: 0000022DA37E6EE6
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6EF1
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6EFC

realloc.LIBCMT ref: 0000022DA37CF39B

Part of subcall function 0000022DA37D19F8: wcsncpy.LIBCMT ref: 0000022DA37D1A66

realloc.LIBCMT ref: 0000022DA37CF4BC

Strings

0, xrefs: 0000022DA37CF278

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errnorealloc$_callnewhmallocwcsncpy
String ID: 0
API String ID: 2375943163-4108050209
Opcode ID: b3af0ea5103111c20113669314b2e1010a481647de944de36a472201f2889a52
Instruction ID: dd3381a2c7c8f6ea74a1c0b1fb9dd2e3ca707297087e1b96c9129cac4f85202b
Opcode Fuzzy Hash: b3af0ea5103111c20113669314b2e1010a481647de944de36a472201f2889a52
Instruction Fuzzy Hash: E391DC76218A8097DBA4DB5DE49461EB7E1F7C8B98F105126FB8E87B69DB38C540CF00

Function 0000022DA381FE60 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA381FE86

Part of subcall function 0000022DA3837A78: _FF_MSGBANNER.LIBCMT ref: 0000022DA3837AA8
Part of subcall function 0000022DA3837A78: _NMSG_WRITE.LIBCMT ref: 0000022DA3837AB2
Part of subcall function 0000022DA3837A78: HeapAlloc.KERNEL32(?,?,00000000,0000022DA3840CB0,?,?,?,0000022DA3840F14,?,?,?,0000022DA3840E13), ref: 0000022DA3837ACD
Part of subcall function 0000022DA3837A78: _callnewh.LIBCMT ref: 0000022DA3837AE6
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AF1
Part of subcall function 0000022DA3837A78: _errno.LIBCMT ref: 0000022DA3837AFC

realloc.LIBCMT ref: 0000022DA381FF9B

Part of subcall function 0000022DA38225F8: wcsncpy.LIBCMT ref: 0000022DA3822666

realloc.LIBCMT ref: 0000022DA38200BC

Strings

0, xrefs: 0000022DA381FE78

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errnorealloc$AllocHeap_callnewhmallocwcsncpy
String ID: 0
API String ID: 3789742870-4108050209
Opcode ID: 6e337077695a3da8e3e38612885043905c52aa8fb0f9a32c029affb8ddb49b58
Instruction ID: d1e2fd6f0a3f06143ffb99c6a86c8ef17c9be90d01df39a0e59b10e7d3230784
Opcode Fuzzy Hash: 6e337077695a3da8e3e38612885043905c52aa8fb0f9a32c029affb8ddb49b58
Instruction Fuzzy Hash: 0791FA76618A8487DBA4CB69E49461EB7E2F7C8B94F144125FA8E87B69DF7CC440CF00

Function 0000022DA5447390 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 0000022DA54473AF
swprintf.LIBCMT ref: 0000022DA54473FB

Part of subcall function 0000022DA546D0E8: _vswprintf_s_l.LIBCMT ref: 0000022DA546D102

GetDriveTypeW.KERNEL32(?,00000000,00000000,0000022DA5445D74), ref: 0000022DA5447405

Strings

%c:, xrefs: 0000022DA54473E2

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: DriveDrivesLogicalType_vswprintf_s_lswprintf
String ID: %c:
API String ID: 1363219177-1226554575
Opcode ID: ec7240422976610c5bedee10c6040ecc02fe58a08a6f64066682a8b2fafc924c
Instruction ID: 14e2cfc1c323c28f264a5f1c9c745c8ec8cee71b097f2dc615927ed55832038e
Opcode Fuzzy Hash: ec7240422976610c5bedee10c6040ecc02fe58a08a6f64066682a8b2fafc924c
Instruction Fuzzy Hash: 5611E733A0479097D700DBD2F84499EFB60F785BA0F548521EF4553BA4EBB8C596C740

Function 0000022DA3820140 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56sleeppipeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA38281F0: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000022DA3818FD8), ref: 0000022DA382820E

PeekNamedPipe.KERNEL32 ref: 0000022DA382019F
GetLastError.KERNEL32 ref: 0000022DA38201CD
Sleep.KERNEL32 ref: 0000022DA382020D

Strings

m, xrefs: 0000022DA38201FC

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLastNamedObjectPeekPipeSingleSleepWait
String ID: m
API String ID: 52212926-3775001192
Opcode ID: 2a087c1654404f3cba168cfebb68e741b99618bd2fb40eaf1b4424191ad5eb22
Instruction ID: d5ca3f3197f17bb11b6c207b17ba236a6d64c1d31ffc95dcbedaebd963c0d81e
Opcode Fuzzy Hash: 2a087c1654404f3cba168cfebb68e741b99618bd2fb40eaf1b4424191ad5eb22
Instruction Fuzzy Hash: 96210E72228B4497E790DFB5E498B0AB7B6F3C5744F005015FA9987B68EB78C444CF01

Function 0000022DA37D1E10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA37D1E6F

Part of subcall function 0000022DA37E768C: _calloc_impl.LIBCMT ref: 0000022DA37E769C
Part of subcall function 0000022DA37E768C: _errno.LIBCMT ref: 0000022DA37E76AF
Part of subcall function 0000022DA37E768C: _errno.LIBCMT ref: 0000022DA37E76B9

swprintf.LIBCMTD ref: 0000022DA37D1ECA

Part of subcall function 0000022DA37D1C9C: _vswprintf_c_l.LIBCMT ref: 0000022DA37D1CDA

wcsncpy.LIBCMT ref: 0000022DA37D1EE2

Strings

lengths, xrefs: 0000022DA37D1EB9

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errno$_calloc_impl_vswprintf_c_lcallocswprintfwcsncpy
String ID: lengths
API String ID: 3410861999-1062732404
Opcode ID: 87eecd65fb8786f2cda938ccf28df036d67f4295e8f31c338da4c49d5774e372
Instruction ID: cee2689600eba125a147e498b5270e001363422ccb386eda2f18c1e8769c8158
Opcode Fuzzy Hash: 87eecd65fb8786f2cda938ccf28df036d67f4295e8f31c338da4c49d5774e372
Instruction Fuzzy Hash: 99219C76608B84C6DB44DF4AE49055ABBB1F3CAB84F104026EF8D47B68DF39D441CB44

Function 0000022DA3822A10 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA3822A6F

Part of subcall function 0000022DA383828C: _calloc_impl.LIBCMT ref: 0000022DA383829C
Part of subcall function 0000022DA383828C: _errno.LIBCMT ref: 0000022DA38382AF
Part of subcall function 0000022DA383828C: _errno.LIBCMT ref: 0000022DA38382B9

swprintf.LIBCMTD ref: 0000022DA3822ACA

Part of subcall function 0000022DA382289C: _vswprintf_c_l.LIBCMT ref: 0000022DA38228DA

wcsncpy.LIBCMT ref: 0000022DA3822AE2

Strings

dns://%s?ns=%s&sid=%s&req=%d&cli=%s&, xrefs: 0000022DA3822AB9

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errno$_calloc_impl_vswprintf_c_lcallocswprintfwcsncpy
String ID: dns://%s?ns=%s&sid=%s&req=%d&cli=%s&
API String ID: 3410861999-2401398329
Opcode ID: 0c344751d3f3fd0527c9ead608822f9737a900d632749d6064372a82e50f1a25
Instruction ID: 20bfa06cd1d84593dda3331c41b8091878405fbc0d4be7f2ae83b653647ee61d
Opcode Fuzzy Hash: 0c344751d3f3fd0527c9ead608822f9737a900d632749d6064372a82e50f1a25
Instruction Fuzzy Hash: 0021997A608B84C6DB44DF5AE49055ABBB1F3CAB84F104026EF8D47B68DF39D441CB00

Function 0000022DA546DF24 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_callnewh.LIBCMT ref: 0000022DA546DF32
malloc.LIBCMT ref: 0000022DA546DF3E

Part of subcall function 0000022DA546AF78: _FF_MSGBANNER.LIBCMT ref: 0000022DA546AFA8
Part of subcall function 0000022DA546AF78: _NMSG_WRITE.LIBCMT ref: 0000022DA546AFB2
Part of subcall function 0000022DA546AF78: HeapAlloc.KERNEL32(?,?,0000000D,0000022DA5477AB4,?,?,?,0000022DA5477D9C,?,?,?,0000022DA5477C9B,?,?,0000000D,0000022DA5471C43), ref: 0000022DA546AFCD
Part of subcall function 0000022DA546AF78: _callnewh.LIBCMT ref: 0000022DA546AFE6
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFF1
Part of subcall function 0000022DA546AF78: _errno.LIBCMT ref: 0000022DA546AFFC

_CxxThrowException.LIBCMT ref: 0000022DA546DF87

Part of subcall function 0000022DA5476AD0: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000022DA546DF8C), ref: 0000022DA5476B3E
Part of subcall function 0000022DA5476AD0: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000022DA546DF8C), ref: 0000022DA5476B7D

Strings

bad allocation, xrefs: 0000022DA546DF4E

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Exception_callnewh_errno$AllocFileHeaderHeapRaiseThrowmalloc
String ID: bad allocation
API String ID: 1214304046-2104205924
Opcode ID: a4dff509c1b450b50239fdaaf582110b6f2ffdfed158d55507b24e56f87aede7
Instruction ID: c9e92c2c80d53ac6600b1a23c97340bda1acfcc26083b6477147815cfe8cb11a
Opcode Fuzzy Hash: a4dff509c1b450b50239fdaaf582110b6f2ffdfed158d55507b24e56f87aede7
Instruction Fuzzy Hash: 75018471F15B4AB0EE289BD5B549B946395AB44384F540020EA4D17BAAEFB8C595C700

Function 0000022DA546BF60 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000022DA546BF7E
_invalid_parameter_noinfo.LIBCMT ref: 0000022DA546BF8A
_errno.LIBCMT ref: 0000022DA546BFCC

Strings

getaddrinfo, xrefs: 0000022DA546BF60, 0000022DA546BF61

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfo
String ID: getaddrinfo
API String ID: 2819658684-300660673
Opcode ID: 5a71fc66c6ae65eb85523488547b2812afc48b5ed6f6ec9191721f6554cae090
Instruction ID: 88afc1bd9cc009061bb5b11b5f1dff83b76e1e2b3c11af02c0324442734f78d6
Opcode Fuzzy Hash: 5a71fc66c6ae65eb85523488547b2812afc48b5ed6f6ec9191721f6554cae090
Instruction Fuzzy Hash: 0101D6B1E153C2B4FE6E17F4095DF7819549B35388F2454619D81B7EFBE19A09098B10

Function 0000022DA38370F8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA3837130
GetProcAddress.KERNEL32 ref: 0000022DA3837140

Strings

ntdll.dll, xrefs: 0000022DA3837129
RtlGetVersion, xrefs: 0000022DA3837136

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlGetVersion$ntdll.dll
API String ID: 1646373207-1489217083
Opcode ID: 4ce185e765b8ed62a937bc797e23cad37f9017e2dff122add8c46e7daac59a1a
Instruction ID: e8b2074a63fd1e0a7199c5e6ad625fe6dd0594da8fd6b9f02211e07f788f09b4
Opcode Fuzzy Hash: 4ce185e765b8ed62a937bc797e23cad37f9017e2dff122add8c46e7daac59a1a
Instruction Fuzzy Hash: F9116132224681E7EBF98BB4E80CB9F62E2F788744F404135E6598AB94EB3DC545CA00

Function 0000022DA3827CB7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39networkCOMMON

Download Yara Rule

APIs

HttpOpenRequestW.WININET ref: 0000022DA3827C40
SetLastError.KERNEL32 ref: 0000022DA3827C5E
InternetCloseHandle.WININET ref: 0000022DA3827CCE

Strings

GET, xrefs: 0000022DA3827BE9

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleHttpInternetLastOpenRequest
String ID: GET
API String ID: 1146521569-1805413626
Opcode ID: bb7178db5e6b1158cbd72e94d60813d83f63c8d5a3b73460fda560e7555ca803
Instruction ID: be4e5a8a8a25aeb139ad98d77be5cc142c9b5879a482a593f3f377c3b63b5579
Opcode Fuzzy Hash: bb7178db5e6b1158cbd72e94d60813d83f63c8d5a3b73460fda560e7555ca803
Instruction Fuzzy Hash: 0F11CC75618B4197E7A09BBAE498B1AB7E1F388784F100425FB998ABA4DF7DC444CB01

Function 0000022DA544EED0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 0000022DA544EEF6
GetProcAddress.KERNEL32 ref: 0000022DA544EF06

Strings

IsWow64Process, xrefs: 0000022DA544EEFC
kernel32.dll, xrefs: 0000022DA544EEEF

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32.dll
API String ID: 1646373207-3024904723
Opcode ID: 84acbf0e931c3169ce0b8c9159b8d8034a38f356f1932ab86e08c3c25272fb96
Instruction ID: 077aeea60e4f3deb67b7949bb4215c8c9a49039c236e9005e0acfd357f275c6f
Opcode Fuzzy Hash: 84acbf0e931c3169ce0b8c9159b8d8034a38f356f1932ab86e08c3c25272fb96
Instruction Fuzzy Hash: B1F08172B19B40A6EF448B96F888A55A3A0EB88790F442025EA5F97728EB78C480C700

Function 0000022DA381E578 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA381E5A9
GetProcAddress.KERNEL32 ref: 0000022DA381E5C8

Strings

AddMandatoryAce, xrefs: 0000022DA381E5BC
advapi32.dll, xrefs: 0000022DA381E5A2

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: AddMandatoryAce$advapi32.dll
API String ID: 2574300362-673174713
Opcode ID: 68499263ec1485bfceb7fa33467269506552c86d2a9c13e46f4cc5c5e3ea6af0
Instruction ID: 040195c0c940bc773192a4bf4cda128a2d3e58cc1d1310053a574d7064d1a7ab
Opcode Fuzzy Hash: 68499263ec1485bfceb7fa33467269506552c86d2a9c13e46f4cc5c5e3ea6af0
Instruction Fuzzy Hash: 7F114471115B40E7E790CFA4F84CB4A77A2F788394F800115E58646BA8DF7DD544CF00

Function 0000022DA54B1CC0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,0000022DA54B16E0), ref: 0000022DA54B1CD7
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,0000022DA54B16E0), ref: 0000022DA54B1CFA

Strings

ntdll.dll, xrefs: 0000022DA54B1CCD
NtQueryInformationFile, xrefs: 0000022DA54B1CF0

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueryInformationFile$ntdll.dll
API String ID: 1646373207-181822193
Opcode ID: 39ba8088b34ae59a6fbe3a01f1636c490dd6f5b50f95a0a0b8c71051aec04e10
Instruction ID: 8c258f1a4c4ce3ef841115ca7442d3cf2c86cb66eebc96f0c16f17b0021e0563
Opcode Fuzzy Hash: 39ba8088b34ae59a6fbe3a01f1636c490dd6f5b50f95a0a0b8c71051aec04e10
Instruction Fuzzy Hash: 26F0AFB2B04780A2EF408B95F448B697370FB88BE0F084219AA5E13794DFB8C5548B00

Function 0000022DA54B1C40 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,00000003,0000022DA54B194A), ref: 0000022DA54B1C57
GetProcAddress.KERNEL32(?,?,?,?,?,?,00000003,0000022DA54B194A), ref: 0000022DA54B1C7A

Strings

NtSetInformationFile, xrefs: 0000022DA54B1C70
ntdll.dll, xrefs: 0000022DA54B1C4D

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: NtSetInformationFile$ntdll.dll
API String ID: 1646373207-3010545110
Opcode ID: cb995a7f299b8f2775c46e46b3ed55ae0de372c79064a784bacaa018ddac6808
Instruction ID: b6c788f74849e6b9a92340db5a341eff6da5330d13be7b4b9be327ed1d7a2dc4
Opcode Fuzzy Hash: cb995a7f299b8f2775c46e46b3ed55ae0de372c79064a784bacaa018ddac6808
Instruction Fuzzy Hash: EBF0AFB2B04780A2EF408B95F448B697370FB88BE0F484219EA6E13794DFB8C5548B00

Function 0000022DA54541F7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyA.USER32 ref: 0000022DA54541FC
GetKeyNameTextW.USER32 ref: 0000022DA545427D
_snwprintf.LIBCMT ref: 0000022DA54542AA

Part of subcall function 0000022DA546DA18: _errno.LIBCMT ref: 0000022DA546DA4F
Part of subcall function 0000022DA546DA18: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546DA5A

Strings

<%ls>, xrefs: 0000022DA5454287

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: NameTextVirtual_errno_invalid_parameter_noinfo_snwprintf
String ID: <%ls>
API String ID: 2821865448-2980182092
Opcode ID: 1e82099169b0d0845da0a024a725ada71ab5f1f3fd4df013d42e2c021da26f45
Instruction ID: a516ec45c3657f19c75c29563ea6a97514cb0dc4be20408ae54262928532937c
Opcode Fuzzy Hash: 1e82099169b0d0845da0a024a725ada71ab5f1f3fd4df013d42e2c021da26f45
Instruction Fuzzy Hash: DAF06232B04911E7E715DBE5E848BA913A1E785791F440026DA4EB7664DF78C486C700

Function 0000022DA544A990 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,00000057,0000022DA544A36A), ref: 0000022DA544A9CA
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000057,0000022DA544A36A), ref: 0000022DA544A9DA

Part of subcall function 0000022DA544F1D0: GetLastError.KERNEL32 ref: 0000022DA544F265

Strings

FreeLibrary, xrefs: 0000022DA544A9D0
kernel32, xrefs: 0000022DA544A9B6

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: AddressErrorHandleLastModuleProc
String ID: FreeLibrary$kernel32
API String ID: 4275029093-3113479021
Opcode ID: d37b889259aa068871e5ec1da0ce01602f64094439f74c0884ade4aae4340260
Instruction ID: 116d19f11f6e9eec687dc864376924e184c8e5bdc3e78798763bf4a7141121aa
Opcode Fuzzy Hash: d37b889259aa068871e5ec1da0ce01602f64094439f74c0884ade4aae4340260
Instruction Fuzzy Hash: D7018F32A08B85A6EB40CF54F848B5AB770F399784F101156FB8917A18DFBCC144CB00

Function 0000022DA5453CAD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyA.USER32 ref: 0000022DA5453CB1
GetKeyNameTextW.USER32 ref: 0000022DA5453D30
_snwprintf.LIBCMT ref: 0000022DA5453D5D

Part of subcall function 0000022DA546DA18: _errno.LIBCMT ref: 0000022DA546DA4F
Part of subcall function 0000022DA546DA18: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546DA5A

Strings

<%ls>, xrefs: 0000022DA5453D3A

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: NameTextVirtual_errno_invalid_parameter_noinfo_snwprintf
String ID: <%ls>
API String ID: 2821865448-2980182092
Opcode ID: 258f5956f3b5b113d786c2b90a34cf0952a954b1aa396ab112bcd8015f24b372
Instruction ID: a440385ad438d256d24fcd1345e0417720eacb30404a0b701d14d345dc1486e1
Opcode Fuzzy Hash: 258f5956f3b5b113d786c2b90a34cf0952a954b1aa396ab112bcd8015f24b372
Instruction Fuzzy Hash: 6C014F75B00A08E2E710CB92E448FDD63B6F789B90F894066DA5DB3758DFB8C945C340

Function 0000022DA5454192 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_snwprintf.LIBCMT ref: 0000022DA54541B4

Part of subcall function 0000022DA546DA18: _errno.LIBCMT ref: 0000022DA546DA4F
Part of subcall function 0000022DA546DA18: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546DA5A

_snwprintf.LIBCMT ref: 0000022DA54541C5

Strings

<RAlt>, xrefs: 0000022DA54541AD
<LAlt>, xrefs: 0000022DA54541BE

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _snwprintf$_errno_invalid_parameter_noinfo
String ID: <LAlt>$<RAlt>
API String ID: 3682513478-2751853527
Opcode ID: dd63d83ceec4b95eca76c606194d6cfd8bbe9f629a2d0d0c00b368c3f4db30d8
Instruction ID: 8465e6b5637f1e6e2f20d84e646ac988bc49f0410578f471a02a5966f5481725
Opcode Fuzzy Hash: dd63d83ceec4b95eca76c606194d6cfd8bbe9f629a2d0d0c00b368c3f4db30d8
Instruction Fuzzy Hash: 16F06576E4CA10F2F711DBD5F849BE913A0A3D47A0F850122990EB22E5EFB8C8C2C340

Function 0000022DA5453C48 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

_snwprintf.LIBCMT ref: 0000022DA5453C6A

Part of subcall function 0000022DA546DA18: _errno.LIBCMT ref: 0000022DA546DA4F
Part of subcall function 0000022DA546DA18: _invalid_parameter_noinfo.LIBCMT ref: 0000022DA546DA5A

_snwprintf.LIBCMT ref: 0000022DA5453C7B

Strings

<RAlt>, xrefs: 0000022DA5453C63
<LAlt>, xrefs: 0000022DA5453C74

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _snwprintf$_errno_invalid_parameter_noinfo
String ID: <LAlt>$<RAlt>
API String ID: 3682513478-2751853527
Opcode ID: a9f0457a17a344acafc6d0b291cc38d65f985b71abf054ea728c7e7b4c76ee66
Instruction ID: 129a367d0b074d2a8e64019c3a0b11b3b2cbfdba055c1890b33e8c9fe798a704
Opcode Fuzzy Hash: a9f0457a17a344acafc6d0b291cc38d65f985b71abf054ea728c7e7b4c76ee66
Instruction Fuzzy Hash: D5F03A76A08A44F1E720DB91E409BD923B4F348BA0F5501A2991EB3350DFA4C945C380

Function 0000022DA3828640 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0000022DA382864B
GetProcAddress.KERNEL32 ref: 0000022DA3828662

Strings

kernel32.dll, xrefs: 0000022DA3828644
SetThreadErrorMode, xrefs: 0000022DA3828656

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: SetThreadErrorMode$kernel32.dll
API String ID: 2574300362-2080226504
Opcode ID: 083609c2db1c679f84eaa94bb10d9947de6566112fb50a4adefca3b3c2697270
Instruction ID: 821bda292443d3996e0d21f9f205e982e03153da9872f0710b710c810475d033
Opcode Fuzzy Hash: 083609c2db1c679f84eaa94bb10d9947de6566112fb50a4adefca3b3c2697270
Instruction Fuzzy Hash: F1E01A31104E4093E7A0DB64E80875973A2F78C394F440212D59D06A74DF7DC299C701

Function 0000022DA37D3C44 Relevance: 6.6, APIs: 5, Instructions: 306COMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA37E8CF8: calloc.LIBCMT ref: 0000022DA37E8D20

Part of subcall function 0000022DA37D286C: malloc.LIBCMT ref: 0000022DA37D2889

calloc.LIBCMT ref: 0000022DA37D3D6A

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: calloc$malloc
String ID:
API String ID: 1849211866-0
Opcode ID: 07ab07a60ab9044aa467c59ba9eda5ccefc7ec7a827272b935809317b253664b
Instruction ID: 117123e2593e88649eee1f352a436c460b4220a4dc3e7e80d464a6bea6983bee
Opcode Fuzzy Hash: 07ab07a60ab9044aa467c59ba9eda5ccefc7ec7a827272b935809317b253664b
Instruction Fuzzy Hash: E102DB32218B8492E7A4CB59F49979AB7A5F7C4784F149126EACD4BBA8DF7CC444CF00

Function 0000022DA37C1CF8 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 427COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA37C2414

Strings

@, xrefs: 0000022DA37C2120
data error, xrefs: 0000022DA37C1F16

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free
String ID: @$data error
API String ID: 1294909896-2003774022
Opcode ID: b9bfb66e13597722efd53f610cecb8fb5c2cbbf8338c398701cb5df2b7c2b290
Instruction ID: 8510fd5be6a68018e26b44a219f5c190a2fd42ecbeeecf8b5ae7c4fdf83b3a5a
Opcode Fuzzy Hash: b9bfb66e13597722efd53f610cecb8fb5c2cbbf8338c398701cb5df2b7c2b290
Instruction Fuzzy Hash: 5E22BF76208B81A7EBA0CB69F458B9BB7E1F785784F104125DAC98BB58DF7DC844CB40

Function 0000022DA37D5A54 Relevance: 6.3, APIs: 4, Instructions: 313COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA37D5EF3
free.LIBCMT ref: 0000022DA37D5F15

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9d3fae3b913182020316e8d408d92b0493f9235b373a96aff1a0586f213521b9
Instruction ID: 0565654567e03431c3d3195826454c7ed6ae87e9bb0488c358bee1e40b7798d7
Opcode Fuzzy Hash: 9d3fae3b913182020316e8d408d92b0493f9235b373a96aff1a0586f213521b9
Instruction Fuzzy Hash: F5E11432218681D7EBE09BA9E458B1E77E1F7847D4F144525EA8D8B794DF78C848CF04

Function 0000022DA37D4F60 Relevance: 6.3, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA37D4F9E
free.LIBCMT ref: 0000022DA37D4FC5
free.LIBCMT ref: 0000022DA37D4FEC
free.LIBCMT ref: 0000022DA37D5013
free.LIBCMT ref: 0000022DA37D503D

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 767ccf97320330de263f9bb40be07dc8994c01f3744b01c4d393c73c94bb1f21
Instruction ID: de501bce9192c25bbf5446c358d38b0490e30d047f751d842d20d33db7d0e00b
Opcode Fuzzy Hash: 767ccf97320330de263f9bb40be07dc8994c01f3744b01c4d393c73c94bb1f21
Instruction Fuzzy Hash: F5218337214B8893EBB09B56E09871EA7B1F389B88F554215EACC4B7A4CF7CC945CB40

Function 0000022DA3825B60 Relevance: 6.3, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA3825B9E
free.LIBCMT ref: 0000022DA3825BC5
free.LIBCMT ref: 0000022DA3825BEC
free.LIBCMT ref: 0000022DA3825C13
free.LIBCMT ref: 0000022DA3825C3D

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 767ccf97320330de263f9bb40be07dc8994c01f3744b01c4d393c73c94bb1f21
Instruction ID: 959ac72778c9e36182bb3f0e904cc4ed668390f3f20eaacc5fd7f839d7f16b80
Opcode Fuzzy Hash: 767ccf97320330de263f9bb40be07dc8994c01f3744b01c4d393c73c94bb1f21
Instruction Fuzzy Hash: E221A336204B8893EBA49B56E08871AA7B1F788B48F514215EACD4BBA4CF7DC944CB40

Function 0000022DA37D6278 Relevance: 6.3, APIs: 4, Instructions: 291COMMON

Download Yara Rule

APIs

rand.LIBCMT ref: 0000022DA37D6492
rand.LIBCMT ref: 0000022DA37D64AD

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: rand
String ID:
API String ID: 415692148-0
Opcode ID: ed6bf554bfff6b9a45289098e7d7e6728f9cbadbeda906988a6a97ac9c1bfca1
Instruction ID: 0b1262d7296730a3851e068e4d6abdc9bf66975df4c80cbbb0e2cc8b87eeb453
Opcode Fuzzy Hash: ed6bf554bfff6b9a45289098e7d7e6728f9cbadbeda906988a6a97ac9c1bfca1
Instruction Fuzzy Hash: 1EE1CE7720874597EBE0CB59E458B1AB7E1F788BD4F500126EA8D8BBA8DB78C544CF00

Function 0000022DA37D0EA4 Relevance: 6.3, APIs: 4, Instructions: 288COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA37D12F8
free.LIBCMT ref: 0000022DA37D131A

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ae1c41e8f55a2c86926dd828d29fa380c44f6c1b7a24ec4ecad43b64ee6fdbcc
Instruction ID: c89c45aeb4263557c4bd1d25f4ee3832194c463f5d0b2daea3d9fe5b1e33bad8
Opcode Fuzzy Hash: ae1c41e8f55a2c86926dd828d29fa380c44f6c1b7a24ec4ecad43b64ee6fdbcc
Instruction Fuzzy Hash: 6DD113333186819BE7F0DBA9E458B5EB7A1F784784F100525EA89CBB94DB79D448CF00

Function 0000022DA37C9D04 Relevance: 6.2, APIs: 4, Instructions: 217COMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA37C9D8A
memmove_s.LIBCMT ref: 0000022DA37C9F54
malloc.LIBCMT ref: 0000022DA37C9FC3
memcpy_s.LIBCMT ref: 0000022DA37CA01E

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: callocmallocmemcpy_smemmove_s
String ID:
API String ID: 3989352486-0
Opcode ID: 19822e133ba44aaf2f2c473610b63a3d3511321b07b0f4c8c329c773f98d5a3d
Instruction ID: d5c14696500531077421b70c37342b6c4ee3c3668eb29e5085ae80eaf15cb555
Opcode Fuzzy Hash: 19822e133ba44aaf2f2c473610b63a3d3511321b07b0f4c8c329c773f98d5a3d
Instruction Fuzzy Hash: 72A11136214B85A7EBD0CBADE458B1AB7E1F7C5794F104025EA8A8BB64EF39C444CB40

Function 0000022DA544CEF0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA544CFB8
malloc.LIBCMT ref: 0000022DA544D190
_snprintf.LIBCMT ref: 0000022DA544D1B7

Strings

%s %s, xrefs: 0000022DA544D1A1

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: malloc$_snprintf
String ID: %s %s
API String ID: 4147802357-2939940506
Opcode ID: 68435554cd36b2d1dce5ab45086c9abcdae0e98eabb7d57b0f1df9df5d6140f3
Instruction ID: 464e69b2a74b2444a42a82290acaeb9fde9c6f74149db391f35b23d1fe2b81a3
Opcode Fuzzy Hash: 68435554cd36b2d1dce5ab45086c9abcdae0e98eabb7d57b0f1df9df5d6140f3
Instruction Fuzzy Hash: 6E811832B44F8496FB55CBA69408B6A6BE0F745B84F488125DF9A573C6EFB8C406C300

Function 0000022DA5445B90 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA5445CBE

Strings

mapi, xrefs: 0000022DA5445DA4, 0000022DA5445E1A
iehistory, xrefs: 0000022DA5445D80, 0000022DA5445DC1
*.*, xrefs: 0000022DA5445D39

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free
String ID: *.*$iehistory$mapi
API String ID: 1294909896-3549654276
Opcode ID: 1abf7f794f6d09191c47d3ff15f83a8a805e85731a9abce61c457e3347678866
Instruction ID: 3b0a641bc673649aa58815e7ed9f4a555d25cba07da33427d35428e005de85f2
Opcode Fuzzy Hash: 1abf7f794f6d09191c47d3ff15f83a8a805e85731a9abce61c457e3347678866
Instruction Fuzzy Hash: 61919E72B40B40AAEF50DFA1D454AED33B1F754B88F808526DE4A63B98EF74C646C340

Function 0000022DA3824F8C Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 0000022DA3824FE9
calloc.LIBCMT ref: 0000022DA382501F
free.LIBCMT ref: 0000022DA3825272

Strings

P%, xrefs: 0000022DA3825138

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLastcallocfree
String ID: P%
API String ID: 2550761543-2959514604
Opcode ID: df2ba7436967e8bccd8a96100c71055cb77cbea2f05700d2d21d1939547bb40e
Instruction ID: 975354632d07b76fa8cf257364a485249c92174d6872a85521bac29e59881df1
Opcode Fuzzy Hash: df2ba7436967e8bccd8a96100c71055cb77cbea2f05700d2d21d1939547bb40e
Instruction Fuzzy Hash: C191EA36258B8497EBA0CBA5E45871EB7E1F7C8B94F100116FA9D87BA8DF78C544CB01

Function 0000022DA381D550 Relevance: 6.2, APIs: 4, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ab69efb2d87fd3e200a71f991c6a03de737a1530dffe167a31e300fc4d83295
Instruction ID: b9bcb5c04b24181cf2590fc8ae5aec80653ba8314f5964a8efab3d45a0ed5c99
Opcode Fuzzy Hash: 3ab69efb2d87fd3e200a71f991c6a03de737a1530dffe167a31e300fc4d83295
Instruction Fuzzy Hash: C781D236224B4497EB90DB6AE458B2A77A2F7C4B94F105515EE5E4B7E8DF38C844CB00

Function 0000022DA38162EC Relevance: 6.2, APIs: 4, Instructions: 153COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA38163FD
free.LIBCMT ref: 0000022DA3816483
htonl.WS2_32 ref: 0000022DA38164DB
free.LIBCMT ref: 0000022DA38165AC

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free$htonlmalloc
String ID:
API String ID: 568810363-0
Opcode ID: c1e2e4b3b834b2742be366ddb8f7aca5c01035fc9f29b6706ebf7d245d5260da
Instruction ID: 4525efb410821bb9ba7bbcb12f57f7c37522672a46a93b38f21dfa55e895c71a
Opcode Fuzzy Hash: c1e2e4b3b834b2742be366ddb8f7aca5c01035fc9f29b6706ebf7d245d5260da
Instruction Fuzzy Hash: A9819976218B8497DBA0DF65E088B5AB7A1F7C5B84F505016EBCA47BA8DF78C844CF00

Function 0000022DA37C7490 Relevance: 6.1, APIs: 4, Instructions: 123COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA37C7510

Part of subcall function 0000022DA37E6E78: _FF_MSGBANNER.LIBCMT ref: 0000022DA37E6EA8
Part of subcall function 0000022DA37E6E78: _NMSG_WRITE.LIBCMT ref: 0000022DA37E6EB2
Part of subcall function 0000022DA37E6E78: _callnewh.LIBCMT ref: 0000022DA37E6EE6
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6EF1
Part of subcall function 0000022DA37E6E78: _errno.LIBCMT ref: 0000022DA37E6EFC

free.LIBCMT ref: 0000022DA37C76AB

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errno$_callnewhfreemalloc
String ID:
API String ID: 3099215566-0
Opcode ID: bab57fdc92ed76bceed7fbf4e3f5a12e51f6b3f23785cdf08656ac47bfd46250
Instruction ID: 4480af88e32bcb615b4b85aed295b52f8965c56bbf62ba48dcd7a86438e91ca6
Opcode Fuzzy Hash: bab57fdc92ed76bceed7fbf4e3f5a12e51f6b3f23785cdf08656ac47bfd46250
Instruction Fuzzy Hash: 7E51F8726186809BD794CF68E494B1AB7B2F7C8784F205115FB8A8BB69DF79C841CF00

Function 0000022DA544D3B0 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA5449D10: LoadLibraryA.KERNEL32 ref: 0000022DA5449D35
Part of subcall function 0000022DA5449D10: GetProcAddress.KERNEL32 ref: 0000022DA5449D4D
Part of subcall function 0000022DA5449D10: FreeLibrary.KERNEL32 ref: 0000022DA5449D8F

htonl.WS2_32 ref: 0000022DA544D408
htonl.WS2_32 ref: 0000022DA544D509
htonl.WS2_32 ref: 0000022DA544D52B
htonl.WS2_32 ref: 0000022DA544D54D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: htonl$Library$AddressFreeLoadProc
String ID:
API String ID: 3905280739-0
Opcode ID: f6cc4356139d136595636d18eaa36b4af537126db05a3b2cff5b69ba0107ec73
Instruction ID: 2cc4518296190ad62c0716b0f3b04639aca7f6bf37c5bf95af4c9754f2c52934
Opcode Fuzzy Hash: f6cc4356139d136595636d18eaa36b4af537126db05a3b2cff5b69ba0107ec73
Instruction Fuzzy Hash: EB5125B6A01B94DEE714CFB5D8887AD3BB1F744B98F00402ADE4A27B98DB78C459C744

Function 0000022DA544EC80 Relevance: 6.1, APIs: 4, Instructions: 107threadinjectionCOMMON

Download Yara Rule

APIs

GetThreadContext.KERNEL32 ref: 0000022DA544ED00
htonl.WS2_32 ref: 0000022DA544EDB3
SetThreadContext.KERNEL32 ref: 0000022DA544EDFE
GetLastError.KERNEL32 ref: 0000022DA544EE08

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ContextThread$ErrorLasthtonl
String ID:
API String ID: 3697063647-0
Opcode ID: 3e72485e887547924d30ecf914f6c77d810e540657494fd566ea8b9ed8e36e3f
Instruction ID: 66d5b8a675e4dcb798f1d9200c86f23da94ed659154133da1b1dd1cd852bec77
Opcode Fuzzy Hash: 3e72485e887547924d30ecf914f6c77d810e540657494fd566ea8b9ed8e36e3f
Instruction Fuzzy Hash: 81418172704B8593EB60CFA2E808B6A67A0F789FC5F544026DE4D97B59EFB8C505C740

Function 0000022DA54423B0 Relevance: 6.1, APIs: 4, Instructions: 106COMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA54423CD

Part of subcall function 0000022DA546AEF4: _calloc_impl.LIBCMT ref: 0000022DA546AF04
Part of subcall function 0000022DA546AEF4: _errno.LIBCMT ref: 0000022DA546AF17
Part of subcall function 0000022DA546AEF4: _errno.LIBCMT ref: 0000022DA546AF21

Part of subcall function 0000022DA5441C00: GetModuleHandleA.KERNEL32(?,?,?,?,00000000,?,?,0000022DA54423E6), ref: 0000022DA5441C16
Part of subcall function 0000022DA5441C00: GetProcAddress.KERNEL32(?,?,?,?,00000000,?,?,0000022DA54423E6), ref: 0000022DA5441C26

htonl.WS2_32 ref: 0000022DA5442481
htonl.WS2_32 ref: 0000022DA54424A3
free.LIBCMT ref: 0000022DA544255A

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: _errnohtonl$AddressHandleModuleProc_calloc_implcallocfree
String ID:
API String ID: 3702241348-0
Opcode ID: a353da6aecc8a7f68d040641dd10a9fce14beae6869e57e0acc3eeedaa22756d
Instruction ID: 0c178640fb1fb54419be20002822981cfcb2547f015460f909dbfc62e821f11f
Opcode Fuzzy Hash: a353da6aecc8a7f68d040641dd10a9fce14beae6869e57e0acc3eeedaa22756d
Instruction Fuzzy Hash: D55146B2A04B80DEE750CFA4E44879D37B1F345368F404216EBAA67BC8DBB8C599C744

Function 0000022DA3816BBC Relevance: 6.1, APIs: 4, Instructions: 105COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA3816C3F
htonl.WS2_32 ref: 0000022DA3816C96
htonl.WS2_32 ref: 0000022DA3816CB1
free.LIBCMT ref: 0000022DA3816D77

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: htonl$freemalloc
String ID:
API String ID: 1249573706-0
Opcode ID: 1a4d609c4260e32384f4063f2ebf364937de1ec6e9471f5c1dd6f826de14de3a
Instruction ID: 685a277bd3021136931dfc91f39fcf41cf61029b8890708df67253616f6f7511
Opcode Fuzzy Hash: 1a4d609c4260e32384f4063f2ebf364937de1ec6e9471f5c1dd6f826de14de3a
Instruction Fuzzy Hash: A151AB766186408BD7A4CF69E094B1AB7E1F3C8748F505215FACA87BA8DB3DD5418F40

Function 0000022DA3844BD4 Relevance: 6.1, APIs: 4, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

_flush.LIBCMT ref: 0000022DA3844BEC
_lock.LIBCMT ref: 0000022DA3844CCB

Part of subcall function 0000022DA3840DF0: _mtinitlocknum.LIBCMT ref: 0000022DA3840E0E
Part of subcall function 0000022DA3840DF0: _amsg_exit.LIBCMT ref: 0000022DA3840E1A

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _amsg_exit_flush_lock_mtinitlocknum
String ID:
API String ID: 595854648-0
Opcode ID: f080c6d54ebb1e9bcab9313a283e6dd19c5f31b0f3fd22aa36b5dfeb18049f6a
Instruction ID: b0728be382fcb04f1ae9845a1417d12d1f98a42b797a22a1a9980478c475c944
Opcode Fuzzy Hash: f080c6d54ebb1e9bcab9313a283e6dd19c5f31b0f3fd22aa36b5dfeb18049f6a
Instruction Fuzzy Hash: 01317B3520074463FBE48FF6948EB6A9693AB8CF94F1816159E570FBE2CB38C481C700

Function 0000022DA544D260 Relevance: 6.1, APIs: 4, Instructions: 83sleepfilepipeCOMMON

Download Yara Rule

APIs

PeekNamedPipe.KERNEL32 ref: 0000022DA544D2D1
ReadFile.KERNEL32 ref: 0000022DA544D300
Sleep.KERNEL32 ref: 0000022DA544D344
GetLastError.KERNEL32 ref: 0000022DA544D34E

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorFileLastNamedPeekPipeReadSleep
String ID:
API String ID: 3382443847-0
Opcode ID: 36464be5b928ddf9bf3cd2c32f09305229afb0ca037eddb2ed834c8bc830af9f
Instruction ID: 4a1fd698ed3bd52d4cd1913c53bdcee8d582d2d43bdbebfd5dd156f75bd17c89
Opcode Fuzzy Hash: 36464be5b928ddf9bf3cd2c32f09305229afb0ca037eddb2ed834c8bc830af9f
Instruction Fuzzy Hash: BB316D72B04F8297E7609BA2B848F5A63A0F789B84F454135EF89A3B54DF78C551C704

Function 0000022DA5455FD0 Relevance: 6.1, APIs: 4, Instructions: 80windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: b2b9c30d6c31285107972dcce0f46adf72b66fbdda8aaac270d6c5b502cf59c1
Instruction ID: 1c500888439e33844cd1da307eeafd990ac2018d2c87a6ea2c0ef89f16a07a73
Opcode Fuzzy Hash: b2b9c30d6c31285107972dcce0f46adf72b66fbdda8aaac270d6c5b502cf59c1
Instruction Fuzzy Hash: 94416236605F8496DBA08F69E88074A77A4F388B98F144126DE8D97B68EF78C494CB50

Function 0000022DA5455ED2 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: a7086a2882efe9afe4d72891320daf46dba836480783308d765adedd4aa15e32
Instruction ID: 178203d565fcb22b4a3c000a560401c738cb53953ad932eba38de329cc54abab
Opcode Fuzzy Hash: a7086a2882efe9afe4d72891320daf46dba836480783308d765adedd4aa15e32
Instruction Fuzzy Hash: 7A417336605F8496DBA08F69F48074E77A4F388B98F144126DF8D97B68EF78C494CB50

Function 0000022DA5455DE3 Relevance: 6.1, APIs: 4, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: b62e60b3f5ccbe2dd8ced59e8c39c202014cff6376ae91b59b90259bf114bf12
Instruction ID: 37e5896667dca903d20a26e2c36faf94d75172d377d255c7870c533f64c0ea4c
Opcode Fuzzy Hash: b62e60b3f5ccbe2dd8ced59e8c39c202014cff6376ae91b59b90259bf114bf12
Instruction Fuzzy Hash: 38416336605F8496DBA08F69F48074E77A4F388B98F144126DF8D97B68EF78C494CB50

Function 0000022DA5455D03 Relevance: 6.1, APIs: 4, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: afe8c316c84c62fd3a065a4fb5e2c1b7341d8d05d04b75254077d39522da13dd
Instruction ID: e71e6bc07d3bf527b7bcb6d221a55f6ac77d37ecb5f99395abe17f3a3bc65828
Opcode Fuzzy Hash: afe8c316c84c62fd3a065a4fb5e2c1b7341d8d05d04b75254077d39522da13dd
Instruction Fuzzy Hash: 81317336605F8496DBA08F69F48074E77A4F388B98F104126DF8D93B68EF78C494CB50

Function 0000022DA5455C32 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 4a3bbf87ac19936af28eada4c7b5a692c00e025f3a5cc7bd92504db1154ef4a3
Instruction ID: be91ad74cad3b6371d485dbfd961b4a98a340a0b50e56b274cbeb747604f1ea8
Opcode Fuzzy Hash: 4a3bbf87ac19936af28eada4c7b5a692c00e025f3a5cc7bd92504db1154ef4a3
Instruction Fuzzy Hash: 00318336605F8486DBA08F69F48074E77A4F388B98F104126DF8D93B68EF78C494CB50

Function 0000022DA5455B70 Relevance: 6.1, APIs: 4, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 61041e40f2561606ef8fbee9ff4edd0bbc4608b1d614a04faf459b7a51c4705a
Instruction ID: 53e7d7e77619863e9818aad44eb534f6d48b657ed7d20b9f9fc710afbc05c1c9
Opcode Fuzzy Hash: 61041e40f2561606ef8fbee9ff4edd0bbc4608b1d614a04faf459b7a51c4705a
Instruction Fuzzy Hash: 8F319336605F8486DBA08F69F48074E77A4F388B98F104126DF8D93B68EF78C494CB50

Function 0000022DA544E680 Relevance: 6.1, APIs: 4, Instructions: 69threadCOMMON

Download Yara Rule

APIs

Thread32Next.KERNEL32 ref: 0000022DA544E72A
GetLastError.KERNEL32 ref: 0000022DA544E733
GetLastError.KERNEL32 ref: 0000022DA544E73E
CloseHandle.KERNEL32 ref: 0000022DA544E763

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$CloseHandleNextThread32
String ID:
API String ID: 3034546079-0
Opcode ID: aec4a2b0bd95f6241514bc863d71b2255e2469b591946cd59780e87da6ecd847
Instruction ID: ad3bf0b606ce6241f1cdf4c72ad8929f7d851204a6fb1de0d9d87cd54993db2b
Opcode Fuzzy Hash: aec4a2b0bd95f6241514bc863d71b2255e2469b591946cd59780e87da6ecd847
Instruction Fuzzy Hash: 6C21A476B44B40D7EB609BA2E54876A63A1F78CFD0F444021DE89A3B55EFBCD501CB05

Function 0000022DA5455ABD Relevance: 6.1, APIs: 4, Instructions: 68windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 4a2fea5c17112d8d44599e0dfd56ec231b93e85a9a2e4f668c695b4ea578e954
Instruction ID: e6e7f2171471667c0d05765054c483b610a440b25842d1b090eb7420caf2a56e
Opcode Fuzzy Hash: 4a2fea5c17112d8d44599e0dfd56ec231b93e85a9a2e4f668c695b4ea578e954
Instruction Fuzzy Hash: C2319336605F8486DBA08F69F48074E77A4F388B98F104126DF8D93B68EF78C494CB50

Function 0000022DA38182C4 Relevance: 6.1, APIs: 4, Instructions: 65memorylibrarystringCOMMON

Download Yara Rule

APIs

strrchr.LIBCMT ref: 0000022DA38182FD
VirtualAlloc.KERNEL32 ref: 0000022DA381832F

Part of subcall function 0000022DA3818930: LoadLibraryW.KERNEL32 ref: 0000022DA3818940

Part of subcall function 0000022DA3818D78: VirtualAlloc.KERNEL32 ref: 0000022DA3818DCB
Part of subcall function 0000022DA3818D78: VirtualAlloc.KERNEL32 ref: 0000022DA3818E04
Part of subcall function 0000022DA3818D78: GetModuleHandleA.KERNEL32 ref: 0000022DA3818E30
Part of subcall function 0000022DA3818D78: GetProcAddress.KERNEL32 ref: 0000022DA3818E40
Part of subcall function 0000022DA3818D78: WriteProcessMemory.KERNEL32 ref: 0000022DA3818EBE
Part of subcall function 0000022DA3818D78: WriteProcessMemory.KERNEL32 ref: 0000022DA3818F64

LoadLibraryA.KERNEL32 ref: 0000022DA38183BF
VirtualFree.KERNEL32 ref: 0000022DA38183F9

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Virtual$Alloc$LibraryLoadMemoryProcessWrite$AddressFreeHandleModuleProcstrrchr
String ID:
API String ID: 76982856-0
Opcode ID: e140eef7ca3731698891a2bcd5c82b68a28e790e871516885fcf39ade51d6b3d
Instruction ID: d648d77dc8c9da060ea76437013df58eb7031108f3844d7e3896820519ded4e3
Opcode Fuzzy Hash: e140eef7ca3731698891a2bcd5c82b68a28e790e871516885fcf39ade51d6b3d
Instruction Fuzzy Hash: 38310B31204B4093EB90DBB9F899B5AB3A2F7C8794F540125D98E4B7A4CF7DC585C700

Function 0000022DA5455984 Relevance: 6.1, APIs: 4, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: d2dc9cc98bb9ba40a4f696e00e912281e306063a425ac1303bc342a991d4438c
Instruction ID: a98cf614145edde84a773aeea463a51667432be7acd3ab454853d79406dc397a
Opcode Fuzzy Hash: d2dc9cc98bb9ba40a4f696e00e912281e306063a425ac1303bc342a991d4438c
Instruction Fuzzy Hash: B931C436605F8486DBA08F69F48074E77A4F388BA8F104126DF8D53B68DF78C494CB50

Function 0000022DA54C4C9C Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA54C4CC0

Part of subcall function 0000022DA54B83BC: _getptd.LIBCMT ref: 0000022DA54B83D2
Part of subcall function 0000022DA54B83BC: __updatetlocinfo.LIBCMT ref: 0000022DA54B8407
Part of subcall function 0000022DA54B83BC: __updatetmbcinfo.LIBCMT ref: 0000022DA54B842E

_errno.LIBCMT ref: 0000022DA54C4CCC

Part of subcall function 0000022DA54B7C50: _getptd_noexit.LIBCMT ref: 0000022DA54B7C54

_invalid_parameter_noinfo.LIBCMT ref: 0000022DA54C4CD7
strchr.LIBCMT ref: 0000022DA54C4CED

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: b0d23f3fa0da5fa6e20ae43454cc5ba0bbb08d20c2c924f3f09bd53aa0dde170
Instruction ID: a4149ae2163325d176cb492a18684bb14b3f6b1c0ac418e58bc2f9cd9d38304b
Opcode Fuzzy Hash: b0d23f3fa0da5fa6e20ae43454cc5ba0bbb08d20c2c924f3f09bd53aa0dde170
Instruction Fuzzy Hash: 9C215CB2E043E071FB7067A59158B3DA6F0E3C0BD6F5D4525EA872BAC5C9ACC842C720

Function 0000022DA54558FE Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 7a7d32f20e1435e171047a9ea03d0246d898c516d5e0b66592470f9daaafcd6c
Instruction ID: 17643ff67e11aefb4915eea4c29069867e17b2d710e7068ba9c96b29c5e7519c
Opcode Fuzzy Hash: 7a7d32f20e1435e171047a9ea03d0246d898c516d5e0b66592470f9daaafcd6c
Instruction Fuzzy Hash: F931B436605F4496DB648F69F48075E77A4F388BA8F101126DF8D53B68DF78C491CB50

Function 0000022DA547FD64 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0000022DA547FD88

Part of subcall function 0000022DA546BBE4: _getptd.LIBCMT ref: 0000022DA546BBFA
Part of subcall function 0000022DA546BBE4: __updatetlocinfo.LIBCMT ref: 0000022DA546BC2F
Part of subcall function 0000022DA546BBE4: __updatetmbcinfo.LIBCMT ref: 0000022DA546BC56

_errno.LIBCMT ref: 0000022DA547FD94

Part of subcall function 0000022DA546F970: _getptd_noexit.LIBCMT ref: 0000022DA546F974

_invalid_parameter_noinfo.LIBCMT ref: 0000022DA547FD9F
strchr.LIBCMT ref: 0000022DA547FDB5

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 0905ea5d1d6877d7788902e3141d2462c87efc777c415f618fc4460f7ebd8957
Instruction ID: f2b031b380619ba4e1044f32a1373e7b9ddc6d92f978624eef1a53b146025143
Opcode Fuzzy Hash: 0905ea5d1d6877d7788902e3141d2462c87efc777c415f618fc4460f7ebd8957
Instruction Fuzzy Hash: 3F213672E082A2B1FB6017A19058B7DA6D1E380BD4F2C5421EB976BECACBA8C541C750

Function 0000022DA54487E0 Relevance: 6.1, APIs: 4, Instructions: 62networksleepCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0000022DA544881B
WSAGetLastError.WS2_32 ref: 0000022DA544882C
select.WS2_32 ref: 0000022DA544889C
Sleep.KERNEL32 ref: 0000022DA54488A9

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLastSleepselectsend
String ID:
API String ID: 3306477828-0
Opcode ID: 918c14bd7b12d78cf174c339a8be75b4101ecdb4595a4efdf14ad4e6086214c0
Instruction ID: eff1ba1978e910c01c9d3f11152138d88f9a36296f48e539fab4562ecf3c7630
Opcode Fuzzy Hash: 918c14bd7b12d78cf174c339a8be75b4101ecdb4595a4efdf14ad4e6086214c0
Instruction Fuzzy Hash: 83215632B18784A7EB60DFA1E48CB9E77B4F798B80F404526DA59A3B94DB78C444C780

Function 0000022DA5453490 Relevance: 6.1, APIs: 4, Instructions: 60keyboardthreadCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 0000022DA5453501
free.LIBCMT ref: 0000022DA5453518
calloc.LIBCMT ref: 0000022DA5453527
CreateThread.KERNEL32 ref: 0000022DA545354A

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: AsyncCreateStateThreadcallocfree
String ID:
API String ID: 1391261026-0
Opcode ID: 8ea331d521ac2e4e81fa7cebc09ca57b493a23f257400f372c72906feae4b1c2
Instruction ID: 6f8f8a672f75c4dc6d7e0ac4179497965d1cfb1645c4cbd2b25c89562fb1d639
Opcode Fuzzy Hash: 8ea331d521ac2e4e81fa7cebc09ca57b493a23f257400f372c72906feae4b1c2
Instruction Fuzzy Hash: F4212F76A04B40E2FB04DF91F849B6A77A1F785B94F584426DA4A677A4DFBCC841C700

Function 0000022DA5455881 Relevance: 6.1, APIs: 4, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 72ac9c761ac106d7e91ce607d9d103776cad95955984c88a7651a8bd569ced3c
Instruction ID: 10aa4cb1eb603cd3aecc1c0d865ca9491e94458a8711974e684d0e63c7bb9f5b
Opcode Fuzzy Hash: 72ac9c761ac106d7e91ce607d9d103776cad95955984c88a7651a8bd569ced3c
Instruction Fuzzy Hash: 8621C436605F8496DB648FA9F48075E77A4F388BA8F101126DF8E53B68DF78C491CB50

Function 0000022DA381CCE8 Relevance: 6.1, APIs: 4, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA381C46D), ref: 0000022DA381CD3C
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA381C46D), ref: 0000022DA381CD4F
WriteFile.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA381C46D), ref: 0000022DA381CD97
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA381C46D), ref: 0000022DA381CDE2

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: File$CloseCreateErrorHandleLastWrite
String ID:
API String ID: 1150274393-0
Opcode ID: e9829b33afac3a2a8b328ce8f451d27958ebe7d243e94f6bf6aa11b7a932b998
Instruction ID: 9dd967ebc3d689728e671b288aafb8ff47256accf29b36f79590c8da203378f5
Opcode Fuzzy Hash: e9829b33afac3a2a8b328ce8f451d27958ebe7d243e94f6bf6aa11b7a932b998
Instruction Fuzzy Hash: C631DB726186409BD760CF68F458B1ABBB1F3857A4F200219E7A987BD8DB7EC844CF40

Function 0000022DA381DD2E Relevance: 6.1, APIs: 4, Instructions: 58fileCOMMON

Download Yara Rule

APIs

GetOverlappedResult.KERNEL32 ref: 0000022DA381DD96
GetLastError.KERNEL32 ref: 0000022DA381DDA4
ResetEvent.KERNEL32 ref: 0000022DA381E1FF
ReadFile.KERNEL32 ref: 0000022DA381E258

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorEventFileLastOverlappedReadResetResult
String ID:
API String ID: 1039749767-0
Opcode ID: ada5fe50e06014838f7bd00c876b089099aa9aa3267754176ada25cef5078a95
Instruction ID: b4323221b69ea0010e79b4e9ce3829621ce344c1a859e129652aa1f7ad0bf2d4
Opcode Fuzzy Hash: ada5fe50e06014838f7bd00c876b089099aa9aa3267754176ada25cef5078a95
Instruction Fuzzy Hash: B521F77622578197EBD18BB5E458B6BA7A1F7D4B84F005025FA4A8BBD8DF38C444CB40

Function 0000022DA545580D Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 90e69e9afa06c3974bfe8eed0568bedde42f048f28e75a4b8f22642663fa2f80
Instruction ID: e2cfbcfd0e35721dff6ec295b31f7b34a77c7afaceeafea28a0051af54ba4c6e
Opcode Fuzzy Hash: 90e69e9afa06c3974bfe8eed0568bedde42f048f28e75a4b8f22642663fa2f80
Instruction Fuzzy Hash: 1721D436605F8496DB648F99F48075E77A4F388BA8F101126DE8E53B68DF78C490CB50

Function 0000022DA54557A2 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: c0cd1c77f6e24788377c665dbfa692fac731fa66b160a37af0283adeed89901f
Instruction ID: 359194bc7a4a74ea1125fc29370492f4e0a76854f6aac6f9a188040b6f3e1a27
Opcode Fuzzy Hash: c0cd1c77f6e24788377c665dbfa692fac731fa66b160a37af0283adeed89901f
Instruction Fuzzy Hash: F021E436605F8496DB648F99F48075E77A4F388BA8F001126DE8E53B68DF78C490CB50

Function 0000022DA54556E7 Relevance: 6.1, APIs: 4, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: b17048f3605008b953b34addcec862f7b0ac59f864253739523679d245e9a739
Instruction ID: 8d770a6c726de6a51698f98eb3edbad20eb4cbbbe6e922a26a88f74c68822bfc
Opcode Fuzzy Hash: b17048f3605008b953b34addcec862f7b0ac59f864253739523679d245e9a739
Instruction Fuzzy Hash: 2B21F436605B4496DB648F95F48475E77A4F388BA8F005126DE8E63B68DF78C490CB50

Function 0000022DA5455697 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 976423b9656a6452779b8b9f5782de351ca9c0e93b353db427e95054c90f20a7
Instruction ID: 6886796e7655d1864697c4fde3dc8689e09a3a613e00c467c3f9f9efa9d9c1a1
Opcode Fuzzy Hash: 976423b9656a6452779b8b9f5782de351ca9c0e93b353db427e95054c90f20a7
Instruction Fuzzy Hash: 78212636605B4492EB648F95F48475E77B4F388BA8F005126DF8E63B68DF78C490CB50

Function 0000022DA38288BC Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 0000022DA3828909

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 50c998272f27af9edd0328b38f89847052232a433b433938d757d35aa8247f7a
Instruction ID: 0bb7462c6a456fd74228face1373edc5f4b44fb1a769ac1b7302bb65d23c2995
Opcode Fuzzy Hash: 50c998272f27af9edd0328b38f89847052232a433b433938d757d35aa8247f7a
Instruction Fuzzy Hash: 2121FE32118B8097EBA0DBA6F45871BB7A2F785798F200519E7D94BB98DB7DC4448B01

Function 0000022DA5455612 Relevance: 6.0, APIs: 4, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 5746d89d0b83ca40719fd2205ef5d53485dd379b7d5e7dc2ed8fecbcec8729ef
Instruction ID: 7bd3e265efc519f311cc358b0940d4aeb5683a8c8f6237597b4249570fbdc04f
Opcode Fuzzy Hash: 5746d89d0b83ca40719fd2205ef5d53485dd379b7d5e7dc2ed8fecbcec8729ef
Instruction Fuzzy Hash: 9E114836605B4092EB64CF95F48475E73A4F388BE8F005126DE8E63B58DF78C491CB50

Function 0000022DA54555DD Relevance: 6.0, APIs: 4, Instructions: 44windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 3e7628819223a86f227a963dcdc278a61384c0858bbf9d0acf65b33bb884723a
Instruction ID: 5ffba628dbf1db85d879d5e239f1fa8c3019e6bf049888d175b95d6eccb5f7c7
Opcode Fuzzy Hash: 3e7628819223a86f227a963dcdc278a61384c0858bbf9d0acf65b33bb884723a
Instruction Fuzzy Hash: 60113976605B4092EB64CF95F44475E73A4F388BE8F005126DE8E63B98DF78C495CB50

Function 0000022DA54482A0 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 0000022DA54482C5
htonl.WS2_32 ref: 0000022DA54482E0

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: htonl
String ID:
API String ID: 2009864989-0
Opcode ID: fbdfd50c4e506deb77010849facf6a1ce5b8e026f1ed61bb804bfe40a57c883e
Instruction ID: cfed76c6952eaca8b8c26e465c4f95de77f4d74b36ff7bb446239b5ad4c40ec0
Opcode Fuzzy Hash: fbdfd50c4e506deb77010849facf6a1ce5b8e026f1ed61bb804bfe40a57c883e
Instruction Fuzzy Hash: 6A017CB3A00A81EBE7489FF2944924C37E1E709B34B18C325C6358A3D8EB7884D5CB20

Function 0000022DA54555B1 Relevance: 6.0, APIs: 4, Instructions: 42windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: aa98f7de1584b15507fa4a17be37555005ee15de53e15ded06f3532a50d7947d
Instruction ID: b50b4e940b7f4e9418c10fb57eff57f0b95c25c4d63ac5a4ed00838a1867fee8
Opcode Fuzzy Hash: aa98f7de1584b15507fa4a17be37555005ee15de53e15ded06f3532a50d7947d
Instruction Fuzzy Hash: 30115776605B4092EB248F95F44475E73A0F388BE8F004126DE8E63B98DF78C895CB50

Function 0000022DA545558E Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: b3f75b19b86892c7e106ed7e682513adc9095eceb4867b26c013f3c14fadee07
Instruction ID: 1bd918bf97a26802cb74dc9628bf29e588fba0e04f0130defd39867e64f9169a
Opcode Fuzzy Hash: b3f75b19b86892c7e106ed7e682513adc9095eceb4867b26c013f3c14fadee07
Instruction Fuzzy Hash: E6014876605B8092EB249F95F444B5E73A0F388BE8F004527DE8E63B98DF78C895C760

Function 0000022DA5455574 Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 4b2e10e7c265b51ea59fecfb19629960b8adc43bfa9454758584f0ee8daf7f0b
Instruction ID: bb29e2fd2c6cb7d92f90dd51a8005988470119aa0885b2ee2defc727defbbbba
Opcode Fuzzy Hash: 4b2e10e7c265b51ea59fecfb19629960b8adc43bfa9454758584f0ee8daf7f0b
Instruction Fuzzy Hash: DE017C36604B4092E7249F95F444B5D63A0F388BE8F004427DE4A63794DF78C895C760

Function 0000022DA545555E Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 82d95210de489c2020ff652dbb332ce7a9a788ce6543578b6c6512c5c306744d
Instruction ID: 1c95a312b8e11ce6789ca3b12f028256ff470a316e00b2d4129de2bedf420139
Opcode Fuzzy Hash: 82d95210de489c2020ff652dbb332ce7a9a788ce6543578b6c6512c5c306744d
Instruction Fuzzy Hash: 6C018B36604B80A3EB249F94F444B6E63A0F388BE8F004427CE4A63B94DF78C8958760

Function 0000022DA545554C Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 4185a86188baf1e1936c135ccb65691e905285086dcb3ac576645b517027c0f9
Instruction ID: 6ecdcc706842829c84a6fdfea060d448b68597996c8f306a6c2b6e916032ae92
Opcode Fuzzy Hash: 4185a86188baf1e1936c135ccb65691e905285086dcb3ac576645b517027c0f9
Instruction Fuzzy Hash: 7C016D36605B40A3EB259F94F454B6E63A0F388BE4F005426DE4A63B94DF78C8958750

Function 0000022DA3822678 Relevance: 6.0, APIs: 4, Instructions: 35networkCOMMON

Download Yara Rule

APIs

calloc.LIBCMT ref: 0000022DA3822699

Part of subcall function 0000022DA383828C: _calloc_impl.LIBCMT ref: 0000022DA383829C
Part of subcall function 0000022DA383828C: _errno.LIBCMT ref: 0000022DA38382AF
Part of subcall function 0000022DA383828C: _errno.LIBCMT ref: 0000022DA38382B9

WSADuplicateSocketA.WS2_32 ref: 0000022DA38226CE
free.LIBCMT ref: 0000022DA38226DD
WSAGetLastError.WS2_32 ref: 0000022DA38226E2

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _errno$DuplicateErrorLastSocket_calloc_implcallocfree
String ID:
API String ID: 3321659797-0
Opcode ID: 91b43d0b998da2d443010618f3202ab0a2297b850d1b2379a2656786b8e2a99c
Instruction ID: 27f049ae769156f7587e7f2ae51aba88a30cc5ef2d0fde2c3dad7e1a707bbfbe
Opcode Fuzzy Hash: 91b43d0b998da2d443010618f3202ab0a2297b850d1b2379a2656786b8e2a99c
Instruction Fuzzy Hash: 47012536608B8493EBA0DBA5E45471AB3B1F3C8B84F104125EACD4BB69CF3CC655CB40

Function 0000022DA5445560 Relevance: 6.0, APIs: 4, Instructions: 35fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,00000000,0000022DA54448D1), ref: 0000022DA54455AA
GetLastError.KERNEL32(?,?,00000000,0000022DA54448D1), ref: 0000022DA54455B4
free.LIBCMT ref: 0000022DA54455BF
free.LIBCMT ref: 0000022DA54455C7

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$CopyErrorFileLast
String ID:
API String ID: 2361750919-0
Opcode ID: 08b971a8897f4b3d9b7cd8a5975e4d2a662702f8203bbf77f7ff7a5d2b3de6a2
Instruction ID: 6130dfd8212ca00fce4b61c7469cc5e6eff46f0e71c20c1845ddb2afa151fd7d
Opcode Fuzzy Hash: 08b971a8897f4b3d9b7cd8a5975e4d2a662702f8203bbf77f7ff7a5d2b3de6a2
Instruction Fuzzy Hash: 73F04431B12B90D3FF949BA6A84CB6D63A1AB89FD0F485031ED0DA7B59DE78C4428740

Function 0000022DA545553E Relevance: 6.0, APIs: 4, Instructions: 35windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: 834f1d2574a2003f595f742e9d9cbb98ec3646baca90f34c204d0f9219fd8df1
Instruction ID: c31e793489da766f0562ff1081b7a5b75b4ea968d3d269f3c0e5319446ccc9c2
Opcode Fuzzy Hash: 834f1d2574a2003f595f742e9d9cbb98ec3646baca90f34c204d0f9219fd8df1
Instruction Fuzzy Hash: 0D018C32A05B40A3EB259FD4F458B6E62A0F3887E4F004426DE4B63B94DFBCC8958750

Function 0000022DA5453090 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

OpenWindowStationA.USER32 ref: 0000022DA54530C1
GetCurrentProcessId.KERNEL32 ref: 0000022DA54530CF

Part of subcall function 0000022DA5449D10: LoadLibraryA.KERNEL32 ref: 0000022DA5449D35
Part of subcall function 0000022DA5449D10: GetProcAddress.KERNEL32 ref: 0000022DA5449D4D
Part of subcall function 0000022DA5449D10: FreeLibrary.KERNEL32 ref: 0000022DA5449D8F

EnumDesktopsA.USER32 ref: 0000022DA54530F9
CloseWindowStation.USER32 ref: 0000022DA5453102

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: LibraryStationWindow$AddressCloseCurrentDesktopsEnumFreeLoadOpenProcProcess
String ID:
API String ID: 688010510-0
Opcode ID: 7a9cdac373a70054b3c20df1c9dbe98048ed7a927ed2ccc06e9498efc7f87123
Instruction ID: 619eb208342cad2923f6b88ac1fb220a92e90c4592c6f3bcd06e6ad94548119e
Opcode Fuzzy Hash: 7a9cdac373a70054b3c20df1c9dbe98048ed7a927ed2ccc06e9498efc7f87123
Instruction Fuzzy Hash: 8C014471A14B4092EB109F51F84865AB7A4F78C7C0F444529E98E53B58EF7CC5058B00

Function 0000022DA54454D0 Relevance: 6.0, APIs: 4, Instructions: 34fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32 ref: 0000022DA5445517
GetLastError.KERNEL32(?,?,00000000,0000022DA5444821), ref: 0000022DA5445521
free.LIBCMT ref: 0000022DA544552C
free.LIBCMT ref: 0000022DA5445534

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$ErrorFileLastMove
String ID:
API String ID: 2579794736-0
Opcode ID: 291b5438e7529929f52d0f386ec5ed61ff3bfae22bc219a404e2f600446a0a82
Instruction ID: 12bf290048b227deb6f3f5baf6b38457d84aa512ccc46779bba3d98adc526f00
Opcode Fuzzy Hash: 291b5438e7529929f52d0f386ec5ed61ff3bfae22bc219a404e2f600446a0a82
Instruction Fuzzy Hash: E0F04435B01B9093EF44AB92B84876D52A1A788FD0F485031ED09A7758DE78C8428740

Function 0000022DA5455533 Relevance: 6.0, APIs: 4, Instructions: 34windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000022DA545611A
FormatMessageA.KERNEL32 ref: 0000022DA5456153
free.LIBCMT ref: 0000022DA5456175

Part of subcall function 0000022DA546AF38: RtlFreeHeap.NTDLL(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF4E
Part of subcall function 0000022DA546AF38: _errno.LIBCMT ref: 0000022DA546AF58
Part of subcall function 0000022DA546AF38: GetLastError.KERNEL32(?,?,00000000,0000022DA5471DA2,?,?,0000000D,0000022DA546F979,?,?,?,?,0000022DA546B016,?,?,0000000D), ref: 0000022DA546AF60

SetLastError.KERNEL32 ref: 0000022DA545617D

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: ErrorLast$FormatFreeHeapMessage_errnofree
String ID:
API String ID: 1334669472-0
Opcode ID: eaec3b1fcbc6324a5b24d51297b381d9c3f5b9d9b04bce02bb7abc97fde0c2db
Instruction ID: c8805acf7352cbb188ab5f869302aad29b492995e378895ad35dc48ffe94fada
Opcode Fuzzy Hash: eaec3b1fcbc6324a5b24d51297b381d9c3f5b9d9b04bce02bb7abc97fde0c2db
Instruction Fuzzy Hash: 1001AF32A05B40A3F7259FD0F408B6E62A0F3887E4F004426DE4B63B90DF7CC4958750

Function 0000022DA544D1F0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000022DA544D208
CloseHandle.KERNEL32 ref: 0000022DA544D212
TerminateProcess.KERNEL32 ref: 0000022DA544D223
free.LIBCMT ref: 0000022DA544D22C

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: CloseHandle$ProcessTerminatefree
String ID:
API String ID: 2486429917-0
Opcode ID: 412f049ddc23010ba7421f2826d06794b0c0760214997c0c1134fd8403da04d2
Instruction ID: fec5f5cb244ba9a23836ffa3184825a889c3ca0aaf3b3556782e6140c46c2ab0
Opcode Fuzzy Hash: 412f049ddc23010ba7421f2826d06794b0c0760214997c0c1134fd8403da04d2
Instruction Fuzzy Hash: 58F03A31B00B40A2EB48DFB2E999B3923A0FB89FC1F089121DE5AA7755CF78C4948340

Function 0000022DA37D2C00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

_itow_s.LIBCMT ref: 0000022DA37D2C99

Part of subcall function 0000022DA37E9080: xtow_s.LIBCMT ref: 0000022DA37E909D

_itow_s.LIBCMT ref: 0000022DA37D2CD0

Strings

nce tree, xrefs: 0000022DA37D2D1F

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _itow_s$xtow_s
String ID: nce tree
API String ID: 1082565867-362744757
Opcode ID: 9d0118cebba9a1c756e1499f0c9946bbbdd878b5642ec9ce9b0ae3c1da530d1d
Instruction ID: 3d8afb46d3584f7d9a81baae77015f69287cabea67636ea110a15496a0b97473
Opcode Fuzzy Hash: 9d0118cebba9a1c756e1499f0c9946bbbdd878b5642ec9ce9b0ae3c1da530d1d
Instruction Fuzzy Hash: F891A036219F8486DAA0CB5AF49475AB7A5F7C9B88F500126EACD87B69DF3CC1518B00

Function 0000022DA381C2BC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA381CCE8: CreateFileA.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA381C46D), ref: 0000022DA381CD3C
Part of subcall function 0000022DA381CCE8: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA381C46D), ref: 0000022DA381CD4F
Part of subcall function 0000022DA381CCE8: CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000022DA381C46D), ref: 0000022DA381CDE2

LoadLibraryA.KERNEL32 ref: 0000022DA381C491
GetLastError.KERNEL32 ref: 0000022DA381C4A4

Strings

W, xrefs: 0000022DA381C3AC

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ErrorLast$CloseCreateFileHandleLibraryLoad
String ID: W
API String ID: 3673398112-655174618
Opcode ID: e3eee38003e3cf380294a744880cad7600cb3248acc840b3d5760d4c8fa9dda4
Instruction ID: 87dd6a8be66e9b93cd0e87a1730757a1ec2416706f335f089dd9278676e1ea16
Opcode Fuzzy Hash: e3eee38003e3cf380294a744880cad7600cb3248acc840b3d5760d4c8fa9dda4
Instruction Fuzzy Hash: FF71F232118B8197E7D08BB5E498B5BB7F1F7C5784F101025FA8A8AAD9DF78C484DB00

Function 0000022DA38232D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94sleepnetworkCOMMON

Download Yara Rule

APIs

DnsQuery_W.DNSAPI ref: 0000022DA38233D3
Sleep.KERNEL32 ref: 0000022DA38233FB

Strings

%d.%s.%s, xrefs: 0000022DA3823380

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: Query_Sleep
String ID: %d.%s.%s
API String ID: 3064896189-4117531494
Opcode ID: b7551569b396200f6caaa90a9c90138e43f0c7a073e5991dea3db6b24b91ce12
Instruction ID: 89b8a7e9ebce6b842c37a98ece8a721f06e72d479b256cfeeefeead2ace5dda3
Opcode Fuzzy Hash: b7551569b396200f6caaa90a9c90138e43f0c7a073e5991dea3db6b24b91ce12
Instruction Fuzzy Hash: 7441D736628A8487DB908BA9E49471AB7E1F3D8B84F101116FB9A87B68DB78C541CF00

Function 0000022DA37D4BEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 0000022DA37D4C61
calloc.LIBCMT ref: 0000022DA37D4C70

Strings

ree with lengths, xrefs: 0000022DA37D4C28

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: callocswprintf
String ID: ree with lengths
API String ID: 2821977984-1206687603
Opcode ID: a13eb21bdaf03c154b25a5ef7839ee663a8d9d07b3730e9c2d6b5dff98bec649
Instruction ID: 742663577db0577207e102d591903af43a62f34382d77522470250ff2a8ce485
Opcode Fuzzy Hash: a13eb21bdaf03c154b25a5ef7839ee663a8d9d07b3730e9c2d6b5dff98bec649
Instruction Fuzzy Hash: 2F311036214B5593EBA08B59E49576AB7E1F3C8B88F504122EE8D8B7A4DF3CC945CB40

Function 0000022DA37CBD98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

wcschr.LIBCMT ref: 0000022DA37CBE04
_snwprintf_s.LIBCMT ref: 0000022DA37CBEAF

Strings

compression method, xrefs: 0000022DA37CBE98

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: _snwprintf_swcschr
String ID: compression method
API String ID: 1488494685-2394989468
Opcode ID: 53728fefee931a2ebb508c77460470079659acf6498bbc88df63689f9c6ebc03
Instruction ID: 34adb5114d6b6ccd60ae62ffa7c3748805c3102a5a54dbfe85f17fdfe4de0949
Opcode Fuzzy Hash: 53728fefee931a2ebb508c77460470079659acf6498bbc88df63689f9c6ebc03
Instruction Fuzzy Hash: 93316072218A81A3E760DF69E49479BB3A2F7C4744F504026E7C98AA98DF7DC548CB40

Function 0000022DA54B4500 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(0000EA60,0000022DA54B4AFF), ref: 0000022DA54B455F
CloseHandle.KERNEL32 ref: 0000022DA54B459C

Strings

\lsass.exe, xrefs: 0000022DA54B4584

Memory Dump Source

Source File: 00000000.00000002.3274725884.0000022DA54B1000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA54B0000, based on PE: true

Associated: 00000000.00000002.3274713840.0000022DA54B0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274741051.0000022DA54C7000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D0000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274754544.0000022DA54D4000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274778327.0000022DA54D5000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da54b0000_iDaD62by4N.jbxd

Similarity

API ID: CloseHandleOpenProcess
String ID: \lsass.exe
API String ID: 39102293-316735421
Opcode ID: bf0a33010513eedd848553df734bc68e1ba21984676a669285f0801cc9d95d52
Instruction ID: dd703b3c5b58220df38c3c3ac12a07427de1718d84d5f6309a58327d0f339de3
Opcode Fuzzy Hash: bf0a33010513eedd848553df734bc68e1ba21984676a669285f0801cc9d95d52
Instruction Fuzzy Hash: B711E931B1468053EF34DBA6F5447D9A3E1FB8C7C4F450124EB5993789EFA8CA458600

Function 0000022DA37C703C Relevance: 5.3, APIs: 4, Instructions: 267COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000022DA37C729C
malloc.LIBCMT ref: 0000022DA37C72E9
free.LIBCMT ref: 0000022DA37C7422
free.LIBCMT ref: 0000022DA37C7440

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: a05b3f4f0f8d26311a36f74e8274fc892ae58491887857d4bc6903f23e4cad06
Instruction ID: 83feff75f16f46ade7780198929becbeeb09e33466f2e402c4c42a8ded2a1775
Opcode Fuzzy Hash: a05b3f4f0f8d26311a36f74e8274fc892ae58491887857d4bc6903f23e4cad06
Instruction Fuzzy Hash: 1CD1DE32218AC5ABEBA0CB69E494B5AB7F1F7C9798F104115EA8D8B764DF3DC544CB00

Function 0000022DA54450B0 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0000022DA5445030: ExpandEnvironmentStringsW.KERNEL32(?,0000022DA544528E,?,?,00000000,?,?,0000022DA54441EC), ref: 0000022DA5445062
Part of subcall function 0000022DA5445030: free.LIBCMT ref: 0000022DA544506F

GetLastError.KERNEL32 ref: 0000022DA544516D
free.LIBCMT ref: 0000022DA544517F
free.LIBCMT ref: 0000022DA5445187
free.LIBCMT ref: 0000022DA544518F

Memory Dump Source

Source File: 00000000.00000002.3274635801.0000022DA5441000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA5440000, based on PE: true

Associated: 00000000.00000002.3274624232.0000022DA5440000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274659850.0000022DA5481000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274675258.0000022DA5492000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA549C000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274688453.0000022DA54A1000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da5440000_iDaD62by4N.jbxd

Similarity

API ID: free$EnvironmentErrorExpandLastStrings
String ID:
API String ID: 3442589191-0
Opcode ID: baed30adc81c547e3d95290c397dd71a1272d571384f4b9c6af5bc305874585a
Instruction ID: 8f3f8f029f9bac03bbd0fa2fb8666263724865c2847da666261651dcadc65ad4
Opcode Fuzzy Hash: baed30adc81c547e3d95290c397dd71a1272d571384f4b9c6af5bc305874585a
Instruction Fuzzy Hash: 0A21A436B05B8096EF64DB96A44476EA3B0FB59BC0F480121EE8DA3B59EFBCC4418744

Function 0000022DA37C93F0 Relevance: 5.1, APIs: 4, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

rand.LIBCMT ref: 0000022DA37C941B
rand.LIBCMT ref: 0000022DA37C9447
rand.LIBCMT ref: 0000022DA37C946E
rand.LIBCMT ref: 0000022DA37C949B

Part of subcall function 0000022DA37C8BDC: _time64.LIBCMT ref: 0000022DA37C8BEA

Part of subcall function 0000022DA37E7E0C: _getptd.LIBCMT ref: 0000022DA37E7E14

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: rand$_getptd_time64
String ID:
API String ID: 245728536-0
Opcode ID: a82ec2cefcb129ea57a8b14f2c34b17ec677154b6f58ddc472dc0c179104e35e
Instruction ID: effad05f1a00a2761081a9c8813fc89f63de0c467134234108a5d1979f24a3fa
Opcode Fuzzy Hash: a82ec2cefcb129ea57a8b14f2c34b17ec677154b6f58ddc472dc0c179104e35e
Instruction Fuzzy Hash: 8E1123A1FA10C96BE79D967DDC2BB6855CB83D6309F2CD1389105CEFEAD82884018B80

Function 0000022DA3819FF0 Relevance: 5.1, APIs: 4, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

rand.LIBCMT ref: 0000022DA381A01B
rand.LIBCMT ref: 0000022DA381A047
rand.LIBCMT ref: 0000022DA381A06E
rand.LIBCMT ref: 0000022DA381A09B

Part of subcall function 0000022DA38197DC: _time64.LIBCMT ref: 0000022DA38197EA

Part of subcall function 0000022DA3838A0C: _getptd.LIBCMT ref: 0000022DA3838A14

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: rand$_getptd_time64
String ID:
API String ID: 245728536-0
Opcode ID: 0e148f07ddb71317180c8bd904ae471086d3e8f99d4f9070a4ddb8e7832b84cc
Instruction ID: 1bd117ea8981fb9b9c90c407c58b9a7fa85d3bf882cf234df6ba0d212d796f53
Opcode Fuzzy Hash: 0e148f07ddb71317180c8bd904ae471086d3e8f99d4f9070a4ddb8e7832b84cc
Instruction Fuzzy Hash: 031136A1BB11C55BE75C563DCC2BB6859CB43D5305F0CD13C9606CEFDADC2994158740

Function 0000022DA37C5C58 Relevance: 5.1, APIs: 4, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA37C5C9E
free.LIBCMT ref: 0000022DA37C5D36

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2a37156ca432fdc115037b5e2f48d20ad8716e6770901dbf48966f541b417b0c
Instruction ID: b1102936eef41a26b85059f997f950e30fe036aa09b6c358578b7edb89ca6c01
Opcode Fuzzy Hash: 2a37156ca432fdc115037b5e2f48d20ad8716e6770901dbf48966f541b417b0c
Instruction Fuzzy Hash: BA21DF36214A44A3E6A0DB5AD498B1E67B2F7C9F50F614111EB8D4B7A5CF39C844CB00

Function 0000022DA3816858 Relevance: 5.1, APIs: 4, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA381689E
free.LIBCMT ref: 0000022DA3816936

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d4d9540287774547a4cb37d8ebbd3f4ef39f27859966a3cd75a83bf78070c9e3
Instruction ID: 1a137bda8815c7ac6a9741f7e61b2aed45e0680b7f443787454bbd179d101e31
Opcode Fuzzy Hash: d4d9540287774547a4cb37d8ebbd3f4ef39f27859966a3cd75a83bf78070c9e3
Instruction Fuzzy Hash: C121FC36214A4493EAA4DB66D498B5EA7B2F7C5B40F504111EFCD8B7E5CF7DC9448B00

Function 0000022DA381E46C Relevance: 5.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000022DA381E4B8
CloseHandle.KERNEL32 ref: 0000022DA381E515
free.LIBCMT ref: 0000022DA381E543
free.LIBCMT ref: 0000022DA381E55D

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: CloseHandlefree
String ID:
API String ID: 3486141430-0
Opcode ID: 838ed654071c40631eda68f631fbb792f4393b7b9ff441844346000101387389
Instruction ID: a2d4df9bf2ffeb50d2900a6cfc7930deee04dc49d67cac4efcf01f9d903ff49e
Opcode Fuzzy Hash: 838ed654071c40631eda68f631fbb792f4393b7b9ff441844346000101387389
Instruction Fuzzy Hash: B6313332225F8592EBD18B65D498B5A63A1F7C4F60F401321FAAE8B7E4DF38C941C700

Function 0000022DA37CFC40 Relevance: 5.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA37CFC7E
free.LIBCMT ref: 0000022DA37CFCB7
free.LIBCMT ref: 0000022DA37CFCE1
free.LIBCMT ref: 0000022DA37CFD00

Memory Dump Source

Source File: 00000000.00000002.3274464449.0000022DA37C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000022DA37C0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da37c0000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e2e7b0ecd4029482a230d8a698a84c1a780103b3f3023d1571aef2a8f1808391
Instruction ID: a4bf19229405a140c6bac44e35ebdd638d4b07174fb74ec332d6f1af8ef63780
Opcode Fuzzy Hash: e2e7b0ecd4029482a230d8a698a84c1a780103b3f3023d1571aef2a8f1808391
Instruction Fuzzy Hash: BA218636224B89A2EBD19B5AE498B5E77A1F7C4F44F511012FE8E4BBA4CF78C844C700

Function 0000022DA3820840 Relevance: 5.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 0000022DA382087E
free.LIBCMT ref: 0000022DA38208B7
free.LIBCMT ref: 0000022DA38208E1
free.LIBCMT ref: 0000022DA3820900

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: e2e7b0ecd4029482a230d8a698a84c1a780103b3f3023d1571aef2a8f1808391
Instruction ID: 82ab1bfaa579ccd34efaee77a137c0d6925c757eb4b9d6338c9e569b236f8253
Opcode Fuzzy Hash: e2e7b0ecd4029482a230d8a698a84c1a780103b3f3023d1571aef2a8f1808391
Instruction Fuzzy Hash: F821AC76635B4892EB949B96D488B1EA7A1F3C4B40F511011FE5A4B7A4DF78C444C741

Function 0000022DA381E270 Relevance: 5.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 0000022DA381E2C0
CloseHandle.KERNEL32 ref: 0000022DA381E2CF
CloseHandle.KERNEL32 ref: 0000022DA381E2DE
free.LIBCMT ref: 0000022DA381E2FF

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: CloseHandle$free
String ID:
API String ID: 1609210156-0
Opcode ID: 357d3d16d2c0a9f6b64f96e843bc8c51d6786ed4f0a8e0156c311bf668da9696
Instruction ID: c07e501d7d91dc1ed29b693a10e0e8fc7db7dbba1c7b98267ecea024f3715986
Opcode Fuzzy Hash: 357d3d16d2c0a9f6b64f96e843bc8c51d6786ed4f0a8e0156c311bf668da9696
Instruction Fuzzy Hash: 48219A36204B8892DBA0DB66E89875A77B1F7C8B84F454122EE8D47BA5DF3DC581CB00

Function 0000022DA38287F4 Relevance: 5.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 0000022DA3828832

Memory Dump Source

Source File: 00000000.00000002.3274501460.0000022DA3811000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000022DA3810000, based on PE: true

Associated: 00000000.00000002.3274489665.0000022DA3810000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274522975.0000022DA3848000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3852000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274536335.0000022DA3859000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3274561789.0000022DA385B000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22da3810000_iDaD62by4N.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: 7d43caf65be07134105767492c5b0294db6c666b17a0894c8eb58e72d45b9cff
Instruction ID: 2f4bf29b921be9a9b81d0983fe3a0ccb4b7979dda4831bcdc557f2442b2626e2
Opcode Fuzzy Hash: 7d43caf65be07134105767492c5b0294db6c666b17a0894c8eb58e72d45b9cff
Instruction Fuzzy Hash: 2A113372618B809BE7E09BB1E44871AA7A2F7C4794F101115FA9A4BBD4DB7CC0448B41

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Modification, Command: Command Execution, File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report iDaD62by4N.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Meterpreter

Threatname: Metasploit

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\89dad5d484a9f889a3a8dfca823edc3e_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Windows Analysis Report
iDaD62by4N.exe

Function 0000022DA54515C0 Relevance: 54.4, APIs: 22, Strings: 9, Instructions: 196
libraryloaderCOMMON

Function 0000022DA381AC84 Relevance: 33.3, APIs: 22, Instructions: 268
encryptionCOMMONLIBRARYCODE

Function 0000022DA381B564 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 204
encryptionCOMMON

Function 0000022DA3821AA4 Relevance: 27.3, APIs: 18, Instructions: 288
networkCOMMON

Function 0000022DA381B138 Relevance: 12.2, APIs: 8, Instructions: 183
encryptionCOMMON

Function 0000022DA381B69F Relevance: 9.0, APIs: 6, Instructions: 37
encryptionCOMMON

Function 0000022DA5447BA0 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 231
libraryloaderCOMMON

Function 0000022DA54478C0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 171
libraryloaderCOMMON

Function 0000022DA36700D6 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124
networklibrarymemoryCOMMON

Function 00007FF6EF725524 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Function 0000022DA5452460 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74
COMMON

Function 0000022DA54523C0 Relevance: 9.0, APIs: 6, Instructions: 40
threadCOMMON

Function 00007FF6EF713000 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 169
threadCOMMON

Function 0000022DA3828514 Relevance: 6.1, APIs: 4, Instructions: 66
COMMONLIBRARYCODE

Function 00007FF6EF7113D0 Relevance: 4.6, APIs: 3, Instructions: 75
memorysynchronizationthreadCOMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre