Edit tour

Windows Analysis Report
LX4CUQO8qI.dll

Overview

General Information

Sample name:	LX4CUQO8qI.dll renamed because original name is a hash value
Original sample name:	882E00DD2C44F57162C0AC90858E8FC7.dll
Analysis ID:	1500271
MD5:	882e00dd2c44f57162c0ac90858e8fc7
SHA1:	8e7c38c20fb19e890c896a4c98108b291237afb8
SHA256:	d999e7ee9fb086bf4109f9c1821d959fd8b038902fa6f8dff2c3beafc36bee7b
Tags:	dll
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CobaltStrike

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

PE file contains sections with non-standard names

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 7704 cmdline: loaddll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7752 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7780 cmdline: rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

regsvr32.exe (PID: 7764 cmdline: regsvr32.exe /s C:\Users\user\Desktop\LX4CUQO8qI.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

rundll32.exe (PID: 7788 cmdline: rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllGetClassObject MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7868 cmdline: rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllMain MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7924 cmdline: rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 2003, "SleepTime": 30000, "MaxGetSize": 1398102, "Jitter": 20, "C2Server": "154.82.113.115,/owa/", "HttpPostUri": "/OWA/", "Malleable_C2_Instructions": ["Base64 URL-safe decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "GET", "HttpPostChunk": 96, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x887:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x8f3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x344cf:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x3453b:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1
Process Memory Space: loaddll32.exe PID: 7704	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: loaddll32.exe PID: 7704	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.loaddll32.exe.960000.0.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.loaddll32.exe.960000.0.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.loaddll32.exe.960000.0.unpack	Windows_Trojan_Metasploit_7bc0f998	Identifies the API address lookup function leverage by metasploit shellcode	unknown	0x34487:$a1: 48 31 D2 65 48 8B 52 60 48 8B 52 18 48 8B 52 20 48 8B 72 50 48 0F B7 4A 4A 4D 31 C9 48 31 C0 AC 3C 61
0.2.loaddll32.exe.960000.0.unpack	Windows_Trojan_Metasploit_c9773203	Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families.	unknown	0x344f3:$a: 48 31 C0 AC 41 C1 C9 0D 41 01 C1 38 E0 75 F1 4C 03 4C 24 08 45 39 D1

Suricata Signatures

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:22.534991+0200
SID:	2028765
Severity:	3
Source Port:	49742
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:28.243287+0200
SID:	2028765
Severity:	3
Source Port:	49743
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET MALWARE Meterpreter or Other Reverse Shell SSL Cert - Source IP: 154.82.113.115 - Destination IP: 192.168.2.4

Timestamp:	2024-08-28T07:09:32.344215+0200
SID:	2035651
Severity:	1
Source Port:	2003
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:11:27.521168+0200
SID:	2028765
Severity:	3
Source Port:	49754
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:16.208107+0200
SID:	2028765
Severity:	3
Source Port:	49741
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:58.177119+0200
SID:	2028765
Severity:	3
Source Port:	49749
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:40.161221+0200
SID:	2028765
Severity:	3
Source Port:	49746
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:11:16.231106+0200
SID:	2028765
Severity:	3
Source Port:	49752
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:11:10.815329+0200
SID:	2028765
Severity:	3
Source Port:	49751
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:11:21.946675+0200
SID:	2028765
Severity:	3
Source Port:	49753
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:46.453380+0200
SID:	2028765
Severity:	3
Source Port:	49747
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:11:04.280237+0200
SID:	2028765
Severity:	3
Source Port:	49750
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:08.303721+0200
SID:	2028765
Severity:	3
Source Port:	49739
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:33.718106+0200
SID:	2028765
Severity:	3
Source Port:	49744
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:52.741600+0200
SID:	2028765
Severity:	3
Source Port:	49748
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:09:30.416134+0200
SID:	2028765
Severity:	3
Source Port:	49730
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

ET JA3 Hash - [Abuse.ch] Possible Dridex - Source IP: 192.168.2.4 - Destination IP: 154.82.113.115

Timestamp:	2024-08-28T07:10:03.136520+0200
SID:	2028765
Severity:	3
Source Port:	49738
Destination Port:	2003
Protocol:	TCP
Classtype:	Unknown Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LX4CUQO8qI.dll

Avira: detected

Found malware configuration

Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 2003, "SleepTime": 30000, "MaxGetSize": 1398102, "Jitter": 20, "C2Server": "154.82.113.115,/owa/", "HttpPostUri": "/OWA/", "Malleable_C2_Instructions": ["Base64 URL-safe decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "GET", "HttpPostChunk": 96, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""}

Multi AV Scanner detection for domain / URL

Source: https://154.82.113.115/	Virustotal: Detection: 9%			Perma Link
Source: 154.82.113.115	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for submitted file

Source: LX4CUQO8qI.dll	ReversingLabs: Detection: 65%
Source: LX4CUQO8qI.dll	Virustotal: Detection: 60%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.4% probability

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0096D7AA CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

0_2_0096D7AA

Source: LX4CUQO8qI.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: LX4CUQO8qI.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0096480C _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_0096480C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0096925B _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose,		0_2_0096925B

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 154.82.113.115:2003 -> 192.168.2.4:49730

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 154.82.113.115

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 154.82.113.115:2003

Source: Joe Sandbox View

ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS

Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49750 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49749 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49738 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49746 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49753 -> 154.82.113.115:2003
Source: Network traffic	Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 154.82.113.115:2003

Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115
Source: unknown	TCP traffic detected without corresponding DNS query: 154.82.113.115

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0096296B _memset,__snprintf,__snprintf,__snprintf,HttpOpenRequestA,HttpSendRequestA,InternetCloseHandle,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_0096296B

Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: loaddll32.exe, 00000000.00000003.2094032497.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2093978733.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2936517291.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1794866952.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab(
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2093978733.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1794866952.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enlJ
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://154.82.113.115/
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2936517291.0000000000A72000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://154.82.113.115:2003/
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://154.82.113.115:2003/hy
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://154.82.113.115:2003/oft
Source: loaddll32.exe, 00000000.00000002.2936891536.000000000129C000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://154.82.113.115:2003/owa/?wa=FPR-lSl93sxmVlVCOAlZFbF7o1dHykWQX
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://154.82.113.115:2003/owa/?wa=FPR-lSl93sxmVlVCOAlZFbF7o1dHykWQXURFaS8Dwbgi6FyenzDlocbqwA4aTXi6

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown
Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown
Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00964065 CreateProcessAsUserA,GetLastError,GetLastError,GetLastError,CreateProcessA,GetLastError,

0_2_00964065

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_01098954	0_3_01098954
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_010A5DB8	0_3_010A5DB8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_010A2470	0_3_010A2470
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_010A57E8	0_3_010A57E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_0109365C	0_3_0109365C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009838D1	0_2_009838D1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009840FD	0_2_009840FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00983028	0_2_00983028
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00986145	0_2_00986145
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00986970	0_2_00986970
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00974214	0_2_00974214
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009863A0	0_2_009863A0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00985B20	0_2_00985B20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00983CDD	0_2_00983CDD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009834FD	0_2_009834FD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0097950C	0_2_0097950C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_0108CD8D	0_3_0108CD8D

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 00979AD4 appears 39 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 01098F1C appears 35 times

Source: LX4CUQO8qI.dll

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL

Source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23
Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23
Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winDLL@14/4@0/1

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009637C3 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_009637C3

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00969031 _memset,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,

0_2_00969031

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03

Source: LX4CUQO8qI.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1

Source: LX4CUQO8qI.dll	ReversingLabs: Detection: 65%
Source: LX4CUQO8qI.dll	Virustotal: Detection: 60%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\LX4CUQO8qI.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllMain
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\LX4CUQO8qI.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllGetClassObject	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllMain	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: LX4CUQO8qI.dll

Static PE information: Image base 0x6cfc0000 > 0x60000000

Source: LX4CUQO8qI.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009809A5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_009809A5

Source: LX4CUQO8qI.dll

Static PE information: section name: .eh_fram

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\LX4CUQO8qI.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_01096248 push eax; ret	0_3_0109624F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_0109572F push edi; ret	0_3_01095730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_01096F68 push dword ptr [ecx-75h]; iretd	0_3_01096F70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_01098F61 push ecx; ret	0_3_01098F74
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0098ABE1 push FFFFFFCBh; retf	0_2_0098ABE5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00979B19 push ecx; ret	0_2_00979B2C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0098932C pushfd ; ret	0_2_00989331
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00976E00 push eax; ret	0_2_00976E07
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0391061C push eax; mov dword ptr [esp], ebx	0_2_0391065F

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00963374		0_2_00963374
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00966C1F		0_2_00966C1F

Source: C:\Windows\System32\loaddll32.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-20603

Source: C:\Windows\System32\loaddll32.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_0-19760
Source: C:\Windows\System32\loaddll32.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-20367

Source: C:\Windows\System32\loaddll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_0-19098
Source: C:\Windows\System32\loaddll32.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep			graph_0-18709

Source: C:\Windows\System32\loaddll32.exe

API coverage: 8.2 %

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00966C1F

0_2_00966C1F

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0096480C _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_0096480C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0096925B _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose,		0_2_0096925B

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.2936517291.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2936517291.0000000000A28000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\loaddll32.exe

API call chain: ExitProcess graph end node

graph_0-19099

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0391047E LdrInitializeThunk,

0_2_0391047E

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0097EB2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_0097EB2E

Source: C:\Windows\System32\loaddll32.exe

0_2_009809A5

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_010B479D mov eax, dword ptr fs:[00000030h]	0_3_010B479D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_3_010B47AA mov eax, dword ptr fs:[00000030h]	0_3_010B47AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_039101A1 mov eax, dword ptr fs:[00000030h]	0_2_039101A1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_039101AE mov eax, dword ptr fs:[00000030h]	0_2_039101AE

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00984B20 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

0_2_00984B20

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00981150 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00981150
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0097EB2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0097EB2E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0097AD12 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0097AD12

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0096CAAA LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_0096CAAA

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0096CC7A GetCurrentProcessId,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0096CC7A

Source: C:\Windows\System32\loaddll32.exe

Code function: GetLocaleInfoA,

0_2_009846F0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00963873 CreateNamedPipeA,

0_2_00963873

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00978876 GetSystemTimeAsFileTime,__aulldiv,

0_2_00978876

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00966CD1 GetUserNameA,GetComputerNameA,GetModuleFileNameA,_strrchr,GetVersionExA,__snprintf,

0_2_00966CD1

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00966CD1 GetUserNameA,GetComputerNameA,GetModuleFileNameA,_strrchr,GetVersionExA,__snprintf,

0_2_00966CD1

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 7704, type: MEMORYSTR
Source: Yara match	File source: 0.2.loaddll32.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00967293 socket,htons,ioctlsocket,closesocket,bind,listen,	0_2_00967293
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00967375 htonl,htons,socket,closesocket,bind,ioctlsocket,	0_2_00967375
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0096D5DB socket,closesocket,htons,bind,listen,	0_2_0096D5DB

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	3 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Access Token Manipulation	1 Virtualization/Sandbox Evasion	LSASS Memory	131 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	12 Process Injection	21 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	12 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Regsvr32	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	14 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
LX4CUQO8qI.dll	66%	ReversingLabs	Win32.Trojan.CobaltStrike
LX4CUQO8qI.dll	60%	Virustotal		Browse
LX4CUQO8qI.dll	100%	Avira	HEUR/AGEN.1354117

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
bg.microsoft.map.fastly.net	0%	Virustotal		Browse
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://154.82.113.115/	0%	Avira URL Cloud	safe
https://154.82.113.115:2003/owa/?wa=FPR-lSl93sxmVlVCOAlZFbF7o1dHykWQXURFaS8Dwbgi6FyenzDlocbqwA4aTXi6	0%	Avira URL Cloud	safe
154.82.113.115	0%	Avira URL Cloud	safe
https://154.82.113.115:2003/	0%	Avira URL Cloud	safe
https://154.82.113.115:2003/hy	0%	Avira URL Cloud	safe
https://154.82.113.115:2003/oft	0%	Avira URL Cloud	safe
https://154.82.113.115:2003/owa/?wa=FPR-lSl93sxmVlVCOAlZFbF7o1dHykWQX	0%	Avira URL Cloud	safe
https://154.82.113.115/	9%	Virustotal		Browse
154.82.113.115	9%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.21	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
154.82.113.115	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://154.82.113.115/	loaddll32.exe, 00000000.00000002.2936517291.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://154.82.113.115:2003/owa/?wa=FPR-lSl93sxmVlVCOAlZFbF7o1dHykWQXURFaS8Dwbgi6FyenzDlocbqwA4aTXi6	loaddll32.exe, 00000000.00000002.2936517291.0000000000A28000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://154.82.113.115:2003/	loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2936517291.0000000000A72000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://154.82.113.115:2003/hy	loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://154.82.113.115:2003/oft	loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://154.82.113.115:2003/owa/?wa=FPR-lSl93sxmVlVCOAlZFbF7o1dHykWQX	loaddll32.exe, 00000000.00000002.2936891536.000000000129C000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.82.113.115	unknown	Seychelles		32708	ROOTNETWORKSUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1500271
Start date and time:	2024-08-28 07:08:29 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LX4CUQO8qI.dll renamed because original name is a hash value
Original Sample Name:	882E00DD2C44F57162C0AC90858E8FC7.dll
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@14/4@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 23 Number of non-executed functions: 119
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	http://autoiothiatowers.web.app/0.05389702077273273	Get hash	malicious	HTMLPhisher	Browse	217.20.57.26
	https://appeal-right.netlify.app/	Get hash	malicious	Unknown	Browse	217.20.57.21
	http://pub-ceb6fc917f1a45e3a1cfe0221e017792.r2.dev/index.html	Get hash	malicious	Unknown	Browse	84.201.210.34
	https://bx1f04.na1.hubspotlinks.com/Ctc/2D+113/bX1F04/VWNJB36hmH_dW5B6f4M3tvNPkW6wcfC_5kfpqkN8pR4CT3qn9gW8wLKSR6lZ3lWW4RH0pD8cfc9fW1F_Bh_64Dbx_W8NP5442K_JLsW7VR2DZ6lXzbTW28cFfX9gXt3BW7kls0H2y2hq_W3ngTnJ28DTx_W6DvQHq8CwpszW2lLgbg3Q_MrpW2nSqGh8-5CjqW8mVvJw37-m1FW7tfJZm8wSKY9W920ndF61Cm7DW9fdnsh4qV1mzW6pLzrc94r10SW7SD62m3Qvv5jW87mYgh1YRjnYVKpmxr6B_xWTW3fp6Zx8jLGfWW7jL-y0457X8VN1TltTwsBPcYW7WJ-FL8qLjSdW7qm5WN8GZBkfW95bMcn6zJPqCVf27963J_4FxV1TfBP8XznlQW4GzPL-176L_NW72HRpV192F4df1YJ3TM04	Get hash	malicious	Unknown	Browse	217.20.57.36
	Vak#U0131fBank - #U00d6deme onay makbuzu 20240826.pdf.exe	Get hash	malicious	Quasar	Browse	84.201.210.37
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFl8RKvJCjgfWXgpyGiQbouwIVFCzJZdO6C7IEJWnFiPmUdkD_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZOJptL-2BsSl02HxRvbllikFuSJtHHDkVwyIj5AuFgiubBu9sTxc8j0-2BQG5wldcZa7WyDp4BZYdRmFKi1MU2RpCFoGVLX1rLVx-2BFFfe8ZtbBDm0OusvqG9hc8jycErQH9w4yo0iZBNb6ruS35AQpqe-2Bn9sSG0dYdsEjJuPPD68-2FQoiA15kbRIRZcVBuBtywmpClclGh64Ps2rLg6E3U3-2Ft-2B24zaJbCf8tvrjozgadicpaRwQ3KIy53pMZsOUCbTeEqGc-3D#bGFtYmVydC5nZW9yZ2lhQGFpZGIub3Jn	Get hash	malicious	Unknown	Browse	217.20.57.27
	SecuriteInfo.com.Trojan-Downloader.Win32.Agent.xycwio.1244.6578.exe	Get hash	malicious	Coinhive	Browse	217.20.57.42
	http://telegramr.club/	Get hash	malicious	Telegram Phisher	Browse	217.20.57.22
	https://meta.submitdisablecase.eu/community-standard/407721902629009	Get hash	malicious	Unknown	Browse	217.20.57.43
	https://ipfs.io/ipfs/bafkreietmk3h6ldxpjxm2yqz3nui477zqwmz5m6du5fljx4a5bnqt4gzse	Get hash	malicious	HTMLPhisher	Browse	217.20.57.37
bg.microsoft.map.fastly.net	ibero.bat	Get hash	malicious	SilverRat	Browse	199.232.210.172
	https://www.wpspublish.com/customer/account/createPassword/?id=28732&token=k5FPAv4ZQlJ0DbFv9HIliRQV9FN7ztvs	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://wpspublish.com	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://pub-10050726d25949d8bd6cb438a8b6b09c.r2.dev/home.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://emea.dcv.ms/haHCQHi4RD	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	http://get-verified-free-badge.vercel.app/	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://rondgeusbe-f69b39.ingress-erytho.ewp.live/wp-content/plugins/esidem/pages/region.php	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://pub-78727057140540a199a7e00bf238a392.r2.dev/index.html	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://onoff.vn/blog/wp-content/builds/app/smserror.php	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://office.microsoftoniline.com/common/oauth2/v2.0/authorize/?clinet_id=2e5d6a57-eb8c-44bf3-8bd3-fc61824af882	Get hash	malicious	Unknown	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTNETWORKSUS	3621103789.exe	Get hash	malicious	Unknown	Browse	154.82.84.197
	#U540d#U5f55#U5217#U8868_install_.exe	Get hash	malicious	GhostRat	Browse	154.82.92.202
	#U901a#U77e5#U5982#U4e0b.exe	Get hash	malicious	GhostRat	Browse	154.82.92.202
	http://telegxawm.com/	Get hash	malicious	Unknown	Browse	154.82.100.126
	sora.x86.elf	Get hash	malicious	Mirai	Browse	38.145.246.108
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse	154.82.85.236
	SvpnLong2.exe	Get hash	malicious	Unknown	Browse	154.82.85.236
	down.exe	Get hash	malicious	GhostRat, Mimikatz, Nitol	Browse	154.82.85.12
	Supe.exe	Get hash	malicious	Unknown	Browse	154.82.85.236
	Supe.exe	Get hash	malicious	Unknown	Browse	154.82.85.236

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\loaddll32.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\System32\loaddll32.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.229605184327072
Encrypted:	false
SSDEEP:	6:kKv9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:2DImsLNkPlE99SNxAhUe/3
MD5:	1D03BEA958C410A26CEAC6A48F63D21F
SHA1:	1AD004103D1D2F31E32636BA17FC7E9C400AF016
SHA-256:	42C7EA99DE8977C620714CF23F3CDB5670B93603C96C1F3FC119BF584809A9DB
SHA-512:	863CCFED9F211804A48534FD2D81748D41EF7F9B0D184D6B23B9F149A7007ACC477DF40D18D50CF9655D71048A902D45B72E5D230B9DE4CA97B5273760785BAB
Malicious:	false
Reputation:	low
Preview:	p...... ......... Hw....(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

\Device\Mailslot\slot-3457

Download File

Process:	C:\Windows\System32\loaddll32.exe
File Type:	data
Category:	dropped
Size (bytes):	239616
Entropy (8bit):	7.528695531238492
Encrypted:	false
SSDEEP:	3072:SnvEg+AeNNOcCsO8JzxPuvEKbZTOTCMIGEvWZSfx13gArA7lre5YtszmY229qZAt:SbWNKshx2JZmrxkn3gmAJoYjY2HZA4I3
MD5:	4ACFF65641011450C7E5669D6390148A
SHA1:	2BB5CAD326881A622BC7662FF2E6FD2AC1817179
SHA-256:	E8432C9C2694766BD8ED345EC636DF00B5E57C053F1BBDCDD59B7BABC319EE59
SHA-512:	6C35481D4434FE4B025C21C064F8427AB1FCE31B503FB1EE788BC380CAE307E3E81679B533BEB739C2328CC6945C051ADB11B4A14B7CE8019D65DD23C4BCAD92
Malicious:	false
Reputation:	low
Preview:	.;GH4Q.2.:...p.E....FZv.[.U.2.6...Q.2.a...Q.2.a...Q.2.a..\Q.2.~........A.p.Z..5}.>.@..5n.?.].Awh.#.\..{-......qh.\.8.a...Q.2.$...P.2.a...Q.2.a..<Q...`...+.2.....Q.2.....A.2.....Q.".q...S.2.a...Q.2.a...Q.2.....U.2.a...Q.3.a...A.2.a...A.2.a...Q.2FJ...Q.2R{...Q.2.a...Q.2.a...Q.2.a...Q.2.Q...I.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.....R.2.a...Q.2.a...Q.2.a...Q.2..pu.Q.23....A.2.....U.2.a...Q.2.a...Q.R..ql.0.2.......2...../.2.a...Q.2.a...Q.r..ty.Q.2.....a.2.....M.2.a...Q.2.a...Q...pa.2.2.A...a.2.C....2.a...Q.2.a...Q.p.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2

\Device\Mailslot\slot-457

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	102400
Entropy (8bit):	7.6470620959270175
Encrypted:	false
SSDEEP:	3072:SnvEg+AeNNOcCsO8JzxPuvEKbZTOTCMIGEvWZT:SbWNKshx2JZmrxT
MD5:	74FFE47C6D4DE71335D2D8D99E13D37B
SHA1:	59E3B38BBE6536D2E81579F86E5A0B0784A12004
SHA-256:	ADDDD0957AAFDB649C1EA22A48322EDA7F8C1C07E40B506A5B0255BAD59426A9
SHA-512:	05773724BF1E6F60B8F68AB50171637AD091E8B60F59659F442DEF9580A1AD973EC93FF6244786FFA10B83B57DA656D87EDC7DAFFC34B77A7DF5E95662203F2D
Malicious:	false
Reputation:	low
Preview:	.;GH4Q.2.:...p.E....FZv.[.U.2.6...Q.2.a...Q.2.a...Q.2.a..\Q.2.~........A.p.Z..5}.>.@..5n.?.].Awh.#.\..{-......qh.\.8.a...Q.2.$...P.2.a...Q.2.a..<Q...`...+.2.....Q.2.....A.2.....Q.".q...S.2.a...Q.2.a...Q.2.....U.2.a...Q.3.a...A.2.a...A.2.a...Q.2FJ...Q.2R{...Q.2.a...Q.2.a...Q.2.a...Q.2.Q...I.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.....R.2.a...Q.2.a...Q.2.a...Q.2..pu.Q.23....A.2.....U.2.a...Q.2.a...Q.R..ql.0.2.......2...../.2.a...Q.2.a...Q.r..ty.Q.2.....a.2.....M.2.a...Q.2.a...Q...pa.2.2.A...a.2.C....2.a...Q.2.a...Q.p.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2.a...Q.2

Static File Info

General

File type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.6167264315880985
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LX4CUQO8qI.dll
File size:	355'840 bytes
MD5:	882e00dd2c44f57162c0ac90858e8fc7
SHA1:	8e7c38c20fb19e890c896a4c98108b291237afb8
SHA256:	d999e7ee9fb086bf4109f9c1821d959fd8b038902fa6f8dff2c3beafc36bee7b
SHA512:	05e75efbd6f383564091950f6d8bfe5069700c859f9beb20a7627fc9052a0cea5beb8d133a4e3fee6c71386992ac4efa6beb5d86262b5729f934a3c0e8c4619b
SSDEEP:	6144:DsyrpKZu/6bWNKshx2JZmrxkn3gmAJoYjY2HZA4I:DdVKZu/6phJZminOGOY259I
TLSH:	8B749D9AE5CE3BBFF151D730C40FA725AF9029983369872C49C587592BA761333C981B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...;.&f...........#...).v...j.....................l................................."....@... ............................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x6cfc1390
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x6cfc0000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6626E13B [Mon Apr 22 22:14:19 2024 UTC]
TLS Callbacks:	0x6cfc1ca0, 0x6cfc1c50
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b189f83bdce907074c1f8f63d1974fe5

Entrypoint Preview

Instruction
sub esp, 0Ch
mov dword ptr [6D018120h], 00000000h
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
call 00007FE5F0E896F7h
add esp, 0Ch
retn 000Ch
lea esi, dword ptr [esi+00000000h]
lea esi, dword ptr [esi+00h]
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], 6D018000h
mov dword ptr [esp+04h], eax
call 00007FE5F0E9025Eh
add esp, 1Ch
ret
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 6D015000h
call dword ptr [6D01A170h]
sub esp, 04h
test eax, eax
je 00007FE5F0E89915h
mov ebx, eax
mov dword ptr [esp], 6D015000h
call dword ptr [6D01A198h]
mov edi, dword ptr [6D01A178h]
sub esp, 04h
mov dword ptr [6D018010h], eax
mov dword ptr [esp+04h], 6D015013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 6D015029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [6CFC9004h], eax
test esi, esi
je 00007FE5F0E898B3h
mov dword ptr [esp+04h], 6D018014h
mov dword ptr [esp], 6D016124h
call esi
mov dword ptr [eax+eax], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x59000	0xaa	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5a000	0x6bc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5d000	0x440	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5508c	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5a138	0xfc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7414	0x7600	7b0ba2fcfe5af863b8a244efed9daee3	False	0.5615068855932204	data	6.221679032999006	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x9000	0x4bc84	0x4be00	c2d0f53aa616f3acbcdfa7422204216e	False	0.5452243358731467	data	6.566620498653716	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x55000	0x80c	0xa00	528975c1e588ce61a8d4929a68abb985	False	0.3359375	data	4.914761132868546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x56000	0x171c	0x1800	939f3d7920cb73aa42f05db7121f35b1	False	0.3489583333333333	data	4.806623669374318	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x58000	0xb30	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x59000	0xaa	0x200	8f6553dc45cea0fe170cb488b61b82ee	False	0.265625	data	1.962743792527949	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x5a000	0x6bc	0x800	5dc42cd4f08ec230e77ec216282edbcc	False	0.38330078125	data	4.5785745189937455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5b000	0x2c	0x200	d8422d6e25ecb2eb08bca8f681b56a0b	False	0.0546875	data	0.20153937813451883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5c000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5d000	0x440	0x600	5562fa3d49c966c6955281f58b6f3fef	False	0.6412760416666666	data	5.234940914371754	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

CloseHandle, ConvertThreadToFiber, CreateFiber, CreateFileA, CreateMailslotA, CreateThread, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, FreeLibrary, GetCurrentProcess, GetCurrentThreadId, GetLastError, GetMailslotInfo, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetTickCount, HeapAlloc, HeapCreate, HeapReAlloc, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, ReadFile, Sleep, SleepEx, SwitchToFiber, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject, WideCharToMultiByte, WriteFile

msvcrt.dll

__mb_cur_max, _amsg_exit, _errno, _initterm, _iob, _lock, _unlock, abort, atoi, calloc, fputc, free, fwrite, localeconv, malloc, memcpy, memset, realloc, setlocale, strchr, strerror, strlen, strncmp, vfprintf, wcslen

Exports

Name	Ordinal	Address
DllGetClassObject	1	0x6cfc1b56
DllMain	2	0x6cfc1b0b
DllRegisterServer	3	0x6cfc1b50
DllUnregisterServer	4	0x6cfc1b53
StartW	5	0x6cfc1b63

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Severity	Source Port	Dest Port	Source IP	Dest IP
2024-08-28T07:10:22.534991+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49742	2003	192.168.2.4	154.82.113.115
2024-08-28T07:10:28.243287+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49743	2003	192.168.2.4	154.82.113.115
2024-08-28T07:09:32.344215+0200	TCP	2035651	ET MALWARE Meterpreter or Other Reverse Shell SSL Cert	1	2003	49730	154.82.113.115	192.168.2.4
2024-08-28T07:11:27.521168+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49754	2003	192.168.2.4	154.82.113.115
2024-08-28T07:10:16.208107+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49741	2003	192.168.2.4	154.82.113.115
2024-08-28T07:10:58.177119+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49749	2003	192.168.2.4	154.82.113.115
2024-08-28T07:10:40.161221+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49746	2003	192.168.2.4	154.82.113.115
2024-08-28T07:11:16.231106+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49752	2003	192.168.2.4	154.82.113.115
2024-08-28T07:11:10.815329+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49751	2003	192.168.2.4	154.82.113.115
2024-08-28T07:11:21.946675+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49753	2003	192.168.2.4	154.82.113.115
2024-08-28T07:10:46.453380+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49747	2003	192.168.2.4	154.82.113.115
2024-08-28T07:11:04.280237+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49750	2003	192.168.2.4	154.82.113.115
2024-08-28T07:10:08.303721+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49739	2003	192.168.2.4	154.82.113.115
2024-08-28T07:10:33.718106+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49744	2003	192.168.2.4	154.82.113.115
2024-08-28T07:10:52.741600+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49748	2003	192.168.2.4	154.82.113.115
2024-08-28T07:09:30.416134+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49730	2003	192.168.2.4	154.82.113.115
2024-08-28T07:10:03.136520+0200	TCP	2028765	ET JA3 Hash - [Abuse.ch] Possible Dridex	3	49738	2003	192.168.2.4	154.82.113.115

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 28, 2024 07:09:29.552496910 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:29.557540894 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:29.557624102 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:29.566930056 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:29.571799040 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:30.415929079 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:30.416134119 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:30.679497957 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:30.679660082 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:32.339308023 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:32.344214916 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:32.640942097 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:32.641005993 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:32.950792074 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:32.950949907 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:32.955272913 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:32.962480068 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:33.260396957 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:33.260413885 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:09:33.260478973 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:33.261339903 CEST	49730	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:09:33.266108036 CEST	2003	49730	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:01.958992004 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:01.963778973 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:01.963888884 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:01.964539051 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:01.964539051 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:01.969269037 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:01.969393969 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:03.136444092 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:03.136496067 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:03.136519909 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:03.136547089 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:03.136568069 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:03.136604071 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:03.137042046 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:03.141779900 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:03.199342966 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:03.204082966 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:03.692744017 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:03.692823887 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:03.692838907 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:03.692878962 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:03.692991972 CEST	49738	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:03.698405981 CEST	2003	49738	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:07.423533916 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:07.428430080 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:07.428500891 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:07.429438114 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:07.434252977 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:08.303601980 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:08.303720951 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:08.559834003 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:08.559926033 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:08.560836077 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:08.564593077 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:08.565576077 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:08.569331884 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:10.116363049 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:10.116378069 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:10.116386890 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:10.116441965 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:10.116476059 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:10.116574049 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:10.116616964 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:10.116710901 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:10.117238998 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:10.117302895 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:10.117908001 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:10.117942095 CEST	49739	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:10.121588945 CEST	2003	49739	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:14.552598953 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:14.557573080 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:14.557636023 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:14.557876110 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:14.562637091 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.207902908 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.208106995 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.208158970 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.208205938 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.208683014 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.208740950 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.208817005 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.208856106 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.209034920 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.210259914 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.520242929 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.603624105 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.603684902 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.604624033 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.604633093 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.604640961 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.916984081 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.917072058 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.917078972 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.917114973 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:16.917121887 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.917152882 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.917505026 CEST	49741	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:16.922336102 CEST	2003	49741	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:20.646409988 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:21.031791925 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:21.031873941 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:21.034441948 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:21.039244890 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:22.534687996 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:22.534722090 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:22.534734964 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:22.534742117 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:22.534991026 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:22.534991026 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:22.535372972 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:22.536791086 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:22.540074110 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:22.540131092 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:22.540131092 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:22.541672945 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:23.088709116 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:23.088736057 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:23.088956118 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:23.088956118 CEST	49742	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:23.093789101 CEST	2003	49742	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:27.172983885 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:27.333549976 CEST	2003	49743	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:27.333734035 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:27.334048033 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:27.338849068 CEST	2003	49743	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:28.243228912 CEST	2003	49743	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:28.243287086 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:28.510557890 CEST	2003	49743	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:28.510870934 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:28.511223078 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:28.512475967 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:28.515958071 CEST	2003	49743	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:28.517277956 CEST	2003	49743	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:29.112097025 CEST	2003	49743	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:29.112184048 CEST	2003	49743	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:29.112220049 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:29.112364054 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:29.112365007 CEST	49743	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:29.117305040 CEST	2003	49743	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:32.820000887 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:32.824949026 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:32.825009108 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:32.825274944 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:32.830708981 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:33.718008995 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:33.718106031 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:34.044672012 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:34.044751883 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:34.045131922 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:34.046422005 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:34.051151037 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:34.052891970 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:34.626121044 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:34.626133919 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:34.626146078 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:34.626189947 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:34.626219988 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:34.626354933 CEST	49744	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:34.631268978 CEST	2003	49744	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:39.240241051 CEST	49746	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:39.245431900 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:39.245520115 CEST	49746	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:39.245860100 CEST	49746	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:39.250688076 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:40.161151886 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:40.161221027 CEST	49746	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:40.427700996 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:40.427886963 CEST	49746	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:40.428163052 CEST	49746	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:40.432948112 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:40.433528900 CEST	49746	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:40.438546896 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:41.017203093 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:41.017219067 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:41.017227888 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:41.017394066 CEST	49746	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:41.017496109 CEST	49746	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:41.022242069 CEST	2003	49746	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:45.505904913 CEST	49747	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:45.511054039 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:45.516330957 CEST	49747	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:45.516556978 CEST	49747	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:45.521364927 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:46.453315973 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:46.453380108 CEST	49747	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:46.726427078 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:46.726499081 CEST	49747	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:46.726794004 CEST	49747	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:46.728053093 CEST	49747	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:46.731662989 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:46.732808113 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:47.303457975 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:47.303486109 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:47.303491116 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:47.303769112 CEST	49747	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:47.303880930 CEST	49747	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:47.308656931 CEST	2003	49747	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:51.412240982 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:51.879065037 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:51.879163027 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:51.879477978 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:51.884300947 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:52.741529942 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:52.741600037 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:52.991293907 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:52.991384983 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:52.991753101 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:52.993002892 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:52.996463060 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:52.997752905 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:53.783526897 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:53.783550978 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:53.783597946 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:53.783623934 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:53.783639908 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:53.783680916 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:53.783771992 CEST	49748	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:53.788522005 CEST	2003	49748	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:57.287189007 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:57.292135954 CEST	2003	49749	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:57.292207003 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:57.292623997 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:57.297693014 CEST	2003	49749	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:58.177057028 CEST	2003	49749	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:58.177119017 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:58.434926033 CEST	2003	49749	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:58.434993029 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:58.435336113 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:58.436542034 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:58.440099001 CEST	2003	49749	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:58.441312075 CEST	2003	49749	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:58.997040987 CEST	2003	49749	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:58.997104883 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:58.997195959 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:58.997257948 CEST	2003	49749	154.82.113.115	192.168.2.4
Aug 28, 2024 07:10:58.997298956 CEST	49749	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:10:59.008179903 CEST	2003	49749	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:03.396634102 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:03.401597023 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:03.401683092 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:03.402002096 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:03.406740904 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:04.280163050 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:04.280236959 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:04.547662020 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:04.547730923 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:04.548013926 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:04.549177885 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:04.552782059 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:04.553971052 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:05.116439104 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:05.116518021 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:05.116820097 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:05.116837025 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:05.116871119 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:05.116899014 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:05.116966009 CEST	49750	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:05.121700048 CEST	2003	49750	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:09.912731886 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:09.919423103 CEST	2003	49751	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:09.919559956 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:09.920243025 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:09.925558090 CEST	2003	49751	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:10.815268040 CEST	2003	49751	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:10.815329075 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:11.087714911 CEST	2003	49751	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:11.087846994 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:11.090090990 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:11.094959021 CEST	2003	49751	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:11.100217104 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:11.105067968 CEST	2003	49751	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:11.672967911 CEST	2003	49751	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:11.673068047 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:11.673161030 CEST	2003	49751	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:11.673229933 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:11.673348904 CEST	49751	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:11.678124905 CEST	2003	49751	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:15.334232092 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:15.339215994 CEST	2003	49752	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:15.339303970 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:15.339905024 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:15.344686031 CEST	2003	49752	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:16.231000900 CEST	2003	49752	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:16.231106043 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:16.484085083 CEST	2003	49752	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:16.484177113 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:16.484497070 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:16.485647917 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:16.489237070 CEST	2003	49752	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:16.490474939 CEST	2003	49752	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:17.045351982 CEST	2003	49752	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:17.045450926 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:17.045463085 CEST	2003	49752	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:17.045500994 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:17.045542002 CEST	49752	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:17.050589085 CEST	2003	49752	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:21.068504095 CEST	49753	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:21.074434042 CEST	2003	49753	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:21.074517012 CEST	49753	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:21.074817896 CEST	49753	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:21.079579115 CEST	2003	49753	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:21.946587086 CEST	2003	49753	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:21.946675062 CEST	49753	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:22.200846910 CEST	2003	49753	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:22.200921059 CEST	49753	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:22.201266050 CEST	49753	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:22.202500105 CEST	49753	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:22.205995083 CEST	2003	49753	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:22.207256079 CEST	2003	49753	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:22.775135040 CEST	2003	49753	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:22.775154114 CEST	2003	49753	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:22.775218964 CEST	49753	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:22.811084986 CEST	49753	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:22.815872908 CEST	2003	49753	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:26.665013075 CEST	49754	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:26.670118093 CEST	2003	49754	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:26.670208931 CEST	49754	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:26.670849085 CEST	49754	2003	192.168.2.4	154.82.113.115
Aug 28, 2024 07:11:26.675625086 CEST	2003	49754	154.82.113.115	192.168.2.4
Aug 28, 2024 07:11:27.521167994 CEST	49754	2003	192.168.2.4	154.82.113.115

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Aug 28, 2024 07:09:30.767981052 CEST	1.1.1.1	192.168.2.4	0xf24	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Aug 28, 2024 07:09:30.767981052 CEST	1.1.1.1	192.168.2.4	0xf24	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Aug 28, 2024 07:10:36.942295074 CEST	1.1.1.1	192.168.2.4	0x4cba	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.21	A (IP address)	IN (0x0001)	false
Aug 28, 2024 07:10:36.942295074 CEST	1.1.1.1	192.168.2.4	0x4cba	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.37	A (IP address)	IN (0x0001)	false
Aug 28, 2024 07:10:36.942295074 CEST	1.1.1.1	192.168.2.4	0x4cba	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.24	A (IP address)	IN (0x0001)	false
Aug 28, 2024 07:10:36.942295074 CEST	1.1.1.1	192.168.2.4	0x4cba	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.19	A (IP address)	IN (0x0001)	false
Aug 28, 2024 07:10:36.942295074 CEST	1.1.1.1	192.168.2.4	0x4cba	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.22	A (IP address)	IN (0x0001)	false
Aug 28, 2024 07:10:36.942295074 CEST	1.1.1.1	192.168.2.4	0x4cba	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.210.35	A (IP address)	IN (0x0001)	false
Aug 28, 2024 07:10:36.942295074 CEST	1.1.1.1	192.168.2.4	0x4cba	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.25	A (IP address)	IN (0x0001)	false
Aug 28, 2024 07:10:36.942295074 CEST	1.1.1.1	192.168.2.4	0x4cba	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.41	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	01:09:17
Start date:	28/08/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll"
Imagebase:	0x5b0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Metasploit_7bc0f998, Description: Identifies the API address lookup function leverage by metasploit shellcode, Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Metasploit_c9773203, Description: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:09:17
Start date:	28/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:09:17
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:09:17
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\LX4CUQO8qI.dll
Imagebase:	0xe00000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:09:17
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1
Imagebase:	0x3b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:09:17
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllGetClassObject
Imagebase:	0x3b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:09:20
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllMain
Imagebase:	0x3b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:09:23
Start date:	28/08/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllRegisterServer
Imagebase:	0x3b0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	5.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	18

Executed Functions

Function 0096296B Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 169
networkfileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 009629AC
__snprintf.LIBCMT ref: 009629D3

Part of subcall function 009682E1: _memset.LIBCMT ref: 00968302

__snprintf.LIBCMT ref: 00962A1A
__snprintf.LIBCMT ref: 00962A31
HttpOpenRequestA.WININET(00000000,?,00000000,00000000,0098F540), ref: 00962A61
HttpSendRequestA.WININET(00000000,?,?,00962B4C,?), ref: 00962A8A
InternetCloseHandle.WININET(00000000), ref: 00962AA7
InternetQueryDataAvailable.WININET(00000000,00961544,00000000,00000000), ref: 00962AB8
InternetReadFile.WININET(00000000,?,00001000,?), ref: 00962AE6
InternetCloseHandle.WININET(00000000), ref: 00962B06
InternetCloseHandle.WININET(00000000), ref: 00962B27

Strings

*/*, xrefs: 00962993
%s%s, xrefs: 00962A2A

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle__snprintf$HttpRequest_memset$AvailableDataFileOpenQueryReadSend
String ID: %s%s$*/*
API String ID: 2581463937-856325523
Opcode ID: 694fcbf1ca210630e6582c6d824939f76d1f442d900c5206ededbc3c4b34a4b2
Instruction ID: f68a13d289ff4bd6fb4d58e8d677d3df42af7704e28a6de3eb7dafa22e1f14a4
Opcode Fuzzy Hash: 694fcbf1ca210630e6582c6d824939f76d1f442d900c5206ededbc3c4b34a4b2
Instruction Fuzzy Hash: CE51BC72904109BFCF12AFA8EC85EFEBBBDEF45714F14446AF524A2290DA3199049B61

Function 00966CD1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F8A
Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F9A

GetUserNameA.ADVAPI32(?,?), ref: 00966D36
GetComputerNameA.KERNEL32(?,?), ref: 00966D46
GetModuleFileNameA.KERNEL32(00000000,?,00000100,?,?,?,?,?,?,?,?,?,00000000), ref: 00966D5A
_strrchr.LIBCMT ref: 00966D69
GetVersionExA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00966D84
__snprintf.LIBCMT ref: 00966DF0

Strings

%s%s%s, xrefs: 00966DE7

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Name$_malloc$ComputerFileModuleUserVersion__snprintf_strrchr
String ID: %s%s%s
API String ID: 1877169212-1891519693
Opcode ID: 5c738f342313c031734f86322efffb8ec162db67875274b397a26dccdac3a0f7
Instruction ID: 8ceb4388a18d3d090fbdd48f769a2d57e30d6e3c7e9fc8f1187e6d8ddfbddae4
Opcode Fuzzy Hash: 5c738f342313c031734f86322efffb8ec162db67875274b397a26dccdac3a0f7
Instruction Fuzzy Hash: 3D418475D08209BFDF116FA0DC4AEBEBFB9EF85350F104056F504A6292EB359A50EB60

Function 0096D7AA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
encryptionCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000020,00000000,00000000,?,?,0096D820,?,00966E58,?,00966E58,?), ref: 0096D7CD
CryptAcquireContextA.ADVAPI32(00000000,00000000,Microsoft Base Cryptographic Provider v1.0,00000001,F0000028,?,?,0096D820,?,00966E58,?,00966E58,?), ref: 0096D7E0
CryptGenRandom.ADVAPI32(00000000,00966E58,?,?,?,0096D820,?,00966E58,?,00966E58,?), ref: 0096D7F4
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,0096D820,?,00966E58,?,00966E58,?), ref: 0096D804

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 0096D7C1, 0096D7C6, 0096D7DA

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$RandomRelease
String ID: Microsoft Base Cryptographic Provider v1.0
API String ID: 685801729-291530887
Opcode ID: 4554082547c7ff1043a8122728ce60a4b39f1db58be8dcdb7f876cd2a4b5d15e
Instruction ID: f53a5f8145536727e887e6ed68b4c220273c4beaed93fbd1064c8829d3079863
Opcode Fuzzy Hash: 4554082547c7ff1043a8122728ce60a4b39f1db58be8dcdb7f876cd2a4b5d15e
Instruction Fuzzy Hash: 0EF0AF76A45218F7DF208B91CD09FDF7B7DEB45751F200020FA01E2190C6719A00A7A0

Function 0391047E Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2937237770.0000000003910000.00000020.00001000.00020000.00000000.sdmp, Offset: 03910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3910000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76238dbd0442da84bde43e65ac94f93f3842ea98458fa3857e84c3016f132bc2
Instruction ID: 922ce7de32c54f9caacf08a3d62bfd2dba0eff49d37f2d81070e39fef133f8a7
Opcode Fuzzy Hash: 76238dbd0442da84bde43e65ac94f93f3842ea98458fa3857e84c3016f132bc2
Instruction Fuzzy Hash: 87E026313043085BDB45E624AC814B97389E7C0210F900068EA1557384F9735CB4F2A2

Function 00961B63 Relevance: 15.4, APIs: 10, Instructions: 417
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00967018: htonl.WS2_32(89009A17), ref: 0096702E

GetLastError.KERNEL32(?,00000000,00000080,00964B37,009959A8,00000000), ref: 00961DA5

Part of subcall function 0096C3C5: GetCurrentProcess.KERNEL32(000F003F,00000000,00000000,?,00000000,00000001,00000000,DDF4A353,00000000,?,?,00961D3F,00000000,000F003F,?,00000000), ref: 0096C434

_memset.LIBCMT ref: 00961DF3
_memset.LIBCMT ref: 00961E35
_memset.LIBCMT ref: 00961E7F
_memset.LIBCMT ref: 00961EC9
_memset.LIBCMT ref: 00961F13
_memset.LIBCMT ref: 00961F63
_memset.LIBCMT ref: 00961F8B

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$CurrentErrorLastProcesshtonl
String ID:
API String ID: 4245727424-0
Opcode ID: 68c9849b0438a6520a86867794098ac258168e68de574e46daa678439c0b74aa
Instruction ID: c949db661059b73e5254c6fabb508e9b61a1e89a253b3e02f2f986240a9224e5
Opcode Fuzzy Hash: 68c9849b0438a6520a86867794098ac258168e68de574e46daa678439c0b74aa
Instruction Fuzzy Hash: 6BD1BFB2A107019FD7209F69DC81A2BB7F9FF883047188C3EF196C6A52E235F9559B10

Function 00966E28 Relevance: 12.1, APIs: 8, Instructions: 124
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetACP.KERNEL32(00000000,00000000,00000080,?,?,?,?,?,?,?,?,009614A7,00000000,00000000), ref: 00966E31
GetOEMCP.KERNEL32(?,?,?,?,?,?,?,?,009614A7,00000000,00000000), ref: 00966E3D
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,009614A7,00000000), ref: 00966E6A
GetTickCount.KERNEL32 ref: 00966E6E

Part of subcall function 0097740A: __getptd.LIBCMT ref: 0097740F

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,009614A7,00000000), ref: 00966E9B
GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,009614A7,00000000), ref: 00966F01
_memset.LIBCMT ref: 00966F38
_memset.LIBCMT ref: 00966F77

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CurrentProcess$_memset$CountTick__getptd
String ID:
API String ID: 3908538216-0
Opcode ID: 4c64baf91e8cc2af5f4a506b5d7e77bb374641a713544ff93857d765d1c18454
Instruction ID: eb8bcacd473a48372a22ab798e5bcd9332923fd371b4657e60aaf138e5d4928e
Opcode Fuzzy Hash: 4c64baf91e8cc2af5f4a506b5d7e77bb374641a713544ff93857d765d1c18454
Instruction Fuzzy Hash: DE313B76C08208BADB117BB4EC4AFEE3FACDF85320F144416F504AB192DE38D944A761

Function 0096131C Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 280
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F8A
Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F9A

_malloc.LIBCMT ref: 009613A4

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

Part of subcall function 0096D265: _malloc.LIBCMT ref: 0096D28C
Part of subcall function 0096D265: _memset.LIBCMT ref: 0096D2BA

Part of subcall function 0096D265: _realloc.LIBCMT ref: 0096D29B

_malloc.LIBCMT ref: 0096146D
__snprintf.LIBCMT ref: 009614D6
__snprintf.LIBCMT ref: 009614F4
__snprintf.LIBCMT ref: 00961512

Part of subcall function 0096C690: Sleep.KERNEL32(000003E8,00000000,00000000,00000080,0096167C), ref: 0096C6C8
Part of subcall function 0096C690: ExitThread.KERNEL32 ref: 0096C6D2

Part of subcall function 00968F03: htonl.WS2_32(00000000), ref: 00968F1A
Part of subcall function 00968F03: htonl.WS2_32(?), ref: 00968F23
Part of subcall function 00968F03: _memset.LIBCMT ref: 00968F4C

Strings

/OWA/, xrefs: 0096150D

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$__snprintf$_memsethtonl$AllocateExitHeapSleepThread_realloc
String ID: /OWA/
API String ID: 281750196-1837399179
Opcode ID: 6014d88288996bb3096a70ae9efa88dbb896f32edda35917a2ca304518c8309d
Instruction ID: 01a35ff62a86c66fea0348c883ce804297af46a4897b37331ceebfc6165ea369
Opcode Fuzzy Hash: 6014d88288996bb3096a70ae9efa88dbb896f32edda35917a2ca304518c8309d
Instruction Fuzzy Hash: F581E1B19083016AD7217BB5DC03B2FBAE8AFC4350F14482EF5959A1D2EE76C9409B67

Function 00962506 Relevance: 9.1, APIs: 6, Instructions: 114
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET(0096152B,00000003,00000000,00000000,00000000), ref: 00962587
InternetSetOptionA.WININET(00000005,0003A980,00000004), ref: 009625A6
InternetSetOptionA.WININET(00000006,0003A980,00000004), ref: 009625B6
InternetConnectA.WININET(?,?,00000000,00000000,00000003,00000000), ref: 009625CF
InternetSetOptionA.WININET(00000000,0000002B,00000000,00000000), ref: 00962600
InternetSetOptionA.WININET(0000002C,00000000,00000000), ref: 0096261C

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Internet$Option$ConnectOpen
String ID:
API String ID: 230958251-0
Opcode ID: f5ba2432ee57ae3e69dec9323644031418555aa9c7872f314f8d584b9f9ef63f
Instruction ID: 72b622f5b591654219b7bb3153240d2f66d6aad94c09eff00616bb3578dce029
Opcode Fuzzy Hash: f5ba2432ee57ae3e69dec9323644031418555aa9c7872f314f8d584b9f9ef63f
Instruction Fuzzy Hash: FA31B671258644B6EB357B65EC0EF7B3F2DE7D1B10F10401AF601AD0E1DAB68D40EAA5

Function 00967B2D Relevance: 9.1, APIs: 6, Instructions: 113
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 00967B51

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

htonl.WS2_32(?), ref: 00967B7D
recvfrom.WS2_32(00000000,?,000FFFFC,00000000,000000FF,?), ref: 00967BAC
WSAGetLastError.WS2_32 ref: 00967BB7

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateErrorHeapLast_mallochtonlrecvfrom
String ID:
API String ID: 987280018-0
Opcode ID: 35c78945855f4a7d04d2b665ab01487bbcca7cb78ae6d6bfa35b8122b92aa427
Instruction ID: a93b60817bda6f6de29bfd5784fa2cda71b4228eeec4bcf809035cb5c3c1a98a
Opcode Fuzzy Hash: 35c78945855f4a7d04d2b665ab01487bbcca7cb78ae6d6bfa35b8122b92aa427
Instruction Fuzzy Hash: 3441E471818204EFDB21DFB4DD81B6EB7B8FBA4329F20462AE551A23A0E3355905AB14

Function 00962C13 Relevance: 4.6, APIs: 3, Instructions: 68
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00962B66: WSAStartup.WS2_32(00000202,?), ref: 00962B87
Part of subcall function 00962B66: WSACleanup.WS2_32 ref: 00962B91

WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000), ref: 00962C37
WSAIoctl.WS2_32(00000000,4004747F,00000000,00000000,?,000005F0,?,00000000,00000000), ref: 00962C62
closesocket.WS2_32(00000000), ref: 00962CA1

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CleanupIoctlSocketStartupclosesocket
String ID:
API String ID: 1100289767-0
Opcode ID: 5eb2382e751910c73f80fbc38864250f328728d4d320ef493893dc129938c450
Instruction ID: cbb5e0e054a39ec25b3129212112d39ed6a33fb726d6b9e000a142bd0dc78ceb
Opcode Fuzzy Hash: 5eb2382e751910c73f80fbc38864250f328728d4d320ef493893dc129938c450
Instruction Fuzzy Hash: 7E11C671A045287FE7208B65DC89FFF7FADEFC57B1F1080A2FA45D6181D63889418AA0

Function 0096BD3C Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000180,?,?,?,?,00961D93,00000000,00000180,?,00000000,00000080,00964B37,009959A8,00000000), ref: 0096BD85
VirtualAlloc.KERNELBASE(00000000,00961D93,00003000,00000000,00000180,?,?,?,?,00961D93,00000000,00000180,?,00000000,00000080,00964B37), ref: 0096BDE6
VirtualAllocEx.KERNEL32(00000000,00000000,00961D93,00003000,00000000,00000180,?,?,?,?,00961D93,00000000,00000180,?,00000000,00000080), ref: 0096BDF1

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocVirtual$CurrentProcess
String ID:
API String ID: 3337257186-0
Opcode ID: c7326c892a7c6426fb01ce7bc64155e14cb71e313dd97f75b7d57ad7ef539839
Instruction ID: f765f78a07db0e9b77e1932f15236088c1160da01ec792b5ada87cec94291116
Opcode Fuzzy Hash: c7326c892a7c6426fb01ce7bc64155e14cb71e313dd97f75b7d57ad7ef539839
Instruction Fuzzy Hash: FD2129B5828108FFCB25CF95DC988EA7B7CEB55350B20411AF446CA290E7309E80EB60

Function 0096BDFB Relevance: 4.6, APIs: 3, Instructions: 63
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,?,00961ADD,00000000,?,00000000,00000000,00000001,?,?,0096C6B4,00000000,00000001,00000000,00000000), ref: 0096BE3D
VirtualProtect.KERNELBASE(00000000,?,00000000,0096167C,?,?,?,00961ADD,00000000,?,00000000,00000000,00000001,?,?,0096C6B4), ref: 0096BE9B
VirtualProtectEx.KERNEL32(00000000,00000000,?,00000000,0096167C,?,?,?,00961ADD,00000000,?,00000000,00000000,00000001), ref: 0096BEA6

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$CurrentProcess
String ID:
API String ID: 473988918-0
Opcode ID: d3b7863ca9a4881ad9bfdca45209ff1feafbfb6febd81362e772e76d19e4f0b7
Instruction ID: 6e6388174d7ba71642bb195528f854be6d51a419c55c04389710c1acad5cfa51
Opcode Fuzzy Hash: d3b7863ca9a4881ad9bfdca45209ff1feafbfb6febd81362e772e76d19e4f0b7
Instruction Fuzzy Hash: 59116D75828105EFCF2ACF54EC589FA3B7DEB25355B10441EF506C2250E7319A84EBE0

Function 00966F84 Relevance: 4.5, APIs: 3, Instructions: 35
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_malloc.LIBCMT ref: 00966F8A

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

_malloc.LIBCMT ref: 00966F9A
_memset.LIBCMT ref: 00966FB7

Part of subcall function 00976F24: __lock.LIBCMT ref: 00976F42
Part of subcall function 00976F24: ___sbh_find_block.LIBCMT ref: 00976F4D
Part of subcall function 00976F24: ___sbh_free_block.LIBCMT ref: 00976F5C
Part of subcall function 00976F24: HeapFree.KERNEL32(00000000,00000000,00991598,0000000C,0097BF8F,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C), ref: 00976F8C
Part of subcall function 00976F24: GetLastError.KERNEL32(?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6,00000000,00000000,?,0097C049,0000000D), ref: 00976F9D

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap_malloc$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock_memset
String ID:
API String ID: 1561657895-0
Opcode ID: 61534aa85420bc20a0a0e46b7215270e67d30e662735e5fb66d2e16309e5309f
Instruction ID: f88b78b05c6c432d7413bbc2f46c0271f6b1fcd0dccc1f0dbf77e0a54fdfd8f3
Opcode Fuzzy Hash: 61534aa85420bc20a0a0e46b7215270e67d30e662735e5fb66d2e16309e5309f
Instruction Fuzzy Hash: 28E0923720851936CA2236A9EC02FAF7E2DCFC2BB0F154825F90C5A142EA23985192E1

Function 00964AFA Relevance: 3.1, APIs: 2, Instructions: 66
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

htonl.WS2_32(?), ref: 00964B23
_memset.LIBCMT ref: 00964B63

Part of subcall function 0096D265: _malloc.LIBCMT ref: 0096D28C
Part of subcall function 0096D265: _memset.LIBCMT ref: 0096D2BA

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$_mallochtonl
String ID:
API String ID: 188960057-0
Opcode ID: c2354fe097054f125e1be6cd521020a0c67145ecc547877d88b4f201ea79028f
Instruction ID: a0bedc1bf37d5d8cb5dfd44c202804f7b3900d0daff0412c4c8edb410c70077a
Opcode Fuzzy Hash: c2354fe097054f125e1be6cd521020a0c67145ecc547877d88b4f201ea79028f
Instruction Fuzzy Hash: 7F115E71D05218EBCF11EBE9DD42BAEBB79EF94760F100026E904B7151E7709E11ABA0

Function 00962B66 Relevance: 3.0, APIs: 2, Instructions: 50
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00962B87
WSACleanup.WS2_32 ref: 00962B91

Part of subcall function 009776DE: _doexit.LIBCMT ref: 009776EA

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CleanupStartup_doexit
String ID:
API String ID: 3413891862-0
Opcode ID: b67c7b878644146c738f5580bd5c17377736e00978854ee32328682bda2a0812
Instruction ID: c58307a05f07932ccd96b46ba00bec7485a02031b91562a1329b55ef8b76a729
Opcode Fuzzy Hash: b67c7b878644146c738f5580bd5c17377736e00978854ee32328682bda2a0812
Instruction Fuzzy Hash: D6012231A993149BC725BFB8FC4674A77A8EB49740F00002BF1049E1E1DAB482C0EFC1

Function 0391061C Relevance: 3.0, APIs: 2, Instructions: 31
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 03910525: GetCurrentProcess.KERNEL32 ref: 0391054D

GetCurrentProcess.KERNEL32 ref: 0391064A
WaitForSingleObject.KERNEL32 ref: 03910657

Part of subcall function 039105A6: GetCurrentProcess.KERNEL32 ref: 039105EE

Memory Dump Source

Source File: 00000000.00000002.2937237770.0000000003910000.00000020.00001000.00020000.00000000.sdmp, Offset: 03910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3910000_loaddll32.jbxd

Similarity

API ID: CurrentProcess$ObjectSingleWait
String ID:
API String ID: 1913300457-0
Opcode ID: 0080f5eacbb6bedecf27aa11ed33267a077c67b7822abf9fe32e21e1ad6cf542
Instruction ID: 0934fb41d21e9de70d083830615d8620ed3fbf4f26711f760ea681fe37637012
Opcode Fuzzy Hash: 0080f5eacbb6bedecf27aa11ed33267a077c67b7822abf9fe32e21e1ad6cf542
Instruction Fuzzy Hash: 20F0B7B9808748ABC700BF6598C45ADBBA8EE44250F015C1DE9C6AB305D67694E0CBA2

Function 00967C7D Relevance: 3.0, APIs: 2, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 009677F6: htonl.WS2_32(?), ref: 00967830
Part of subcall function 009677F6: select.WS2_32(00000000,?,?,?,?), ref: 00967894
Part of subcall function 009677F6: __WSAFDIsSet.WS2_32(00000000,?), ref: 009678B0
Part of subcall function 009677F6: accept.WS2_32(00000000,00000000,00000000), ref: 009678C5
Part of subcall function 009677F6: ioctlsocket.WS2_32(00000000,8004667E,?), ref: 009678D8

GetTickCount.KERNEL32 ref: 00967C8B

Part of subcall function 00967B2D: _malloc.LIBCMT ref: 00967B51
Part of subcall function 00967B2D: htonl.WS2_32(?), ref: 00967B7D
Part of subcall function 00967B2D: recvfrom.WS2_32(00000000,?,000FFFFC,00000000,000000FF,?), ref: 00967BAC
Part of subcall function 00967B2D: WSAGetLastError.WS2_32 ref: 00967BB7

GetTickCount.KERNEL32 ref: 00967C9E

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountTickhtonl$ErrorLast_mallocacceptioctlsocketrecvfromselect
String ID:
API String ID: 597769433-0
Opcode ID: a6269a5a6e385f80d766dcd26c3d8eddb0ccb595484ec0589c3b02d63331af12
Instruction ID: 8d8d4b0ca532a5cbf125dfd3756b9cd3f145af83aeea9c3dbfc1e2ca5c7d55f8
Opcode Fuzzy Hash: a6269a5a6e385f80d766dcd26c3d8eddb0ccb595484ec0589c3b02d63331af12
Instruction Fuzzy Hash: C7D0A91261D02B02950033F8AD066BEC6898EC137A738007BE402C2212ED0898831BB2

Function 0096F501 Relevance: 1.8, APIs: 1, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

_calloc.LIBCMT ref: 0096F563

Part of subcall function 00985190: __calloc_impl.LIBCMT ref: 009851A5

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __calloc_impl_calloc
String ID:
API String ID: 2108883976-0
Opcode ID: 9c1c7ea8d892aab153fc98ac2dbcdf52535bffec6922c39ba6fd71e86401bd6c
Instruction ID: b952fc25c9d9b21d60367d139f77f8b34a35ed8887e7d8dc969329b22688ae62
Opcode Fuzzy Hash: 9c1c7ea8d892aab153fc98ac2dbcdf52535bffec6922c39ba6fd71e86401bd6c
Instruction Fuzzy Hash: CFA107B5900208EFDF219F94DC45FAEBBB9FF89300F20856AF505AA260D7715951DF60

Function 0096934F Relevance: 1.6, APIs: 1, Instructions: 63memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0096C4F4: GetCurrentProcess.KERNEL32(?,00000000,00000000,0000001C,00000000,?,?,?,00969389,?,00000000), ref: 0096C53E

HeapDestroy.KERNELBASE(?), ref: 009693AD

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CurrentDestroyHeapProcess
String ID:
API String ID: 4041245566-0
Opcode ID: 29bf5fc2720762008ddad70de72b1dec7b5c0ca8d194195509cdd5f9dabbe9dc
Instruction ID: 7348fe1a8c9aff8de0c582a02d4e79584446c2fe2ea9ecfefdcb51f685f06823
Opcode Fuzzy Hash: 29bf5fc2720762008ddad70de72b1dec7b5c0ca8d194195509cdd5f9dabbe9dc
Instruction Fuzzy Hash: 3611A532408206DBCB25AB64D886FBE736C9F91361F948027F401A63D1DF35DD81DB95

Function 00964BAB Relevance: 1.5, APIs: 1, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00964BB8

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

Part of subcall function 0096D265: _malloc.LIBCMT ref: 0096D28C
Part of subcall function 0096D265: _memset.LIBCMT ref: 0096D2BA

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap_memset
String ID:
API String ID: 3655941445-0
Opcode ID: 4424f32425ce63ec2858080b839c7aed4e4b483ad54078d2ab8cfe52b776740e
Instruction ID: be337bcc6a9b79346b65927df6022138b23f7672aa8bc4945194063560f443c9
Opcode Fuzzy Hash: 4424f32425ce63ec2858080b839c7aed4e4b483ad54078d2ab8cfe52b776740e
Instruction Fuzzy Hash: 13F0EC72E4631497D7217FF4ACC2FA67A549F66710F04001AF5186F1C2DA718C80D7A1

Function 00972722 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00972729

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: a4544c196cefc97ca9c1b093490c7b9f1f35aa0b32403612e36adf648e5b5200
Instruction ID: 3581dcfdb919b3cd34c1ff906b4bd4360db44f00ab60eceb243f5e20eb47593d
Opcode Fuzzy Hash: a4544c196cefc97ca9c1b093490c7b9f1f35aa0b32403612e36adf648e5b5200
Instruction Fuzzy Hash: F9E01A722186014FDB288F28F880A0AA7E19B84320B30CE3EE09AC7285D634A4828A04

Function 00978DBB Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,?,00978AF7,00000001,?,?,?,00978C70,?,?,?,009916D8,0000000C,00978D2B), ref: 00978DD0

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: e1294d95deca586fbf3cb9ed0f571734036946f82af2819b835b35ebb5c43b42
Instruction ID: 1198cf7968fed5c95f82d70e3af6b4260e2e206b49ab3bd0793642f3058e5376
Opcode Fuzzy Hash: e1294d95deca586fbf3cb9ed0f571734036946f82af2819b835b35ebb5c43b42
Instruction Fuzzy Hash: B6D05E366A83455FEB105FB86C4CB623BDCDB84795F148436B80CC6590E671C940A644

Function 00964A81 Relevance: 1.3, APIs: 1, Instructions: 31sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

Sleep.KERNEL32(?,00001388,?,0096165F,00001388), ref: 00964ADC

Part of subcall function 00964AFA: htonl.WS2_32(?), ref: 00964B23

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Sleephtonl
String ID:
API String ID: 4038527953-0
Opcode ID: 46caafdc3a7df966654cd8bbe994ff79715ce6e792e92079249a22671e1c4ab4
Instruction ID: 80c1511c6c38903b3af6b54a464d9e0c11f2daa7a3ade285b98e191ad249d4ce
Opcode Fuzzy Hash: 46caafdc3a7df966654cd8bbe994ff79715ce6e792e92079249a22671e1c4ab4
Instruction Fuzzy Hash: EBF0823106D205FFDF146FE8EDA97783769FB51310F08041AE90256261EBB6C850FB25

Non-executed Functions

Function 0096480C Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 172filetimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0096481E

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

_memset.LIBCMT ref: 0096482A

Part of subcall function 00961683: _malloc.LIBCMT ref: 00961689

Part of subcall function 009616D3: htonl.WS2_32(0000001F), ref: 009616D9

_strncmp.LIBCMT ref: 00964879
GetCurrentDirectoryA.KERNEL32(00004000,00000000), ref: 00964887

Part of subcall function 00976F24: __lock.LIBCMT ref: 00976F42
Part of subcall function 00976F24: ___sbh_find_block.LIBCMT ref: 00976F4D
Part of subcall function 00976F24: ___sbh_free_block.LIBCMT ref: 00976F5C
Part of subcall function 00976F24: HeapFree.KERNEL32(00000000,00000000,00991598,0000000C,0097BF8F,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C), ref: 00976F8C
Part of subcall function 00976F24: GetLastError.KERNEL32(?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6,00000000,00000000,?,0097C049,0000000D), ref: 00976F9D

FindFirstFileA.KERNEL32(00000000,?), ref: 009648B8
GetLastError.KERNEL32 ref: 009648C5
FileTimeToSystemTime.KERNEL32(?,?), ref: 00964911
SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,00000000), ref: 00964921
FindNextFileA.KERNEL32(00000000,00000010), ref: 009649B4
FindClose.KERNEL32(00000000), ref: 009649C3

Part of subcall function 00961726: _vwprintf.LIBCMT ref: 00961730
Part of subcall function 00961726: _vswprintf_s.LIBCMT ref: 00961754

Strings

%s, xrefs: 009648A2
.\*, xrefs: 00964873
F%I64d%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 0096499E
D0%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 00964958

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Time$FileFind$ErrorHeapLastSystem_malloc$AllocateCloseCurrentDirectoryFirstFreeLocalNextSpecific___sbh_find_block___sbh_free_block__lock_memset_strncmp_vswprintf_s_vwprintfhtonl
String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
API String ID: 2804257087-1754256099
Opcode ID: 39033aa710bc213908743776c7858c64b0bf2e47592ee96bdcbca99273865b0b
Instruction ID: 2a44dc2e27599bf82541dc9bcf0530bd393cf73714345dee46a892c8370a76a6
Opcode Fuzzy Hash: 39033aa710bc213908743776c7858c64b0bf2e47592ee96bdcbca99273865b0b
Instruction Fuzzy Hash: D85120B2904129AACB10EBE5DC46FFF77BCAF88754F080426F615E1181F6789A44D771

Function 00969031 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 159processCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00969052

Part of subcall function 00961683: _malloc.LIBCMT ref: 00961689

GetCurrentProcess.KERNEL32(?,?,?,0099E6C0), ref: 0096909D
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 009690D1
Process32First.KERNEL32(00000000,?), ref: 009690F3

Part of subcall function 009616D3: htonl.WS2_32(0000001F), ref: 009616D9

Process32Next.KERNEL32(00000000,00000128), ref: 009691D5

Part of subcall function 00968FC4: OpenProcessToken.ADVAPI32(00000002,00000008,00000000,-00000400,?,00969161,00000000,?,00000002,00000000,?,?,?,0099E6C0), ref: 00968FD1

ProcessIdToSessionId.KERNEL32(?,?,00000002,00000000,?,?,?,0099E6C0), ref: 00969177

Strings

x64, xrefs: 009690AE, 009690BC
x86, xrefs: 0096918E, 009691A2
%s%d%d%s%s%d, xrefs: 009691B9
%s%d%d, xrefs: 00969144

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Process$Process32$CreateCurrentFirstNextOpenSessionSnapshotTokenToolhelp32_malloc_memsethtonl
String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
API String ID: 3674674043-1833344708
Opcode ID: a3a890fbdff9a5b4308eb7590313322a001aa9bc0d6a063bc21024ec74933377
Instruction ID: e471fbaf340b937e611db96179462f6f07f59a1a9105e6dba270fd6a97168ef6
Opcode Fuzzy Hash: a3a890fbdff9a5b4308eb7590313322a001aa9bc0d6a063bc21024ec74933377
Instruction Fuzzy Hash: 47518972C0420EBAEF21BBE0DC46FEF77BC9F55354F100066F518E2182EA359A959B61

Function 0096925B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 84fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00969268

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

__snprintf.LIBCMT ref: 00969279
FindFirstFileA.KERNEL32(00000000,009646B0,?,0096934A,009646B0,?,00964634), ref: 00969286

Part of subcall function 00976F24: __lock.LIBCMT ref: 00976F42
Part of subcall function 00976F24: ___sbh_find_block.LIBCMT ref: 00976F4D
Part of subcall function 00976F24: ___sbh_free_block.LIBCMT ref: 00976F5C
Part of subcall function 00976F24: HeapFree.KERNEL32(00000000,00000000,00991598,0000000C,0097BF8F,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C), ref: 00976F8C
Part of subcall function 00976F24: GetLastError.KERNEL32(?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6,00000000,00000000,?,0097C049,0000000D), ref: 00976F9D

_malloc.LIBCMT ref: 009692C5
__snprintf.LIBCMT ref: 009692DA

Part of subcall function 0096921E: _malloc.LIBCMT ref: 00969229
Part of subcall function 0096921E: __snprintf.LIBCMT ref: 0096923D

FindNextFileA.KERNEL32(000000FF,009646B0,?,?,?,?,?,?,?), ref: 00969307
FindClose.KERNEL32(000000FF,?,?,?,?,?,?,?), ref: 00969314

Strings

%s\*, xrefs: 00969272

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Find__snprintf_malloc$FileHeap$AllocateCloseErrorFirstFreeLastNext___sbh_find_block___sbh_free_block__lock
String ID: %s\*
API String ID: 1254174322-766152087
Opcode ID: 0ec75916b80122728e7fe6442cd790a8f0a0321da73acb0db257fe0e556abd7d
Instruction ID: 867c035da2aa00085073bbdf74130e2606582da53fb3eef8b532295287be25e8
Opcode Fuzzy Hash: 0ec75916b80122728e7fe6442cd790a8f0a0321da73acb0db257fe0e556abd7d
Instruction Fuzzy Hash: EC217C32504208BBDF216F65CC46FAF7F6DEF817A4F188024FD18A6292D6719D51EBA0

Function 0097EB2E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 009829AD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009829C2
UnhandledExceptionFilter.KERNEL32(00989C2C), ref: 009829CD
GetCurrentProcess.KERNEL32(C0000409), ref: 009829E9
TerminateProcess.KERNEL32(00000000), ref: 009829F0

Strings

Y4K, xrefs: 009829A2

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: Y4K
API String ID: 2579439406-3322456002
Opcode ID: 63dd2db33b6bd70835f0eb1675ddae4fae0a573b8c6bc3d1c1e08f8feca890e0
Instruction ID: 586214983849e0bdc179893fcb85a879165a354d949ef4ada8ff192fbb632d1a
Opcode Fuzzy Hash: 63dd2db33b6bd70835f0eb1675ddae4fae0a573b8c6bc3d1c1e08f8feca890e0
Instruction Fuzzy Hash: C821CBB482D200AFD720DF6DEC8A6643BA4FB49354F10501BE90987370E7B49985AF9A

Function 00963374 Relevance: 9.1, APIs: 6, Instructions: 68sleepnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00963386
Sleep.KERNEL32(000003E8,?,?,?,00000001,?,00000000,?,?,00000000), ref: 009633F6
GetTickCount.KERNEL32 ref: 009633FC
Sleep.KERNEL32(000003E8,00000000,?,?,00000000,?,?,?,00000001,?,00000000,?,?,00000000), ref: 0096340F
closesocket.WS2_32(00000000), ref: 00963416
send.WS2_32(00000000,?,?,00000000), ref: 00963429

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountSleepTick$closesocketsend
String ID:
API String ID: 1472970430-0
Opcode ID: fcc3903f5f2346ede7b8b587a20bd8f6a91a1ad4d0ef17a11ed4f0bec7669242
Instruction ID: 38f2580792eb3ee01462b131b13bef0760d95ad28c4a7f947efc8093eb1c0910
Opcode Fuzzy Hash: fcc3903f5f2346ede7b8b587a20bd8f6a91a1ad4d0ef17a11ed4f0bec7669242
Instruction Fuzzy Hash: 6F116372D08218BBDF01BBF4DC86DDEBB78EF88324F244526F111B6191EE3596449B61

Function 00967375 Relevance: 9.1, APIs: 6, Instructions: 68networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00967392
htons.WS2_32(?), ref: 009673A2
socket.WS2_32(00000002,00000002,00000000), ref: 009673B8
closesocket.WS2_32(00000000), ref: 009673C5
bind.WS2_32(00000000,?,00000010), ref: 009673F3
ioctlsocket.WS2_32(00000000,8004667E,00000001), ref: 0096740A

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonlhtonsioctlsocketsocket
String ID:
API String ID: 3910169428-0
Opcode ID: e757be7395f62eb8eedbb93d57406b54c6471048ec92d2d68b2ce7fbe5668c7d
Instruction ID: a6a466d13cdd1f7dc279a3bdc7c4ad844d38ec93b53a5ad082016faf64a1f0d7
Opcode Fuzzy Hash: e757be7395f62eb8eedbb93d57406b54c6471048ec92d2d68b2ce7fbe5668c7d
Instruction Fuzzy Hash: 58119172E042187BD710BBF89C86FAFB7ACDF44328F104626F620E72D2E67489459764

Function 00967293 Relevance: 9.1, APIs: 6, Instructions: 54networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 009672AB
htons.WS2_32(00000001), ref: 009672C7
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 009672E0
closesocket.WS2_32(00000000), ref: 009672EB
bind.WS2_32(00000000,00967345,00000010), ref: 009672F9
listen.WS2_32(00000000,?), ref: 00967307

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonsioctlsocketlistensocket
String ID:
API String ID: 1767165869-0
Opcode ID: f96b1fe05c2b50201352b379ee0803483e76abb543afcc676273a58f4042c7af
Instruction ID: 19e833e66d529322c63d9602ec5c6a52a666740fef3a4fbeca32069461c17cec
Opcode Fuzzy Hash: f96b1fe05c2b50201352b379ee0803483e76abb543afcc676273a58f4042c7af
Instruction Fuzzy Hash: 1D01B531604918BACB11BBE48C95EFEFB3DEF41714F640602F911E6291E7304A4183E5

Function 0096CAAA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0096C760: RevertToSelf.ADVAPI32(?), ref: 0096C778

LogonUserA.ADVAPI32(?,?,0096CC6B,00000009,00000003,0099E6BC), ref: 0096CACA
GetLastError.KERNEL32(?,?,0096CC6B,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0096CAD4

Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F8A
Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F9A

Part of subcall function 00962EC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,009640B2,00000400,?,00963ED7,009640B2,?,00000400), ref: 00962ED6
Part of subcall function 00962EC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,009640B2,00963ED7,?,00963ED7,009640B2,?,00000400,?,?,?,?,009640B2), ref: 00962EEF

Part of subcall function 00961683: _malloc.LIBCMT ref: 00961689

Part of subcall function 00961726: _vwprintf.LIBCMT ref: 00961730
Part of subcall function 00961726: _vswprintf_s.LIBCMT ref: 00961754

Part of subcall function 00961765: _memset.LIBCMT ref: 00961773

ImpersonateLoggedOnUser.ADVAPI32(?,?,0096CC6B,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0096CAEE
GetLastError.KERNEL32(?,?,0096CC6B,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0096CAF8

Strings

%s\%s, xrefs: 0096CBA3

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$ByteCharErrorLastMultiUserWide$ImpersonateLoggedLogonRevertSelf_memset_vswprintf_s_vwprintf
String ID: %s\%s
API String ID: 744593125-4073750446
Opcode ID: 7a62ef717c946ca0da932b4123f6be8a98647c1e2ec7617a17f8565401c0571f
Instruction ID: 4f6ccd9133049c0972d23880adc25b6b581fb40a0afe64f2b3800bf315cc635e
Opcode Fuzzy Hash: 7a62ef717c946ca0da932b4123f6be8a98647c1e2ec7617a17f8565401c0571f
Instruction Fuzzy Hash: 6A3195B5918104BBDB01FFA5EC06FAA3B7DEB54744F144026FA04A11B2E6334510EBA1

Function 00964065 Relevance: 7.6, APIs: 5, Instructions: 65processCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32(?,00000000,00968F3F,00000000,00000000,00000001,C4830001,00000000,00000000,006A0875,5DCFE857,?,00968F3F,00000011,0096415C,?), ref: 0096408B
GetLastError.KERNEL32(?,?,00967FFC,?), ref: 0096409B
GetLastError.KERNEL32(?,?,00967FFC,?), ref: 009640B5

Part of subcall function 00963E63: _memset.LIBCMT ref: 00963E91
Part of subcall function 00963E63: _memset.LIBCMT ref: 00963EAD

CreateProcessA.KERNEL32(00000000,00968F3F,00000000,00000000,00000001,C4830001,00000000,00000000,006A0875,5DCFE857,?,00968F3F,00000011,0096415C,?,006A0875), ref: 009640DA
GetLastError.KERNEL32(?,?,00967FFC,?), ref: 009640E4

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$CreateProcess_memset$User
String ID:
API String ID: 3779600536-0
Opcode ID: 7799cf4236ff585bc2206674822fe8d46557fdd8442c4dea98c556c7a414861a
Instruction ID: cd6d39f71c051c1f459e3b92deccc4edfb6dce04466460ac77a5905b4ab23827
Opcode Fuzzy Hash: 7799cf4236ff585bc2206674822fe8d46557fdd8442c4dea98c556c7a414861a
Instruction Fuzzy Hash: 78116131158651BEDB325FE1DC48E377ABDFFC5B05B24492DFB5280460D6228490EB21

Function 0096D5DB Relevance: 7.5, APIs: 5, Instructions: 45networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 0096D5ED
closesocket.WS2_32(00000000), ref: 0096D5FA
htons.WS2_32(?), ref: 0096D60B
bind.WS2_32(00000000,?,00000010), ref: 0096D622
listen.WS2_32(00000000,00000078), ref: 0096D633

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonslistensocket
String ID:
API String ID: 564772725-0
Opcode ID: 927845e3e4591a50482ff369c88ac508eb13548e5bc5458e3475998b7689e751
Instruction ID: 1839a44599032faa79a902b8b20416572f90dd7c988c71ff943cf1fcb5c54314
Opcode Fuzzy Hash: 927845e3e4591a50482ff369c88ac508eb13548e5bc5458e3475998b7689e751
Instruction Fuzzy Hash: 3CF0F470E5571475DA003BB49C8AFFD332C9F41334F104701F97AA91D2D7B4564497AA

Function 009637C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMONLIBRARYCODE

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32(00000000,?,?), ref: 0096381F
AdjustTokenPrivileges.ADVAPI32(?,00000000,009639EF,00000000,00000000,00000000,?,?,?,00000001), ref: 00963842
GetLastError.KERNEL32(?,?,?,00000001), ref: 0096384C

Part of subcall function 00961726: _vwprintf.LIBCMT ref: 00961730
Part of subcall function 00961726: _vswprintf_s.LIBCMT ref: 00961754

Strings

%s, xrefs: 00963859

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue_vswprintf_s_vwprintf
String ID: %s
API String ID: 2004037343-620797490
Opcode ID: 216d3312369351f2fffdde007a428463157030ff066cfbf60db374b2d8232a9b
Instruction ID: deb5e056ea188d90d5a055aec266b9b83d01b0061d412d1eef75973779c525ee
Opcode Fuzzy Hash: 216d3312369351f2fffdde007a428463157030ff066cfbf60db374b2d8232a9b
Instruction Fuzzy Hash: B1115C72904118BAEB119FA9DD45AFFBBBCEB48344F104426F905E6150E631AF0887B1

Function 039101AE Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 03910298
memcmp.MSVCRT ref: 03910396

Strings

l.dl, xrefs: 039101FA
ntdl, xrefs: 039101E9

Memory Dump Source

Source File: 00000000.00000002.2937237770.0000000003910000.00000020.00001000.00020000.00000000.sdmp, Offset: 03910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3910000_loaddll32.jbxd

Similarity

API ID: memcmp
String ID: l.dl$ntdl
API String ID: 1475443563-1236859653
Opcode ID: 0f5b3dc6387e30a20ae83c9fee98fb0c13c12e8ae5b52ce1f743266dc0cfa94e
Instruction ID: 7483b41803054f30618195645a644510abb9c3c1ce64bb4b5e24138c07d42546
Opcode Fuzzy Hash: 0f5b3dc6387e30a20ae83c9fee98fb0c13c12e8ae5b52ce1f743266dc0cfa94e
Instruction Fuzzy Hash: C6811575E003098FCB14CF99C5809AEF7F9FF88310B19856AD915AB321D736A892CF94

Function 00966C1F Relevance: 6.1, APIs: 4, Instructions: 63sleepnetworkCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00966C2E
Sleep.KERNEL32(000003E8), ref: 00966C7E
GetTickCount.KERNEL32 ref: 00966C84
WSAGetLastError.WS2_32 ref: 00966C8A

Part of subcall function 00966BD9: ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00966BEB

Part of subcall function 009663AB: _memset.LIBCMT ref: 009663CC

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleep_memsetioctlsocket
String ID:
API String ID: 3301373915-0
Opcode ID: c9c447822fd538f3157cbb3745d31a7d13cd95302d10d19668a972440e60c9c9
Instruction ID: 56d8a2a891498f50aae4971ebe5f139d0d06f68774416d480857c7558ad574b1
Opcode Fuzzy Hash: c9c447822fd538f3157cbb3745d31a7d13cd95302d10d19668a972440e60c9c9
Instruction Fuzzy Hash: F0110833C08519ABDB017BB4AC86AAE7BACDB84334F240122F641B71D1ED3569859791

Function 00985B20 Relevance: 5.6, Strings: 4, Instructions: 612COMMONLIBRARYCODE

Download Yara Rule

Strings

abcdefghijklmnop, xrefs: 00985B2B
, xrefs: 00985E9C
abcdefghijklmnop, xrefs: 00985B2A
<, xrefs: 00985EA6

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $<$abcdefghijklmnop$abcdefghijklmnop
API String ID: 0-3339112986
Opcode ID: d1e6a2cded57178cac86d231bfa32809ffc7b7be134f286797e155ffd84a56f1
Instruction ID: c1ac00b4c83beac32b8f63730352dec3bfcd314db3bc5a68c43bb841cac77d7c
Opcode Fuzzy Hash: d1e6a2cded57178cac86d231bfa32809ffc7b7be134f286797e155ffd84a56f1
Instruction Fuzzy Hash: D952F475A101198FDB08CF69D491AADBBF1FF8D300F14C16AE865AB352C238E951DFA4

Function 0096CC7A Relevance: 4.5, APIs: 3, Instructions: 42memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,74DF2E90,?,?,?,00966EB5), ref: 0096CCAD
CheckTokenMembership.ADVAPI32(00000000,?,00966EB5,?,?,?,00966EB5), ref: 0096CCC2
FreeSid.ADVAPI32(?,?,?,?,00966EB5), ref: 0096CCD2

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5e710e1304b68cb6bdb49a1f85a3efd9723f1a5e0e8a467b9c7de9086a680ad7
Instruction ID: fac1abbc38998a01e05260b5f19a8d6ddf249a06ac374d3c0c07dfe8090f3f4f
Opcode Fuzzy Hash: 5e710e1304b68cb6bdb49a1f85a3efd9723f1a5e0e8a467b9c7de9086a680ad7
Instruction Fuzzy Hash: 1F013C7294528CFFDB01DFE88C84AEDBFBCAB15204F44489AE541A3242D2709B08EB25

Function 010B47AA Relevance: 2.7, Strings: 2, Instructions: 191COMMON

Download Yara Rule

Strings

l.dl, xrefs: 010B47F6
ntdl, xrefs: 010B47E5

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: l.dl$ntdl
API String ID: 0-1236859653
Opcode ID: eb7a861bcce37a4c8b14e75ca5a7465a8bfae540b2fdb9fa33f4e04c6bc83f0a
Instruction ID: 855dbde1e6c3e53e7df3bb7c22577e806a683a10eeeb3b17739cf04a18d3ae2f
Opcode Fuzzy Hash: eb7a861bcce37a4c8b14e75ca5a7465a8bfae540b2fdb9fa33f4e04c6bc83f0a
Instruction Fuzzy Hash: 6981E275E002158FDB54CF99C5C4AADBBF5FF88310F1581AAD98AAB322D734A941CF90

Function 010B479D Relevance: 2.5, Strings: 2, Instructions: 36COMMON

Download Yara Rule

Strings

l.dl, xrefs: 010B47F6
ntdl, xrefs: 010B47E5

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: l.dl$ntdl
API String ID: 0-1236859653
Opcode ID: 82ebefdf8aafa245ead5811a43e5d47b61fc1021544dcf684eb0a3e78f6b211d
Instruction ID: be5752580e51773eb3729ff88e5cde8b161ea90f28e930e240debae8a4dd57a7
Opcode Fuzzy Hash: 82ebefdf8aafa245ead5811a43e5d47b61fc1021544dcf684eb0a3e78f6b211d
Instruction Fuzzy Hash: 1DF04F34A103558FD7B0CF59C4C4F65B7E5FB59710F5981A9CA85CB713C225AD48CB90

Function 039101A1 Relevance: 2.5, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

memcmp.MSVCRT ref: 03910298

Strings

l.dl, xrefs: 039101FA
ntdl, xrefs: 039101E9

Memory Dump Source

Source File: 00000000.00000002.2937237770.0000000003910000.00000020.00001000.00020000.00000000.sdmp, Offset: 03910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3910000_loaddll32.jbxd

Similarity

API ID: memcmp
String ID: l.dl$ntdl
API String ID: 1475443563-1236859653
Opcode ID: d7abb7fa61433a944f2779dc576cdb2e4f9a469f8ae612de3899614722100775
Instruction ID: b98ac127b153f45011a6373b024a4255f5a8f52fe3a6c345bdebc0ad7613830d
Opcode Fuzzy Hash: d7abb7fa61433a944f2779dc576cdb2e4f9a469f8ae612de3899614722100775
Instruction Fuzzy Hash: FEF0C230A003088FD770CE59C4C4F22F3E9FB59750B5984AAC9446B716C332ECA4C780

Function 00963873 Relevance: 1.5, APIs: 1, Instructions: 38pipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32(?,00000003,00000004,00000002,00000000,00000000,00000000,00000000), ref: 009638C7

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: f92121c9daa6c30af02b303cd5f0d250dc282b5a78e8074acaabfc5c176859f4
Instruction ID: f0f6c4ce11fc754f95d1c80669beb1c965746e99a84350add4aafba646144adc
Opcode Fuzzy Hash: f92121c9daa6c30af02b303cd5f0d250dc282b5a78e8074acaabfc5c176859f4
Instruction Fuzzy Hash: 92F04CF04163087FD7109F7CAC8AFA63F9CD700364F10432AB2A4D20E0D2714A449B10

Function 00986970 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f9325b0469aff35141d872e8c63786a20553d81eaf4efde90ec8d76f2bad084
Instruction ID: 2003a99a86cdeb5a73f25738c61e82be41d36e4ebbe49c40e7ab24f598a02671
Opcode Fuzzy Hash: 1f9325b0469aff35141d872e8c63786a20553d81eaf4efde90ec8d76f2bad084
Instruction Fuzzy Hash: CD12B3319241598FDB08CF5DD8A1ABDBBF1EF49301F48816EE456AF386CA38E611DB50

Function 010A5DB8 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ffc9e7d7ac48dbd1f10dea994cfd9f9dd5b24efee4c6583d3994a083d35383
Instruction ID: 5e323ca06773a6a38d688335970b05ffc895625c9dc0b0618d34ed9a24903ec7
Opcode Fuzzy Hash: e2ffc9e7d7ac48dbd1f10dea994cfd9f9dd5b24efee4c6583d3994a083d35383
Instruction Fuzzy Hash: 791251319141698FDB08CF5DC8D1ABDBBF1EF49301F54816AE456DB386CA38EA12DB50

Function 009863A0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b861e65eddebf31a98abeff916774899d1ee56d37ffdd3b34c8f0565c994d912
Instruction ID: a209b9e657414c8daef4eb121ffe812fc368c0546c681f6a0fe8091cbd922038
Opcode Fuzzy Hash: b861e65eddebf31a98abeff916774899d1ee56d37ffdd3b34c8f0565c994d912
Instruction Fuzzy Hash: 6E1280719241598FCB08CF5CE8919BDBBF1FF49300F49816EE456AB382C638EA11DB60

Function 010A57E8 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee21426a7293bb9793e89946cb74d85c7d078241c3289d5d319273b867ffb34
Instruction ID: 81ad88f3555dc7c7c660850bf852061ce6f39c2a8ea4ee89f856e131b08820ba
Opcode Fuzzy Hash: 1ee21426a7293bb9793e89946cb74d85c7d078241c3289d5d319273b867ffb34
Instruction Fuzzy Hash: E11260319141698FDB08CF9DC8D19BDBBF1EF49300F59826EE456AB382C638E652DB50

Function 009840FD Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: c2554984440d7e0168b5b7f1b3e58c22139c58c1123ba4ea724644e688d242ae
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: 3CD16D73C0E9B30A8736913D415862BEAA66FD1B5131FC7E19CE43F39AD22A5D0497D0

Function 00983CDD Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: ee0ce7e1f0d11ca550654addb7897a4ef27c7305b79e4acdb880c146c5cc8f68
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: B3D16D73C0E9B30A8736913D415862BEEA26FD1B4131EC7E19CD43F38AD62A5E0497D0

Function 009838D1 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 42325ce4b5d0fd4b32abe367e2b80f0839a6bdff65ee155fd91b1e115df0f684
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: 72C15B73C0E9F34A8736913D416863BEAA66FD1A5031FC7A1DCD43F39A922B5E0496D0

Function 009834FD Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: afe0d8160b2139e77f2f6abba6caff363ac2c43cf7a9d9ba28ced532c300d532
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: E8C15E73D1E9F30A8736913D415852BEEA66FD1B5032EC7E09CD42F389E62A9E0497D0

Function 00974214 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: a7b03083a0c1943bd6bc7e53da11611cdde2c534861f86c0154113eaadc09522
Instruction ID: fe99357daa21e2bbc4c8b699a43e8cd97720064efbde7bee254e803ce890b892
Opcode Fuzzy Hash: a7b03083a0c1943bd6bc7e53da11611cdde2c534861f86c0154113eaadc09522
Instruction Fuzzy Hash: 67413A72E00209AFDB14DFA8C881AAEB7B5EF88310F558169E919E7342D734AE41CB50

Function 0109365C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: e0b0735f12899f6be2682c86242398845bc4d23d28edfaa6f93b438634913bca
Instruction ID: 711d9d95958736d1eea23493c0a90aa7a7e3f711d26004db161e1b6e68c21faf
Opcode Fuzzy Hash: e0b0735f12899f6be2682c86242398845bc4d23d28edfaa6f93b438634913bca
Instruction Fuzzy Hash: 0F4138B6E00209AFDF14DFA8C891AEEB7F6FB48310F548069E945EB341D634EA05DB50

Function 00986145 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87ec4f336fdee703b08f9657c992eb6a3e27b91e8c24ebe6f9b95a7b6a8819cc
Instruction ID: 1c6ce8289bc30c33112eda8d04354b0679b967541f14e527b50d153585576cd1
Opcode Fuzzy Hash: 87ec4f336fdee703b08f9657c992eb6a3e27b91e8c24ebe6f9b95a7b6a8819cc
Instruction Fuzzy Hash: 034185749240688FDB48CF5DE8E08EDB7F2FB4E341B45854AE542BB396C638A910DB64

Function 009677F6 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 210networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32(?), ref: 00967830
select.WS2_32(00000000,?,?,?,?), ref: 00967894
__WSAFDIsSet.WS2_32(00000000,?), ref: 009678B0
accept.WS2_32(00000000,00000000,00000000), ref: 009678C5
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 009678D8

Part of subcall function 009671FC: _malloc.LIBCMT ref: 00967203
Part of subcall function 009671FC: GetTickCount.KERNEL32 ref: 00967223

Part of subcall function 00961683: _malloc.LIBCMT ref: 00961689

Part of subcall function 009616D3: htonl.WS2_32(0000001F), ref: 009616D9

Part of subcall function 00961765: _memset.LIBCMT ref: 00961773

__WSAFDIsSet.WS2_32(00000000,?), ref: 00967965
accept.WS2_32(00000000,00000000,00000000), ref: 00967977
closesocket.WS2_32(?), ref: 00967A85

Strings

d, xrefs: 00967810

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _mallocaccepthtonl$CountTick_memsetclosesocketioctlsocketselect
String ID: d
API String ID: 4083423528-2564639436
Opcode ID: 7ea40e89122ef197fe22bd1cd11d080a30555718dac760962811275ee50bb219
Instruction ID: dce7a22c93db7a65ca61d828f2dfbfda14ba8776d8808fc1a44e1eaeee86b5af
Opcode Fuzzy Hash: 7ea40e89122ef197fe22bd1cd11d080a30555718dac760962811275ee50bb219
Instruction Fuzzy Hash: A3712AB1C04608AFDB20EFE5CC85AAFFBBCAF84304F1445AAE515E2251E731AE45DB50

Function 00962728 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 147networksleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00962753
_memset.LIBCMT ref: 00962768
__snprintf.LIBCMT ref: 009627A6
__snprintf.LIBCMT ref: 009627C2
__snprintf.LIBCMT ref: 00962822
__snprintf.LIBCMT ref: 00962839

Part of subcall function 00977156: __output_l.LIBCMT ref: 009771D8

HttpOpenRequestA.WININET(00000000,?,00000000,00000000,0098F540), ref: 00962877
HttpSendRequestA.WININET(00000000,?,?,?,?), ref: 009628A0
InternetCloseHandle.WININET(00000000), ref: 009628B2
Sleep.KERNEL32(000001F4), ref: 009628B9
InternetCloseHandle.WININET(00000000), ref: 009628CA

Strings

*/*, xrefs: 00962743
%s%s, xrefs: 00962832
/OWA/, xrefs: 00962792

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf$CloseHandleHttpInternetRequest_memset$OpenSendSleep__output_l
String ID: %s%s$*/*$/OWA/
API String ID: 894754388-1434031659
Opcode ID: 6e22bcd024275d8349c37789a3f8ae5100713c28da24c8732aac538968af0aab
Instruction ID: 097318495d677fe791945b92143228d4c1d7180c85e75075767d7a74792cba2c
Opcode Fuzzy Hash: 6e22bcd024275d8349c37789a3f8ae5100713c28da24c8732aac538968af0aab
Instruction Fuzzy Hash: 7B41BF72908118AFDB11AFA4DC85EFE7B7DEF58304F0400A6F505B7162DB369A489BA1

Function 00963E63 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 181processCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00963E91
_memset.LIBCMT ref: 00963EAD

Part of subcall function 00962EC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,009640B2,00000400,?,00963ED7,009640B2,?,00000400), ref: 00962ED6
Part of subcall function 00962EC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,009640B2,00963ED7,?,00963ED7,009640B2,?,00000400,?,?,?,?,009640B2), ref: 00962EEF

GetCurrentDirectoryW.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,009640B2,00968F3F,?,?,00967FFC,?), ref: 00963EF7
GetCurrentDirectoryW.KERNEL32(00000400,?,?,?,?,?,?,?,?,009640B2,00968F3F,?,?,00967FFC,?), ref: 00963F06
CreateProcessWithTokenW.ADVAPI32(00000002,00000000,?,C0330CC4,00000000,?,A6E8296A,83FFFFE3), ref: 00963F34

Strings

system32, xrefs: 00963FE9
sysnative, xrefs: 00963FC9

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ByteCharCurrentDirectoryMultiWide_memset$CreateProcessTokenWith
String ID: sysnative$system32
API String ID: 2486443368-2461298002
Opcode ID: d9d4f8d1b41eb847d0e102f4d2f7e1e7881d0a4d750a9ed6a8f27de3ba2759ca
Instruction ID: 18984bbc773b9c444e13a869af4b05da066555bfe9c719b96a5709843b5f7f45
Opcode Fuzzy Hash: d9d4f8d1b41eb847d0e102f4d2f7e1e7881d0a4d750a9ed6a8f27de3ba2759ca
Instruction Fuzzy Hash: C551FB72A18215AFD7219FA4DC85FB777ACEF44310F14482AFA49C3251E731DA149B91

Function 00966772 Relevance: 18.1, APIs: 12, Instructions: 94pipesleepfileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00966781
GetTickCount.KERNEL32 ref: 0096678B
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00100000,00000000,?,?,?,?,00000001,?,?,00000000), ref: 009667A5
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00000000,?,?,00000000), ref: 009667B2
WaitNamedPipeA.KERNEL32(?,00002710), ref: 009667C7

Part of subcall function 009663AB: _memset.LIBCMT ref: 009663CC

Sleep.KERNEL32(000003E8,?,?,?,?,00000001,?,?,00000000,?,?,00000000), ref: 009667D4
GetTickCount.KERNEL32 ref: 009667DA
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00000000,?,?,00000000), ref: 009667F0
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00000000,?,?,00000000), ref: 00966800
SetNamedPipeHandleState.KERNEL32(?,?,00000000,00000000,?,?,?,?,00000001,?,?,00000000,?,?,00000000), ref: 0096681D
GetLastError.KERNEL32(?,?,?,?,00000001,?,?,00000000,?,?,00000000), ref: 00966827
DisconnectNamedPipe.KERNEL32(?), ref: 00966861

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait_memset
String ID:
API String ID: 2451114245-0
Opcode ID: cceea325c6d1dfd0a6943c010559a04c5ca1bd0c5b90158de64215321dadd07c
Instruction ID: fbe7275911bf0fa0810e690937fc0a55b63d35fb5e6a71004914665bd9a0cf58
Opcode Fuzzy Hash: cceea325c6d1dfd0a6943c010559a04c5ca1bd0c5b90158de64215321dadd07c
Instruction Fuzzy Hash: 1621D731A1C2157FEB012BB5EC8ABBD3AACAB44724F740821FA06E71D0EE659C409761

Function 009655E0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 114threadsleepprocessCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQueueApcThread,00000000,00000000), ref: 00965625
GetProcAddress.KERNEL32(00000000), ref: 0096562C

Part of subcall function 0096555A: _malloc.LIBCMT ref: 00965579
Part of subcall function 0096555A: WriteProcessMemory.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,00000000,00000000), ref: 009655BF

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0096565B
Thread32First.KERNEL32(00000000,0000001C), ref: 00965670
Thread32Next.KERNEL32(00000000,0000001C), ref: 009656B0
Sleep.KERNEL32(000000C8), ref: 009656C7
ReadProcessMemory.KERNEL32(00000000,00000000,?,00000010,00000000), ref: 009656DA
WriteProcessMemory.KERNEL32(00000000,00000000,?,00000010,00000010), ref: 00965703

Strings

ntdll, xrefs: 00965610
NtQueueApcThread, xrefs: 00965609

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: MemoryProcess$Thread32Write$AddressCreateFirstHandleModuleNextProcReadSleepSnapshotToolhelp32_malloc
String ID: NtQueueApcThread$ntdll
API String ID: 346785587-1374908105
Opcode ID: 46e9437adab538117ee16911c170e2f19be83821c6e315c4b7b83e279abb3f43
Instruction ID: 3901db1f7143e4f314a414c70d146932852fc9a62744a08d7ee8e0011e7347cd
Opcode Fuzzy Hash: 46e9437adab538117ee16911c170e2f19be83821c6e315c4b7b83e279abb3f43
Instruction Fuzzy Hash: 6E31FAB2900609FFEF10EFA4DC859AEBBB9EB48344F114429FA05E7250E7719A44DB61

Function 009675F5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 69networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00967606
select.WS2_32(00000000,00000000,?,?,00000000), ref: 00967651
__WSAFDIsSet.WS2_32(00000000,?), ref: 00967661
__WSAFDIsSet.WS2_32(00000000,?), ref: 00967674
GetTickCount.KERNEL32 ref: 0096767D
gethostbyname.WS2_32(009677A4), ref: 00967688
htons.WS2_32(?), ref: 0096769B
inet_addr.WS2_32(009677A4), ref: 009676A7
sendto.WS2_32(00000000,00000000,0000000A,00000000,?,00000010), ref: 009676C1

Strings

d, xrefs: 00967614

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
String ID: d
API String ID: 1257931466-2564639436
Opcode ID: f0bd8e55fed5d2888ddd8d877a91cbc8fa3fcc575f87a83bedd6cad5a4b36413
Instruction ID: d483312c54f9a9f7dc7ce2c7298b5e4d7edee1ff1918123d28a17771328a1de2
Opcode Fuzzy Hash: f0bd8e55fed5d2888ddd8d877a91cbc8fa3fcc575f87a83bedd6cad5a4b36413
Instruction Fuzzy Hash: 0621A172904209BBDF11AFE4DC45BEEBBB9EF08304F1000A6F901E62A1E775DA559F91

Function 0096C958 Relevance: 16.6, APIs: 11, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32(?), ref: 0096C980
htonl.WS2_32(00000000), ref: 0096C990
GetLastError.KERNEL32(?,0099E6C0), ref: 0096C9AB
OpenProcessToken.ADVAPI32(00000000,00000000,00000008,?,0099E6C0), ref: 0096C9CF
GetLastError.KERNEL32 ref: 0096C9D9
ImpersonateLoggedOnUser.ADVAPI32(00000008), ref: 0096C9F8
GetLastError.KERNEL32 ref: 0096C9FE
DuplicateTokenEx.ADVAPI32(00000008,02000000,00000000,00000003,00000001,0099E6BC), ref: 0096CA1D
GetLastError.KERNEL32 ref: 0096CA27
ImpersonateLoggedOnUser.ADVAPI32 ref: 0096CA39
GetLastError.KERNEL32 ref: 0096CA3F

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$ImpersonateLoggedTokenUserhtonl$DuplicateOpenProcess
String ID:
API String ID: 332438066-0
Opcode ID: 2c718cc79a41f3eba31a7de118d3ba921594c1fa01728959ca6844dd0ecf0523
Instruction ID: 6ae5c1833dc1f0c6a8164069bc51417a6bd24b4fc86978b39390fe988c81f4dc
Opcode Fuzzy Hash: 2c718cc79a41f3eba31a7de118d3ba921594c1fa01728959ca6844dd0ecf0523
Instruction Fuzzy Hash: BC31E7B1508209BFEF20ABE1DC4DFBA3B7CEF51755F184026F985A5191EB708944DB21

Function 0096752F Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 59networksleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00967540
select.WS2_32(00000000,00000000,?,?,00000000), ref: 0096758E
__WSAFDIsSet.WS2_32(00000000,?), ref: 0096759E
__WSAFDIsSet.WS2_32(00000000,?), ref: 009675B1
send.WS2_32(00000000,00000000,?,00000000), ref: 009675C5
WSAGetLastError.WS2_32(00000000,?,00000000,?,?,00000000), ref: 009675CF
Sleep.KERNEL32(000003E8,?,00000000), ref: 009675E1
GetTickCount.KERNEL32 ref: 009675E7

Strings

d, xrefs: 0096754E

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepselectsend
String ID: d
API String ID: 2152284305-2564639436
Opcode ID: f6ee834c6cda99214e117496c96fb19fc753636689e989ecee1177378a2be4d9
Instruction ID: 4fb86be06f0484519a0852b78b9b1571195c3bb33574006748cd9216a7b95c4d
Opcode Fuzzy Hash: f6ee834c6cda99214e117496c96fb19fc753636689e989ecee1177378a2be4d9
Instruction Fuzzy Hash: 9311B27180420DABDB119FA0DC89BEDBBBCFB04304F1046A6F606E21A0D7B49E81DF90

Function 00963430 Relevance: 15.1, APIs: 10, Instructions: 103sleepfilepipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00963446
GetLastError.KERNEL32(?,?,?,?,?,00000001,?,?,?,?,?,?,?,00968BB2), ref: 009634A6
GetTickCount.KERNEL32 ref: 009634B1
Sleep.KERNEL32(000003E8,?,?,?,?,?,00000001,?,?,?,?,?,?,?,00968BB2), ref: 009634BC
GetLastError.KERNEL32(?,?,?,?,?,00000001,?,?,?,?,?,?,?,00968BB2), ref: 009634C8
WriteFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,00000001), ref: 009634FA
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,00000001), ref: 00963525
FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,?,?,?,?,00968BB2), ref: 00963539
DisconnectNamedPipe.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,?,?,?,?,00968BB2), ref: 00963542
Sleep.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,?,?,?,?,00968BB2), ref: 00963557

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
String ID:
API String ID: 3101085627-0
Opcode ID: f2ab64f70a049f799a4dc1f23808df53fb098eb24f9705905971738a812d6bbb
Instruction ID: ccfc53dc538e90f0e883366ed2504e10d88ab1f3791e11c2e20f795363ce20df
Opcode Fuzzy Hash: f2ab64f70a049f799a4dc1f23808df53fb098eb24f9705905971738a812d6bbb
Instruction Fuzzy Hash: EF311E72D08219BBDB11EBE4DC89BEEB77CEB44300F144065F505A6160EB31AF44DB61

Function 0096AE96 Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F8A
Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F9A

_memset.LIBCMT ref: 0096AF07

Part of subcall function 0096B1CE: _memset.LIBCMT ref: 0096B2CA

_malloc.LIBCMT ref: 0096AF1A

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

_memset.LIBCMT ref: 0096AF2C

Part of subcall function 0096D265: _malloc.LIBCMT ref: 0096D28C
Part of subcall function 0096D265: _memset.LIBCMT ref: 0096D2BA

htonl.WS2_32(00000000), ref: 0096AF5D
GetComputerNameExA.KERNEL32(00000006,?,?), ref: 0096AFCE
GetComputerNameA.KERNEL32(?,?), ref: 0096AFFF
GetUserNameA.ADVAPI32(?,?), ref: 0096B030

Part of subcall function 00962C13: WSASocketA.WS2_32(00000002,00000002,00000000,00000000,00000000,00000000), ref: 00962C37

_malloc.LIBCMT ref: 0096B108
_memset.LIBCMT ref: 0096B19A

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc_memset$Name$Computer$AllocateHeapSocketUserhtonl
String ID:
API String ID: 932012179-0
Opcode ID: 4d0247b8d59fcab1524b45a8a367528fa38ac4a4b2e308c3212057ac9756c80a
Instruction ID: 2835098d68661ef80a9163a32835f9187667de54ff7bf9d884f8d81d872a388e
Opcode Fuzzy Hash: 4d0247b8d59fcab1524b45a8a367528fa38ac4a4b2e308c3212057ac9756c80a
Instruction Fuzzy Hash: 6E81287290C3006AD721AB649C82F6FB7EDEFC9754F11081EF19897282EB75D94187A2

Function 00963C02 Relevance: 13.6, APIs: 9, Instructions: 134injectionCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00969002: GetCurrentProcess.KERNEL32(?,00963C24,006A0875,00000000,00968F3F,00968F3F), ref: 0096900E

GetLastError.KERNEL32(00000000,00968F3F,00968F3F), ref: 00963C57
ReadProcessMemory.KERNEL32(006A0875,?,?,00000004,00000000,00000000,00968F3F,00968F3F), ref: 00963C82
ReadProcessMemory.KERNEL32(006A0875,?,006A0875,00000008,00000000), ref: 00963C99
_malloc.LIBCMT ref: 00963CBE
_memset.LIBCMT ref: 00963CCF
_memset.LIBCMT ref: 00963D00
WriteProcessMemory.KERNEL32(006A0875,00968F3F,00000000,?,?), ref: 00963D25
GetLastError.KERNEL32 ref: 00963D2F
_memset.LIBCMT ref: 00963D44

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Process$Memory_memset$ErrorLastRead$CurrentWrite_malloc
String ID:
API String ID: 2732134248-0
Opcode ID: 8ba9e16d30f3e0d2b68f5c008e500c623a02b9af47162a133a1a8775a0cd5915
Instruction ID: cddd9ca5440b7e684d5ab5a591beab25181bc336e33835496e9df07c0e4b55de
Opcode Fuzzy Hash: 8ba9e16d30f3e0d2b68f5c008e500c623a02b9af47162a133a1a8775a0cd5915
Instruction Fuzzy Hash: B741E2B6A04119BEEB10ABA9DC06FBE7BBDEF44710F108051FA08E90D1EB359A50D771

Function 0109B5B0 Relevance: 13.6, APIs: 9, Instructions: 105COMMON

Download Yara Rule

APIs

__crt_waiting_on_module_handle.LIBCMT ref: 0109B5B2
__init_pointers.LIBCMT ref: 0109B66A
__encode_pointer.LIBCMT ref: 0109B675
__encode_pointer.LIBCMT ref: 0109B685
__encode_pointer.LIBCMT ref: 0109B695
__encode_pointer.LIBCMT ref: 0109B6A5
__decode_pointer.LIBCMT ref: 0109B6C6
__calloc_crt.LIBCMT ref: 0109B6DF
__decode_pointer.LIBCMT ref: 0109B6F9

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: __encode_pointer$__decode_pointer$__calloc_crt__crt_waiting_on_module_handle__init_pointers
String ID:
API String ID: 1960427394-0
Opcode ID: 563c1a9acce4eacc7033eb5bdae96d7e4e55712accac0d757ccc1c5c1a0fb50b
Instruction ID: 501a9896b1a329c72a45e3a62ad42f2d2f1a3c509b918a2074837a18d6aa0ccc
Opcode Fuzzy Hash: 563c1a9acce4eacc7033eb5bdae96d7e4e55712accac0d757ccc1c5c1a0fb50b
Instruction Fuzzy Hash: 2731C071804331AEFF12EF78EC95A993BE4FB44661B14021AE5A4CB2B1EB75C040EF50

Function 00967424 Relevance: 13.6, APIs: 9, Instructions: 101networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 00967443
htons.WS2_32(00000000), ref: 00967454
socket.WS2_32(00000002,00000001,00000000), ref: 0096748D
closesocket.WS2_32(00000000), ref: 0096749C
gethostbyname.WS2_32(00000000), ref: 009674BA
htons.WS2_32(?), ref: 009674E6
ioctlsocket.WS2_32(00000000,8004667E,?), ref: 009674F9
connect.WS2_32(00000000,?,00000010), ref: 0096750A
WSAGetLastError.WS2_32(00000000,?,00000010), ref: 00967513

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
String ID:
API String ID: 3339321253-0
Opcode ID: de7fe39a6c10bdc12163bfcc3f2b0d069defeeaa95b10f22fa731d6ca332a9ca
Instruction ID: 8e57923c690af4ed0a554b8f27bab67a60bf79c62cb1e9a5a0da0dbe62b981fc
Opcode Fuzzy Hash: de7fe39a6c10bdc12163bfcc3f2b0d069defeeaa95b10f22fa731d6ca332a9ca
Instruction Fuzzy Hash: A83133B2D04118ABDB20BBF4DC85FBEB7ACEF84314F114166F908E7251EA348A048765

Function 009681D9 Relevance: 13.6, APIs: 9, Instructions: 99threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 009681F9
UpdateProcThreadAttribute.KERNEL32(?,00000000,00020000,?,00000004,00000000,00000000), ref: 00968225
GetLastError.KERNEL32 ref: 0096822F
GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000,00000001,00000003), ref: 00968264
DuplicateHandle.KERNEL32(00000000), ref: 0096826B
GetCurrentProcess.KERNEL32(00000000,?,?,00000000,00000001,00000003), ref: 00968296
DuplicateHandle.KERNEL32(00000000), ref: 00968299
GetCurrentProcess.KERNEL32(?,?,?,00000000,00000001,00000003), ref: 009682B2
DuplicateHandle.KERNEL32(00000000), ref: 009682B5

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CurrentDuplicateHandleProcess$ErrorLast$AttributeProcThreadUpdate
String ID:
API String ID: 570851288-0
Opcode ID: c15d6073eb0620dcbd97986acd2e41ad4ae4f43244eaf355594f38ad92a33e75
Instruction ID: 97ca8c2ef114e0146b7011dc48248c8d585a856cd6bf42432bc7f2fc678b9d70
Opcode Fuzzy Hash: c15d6073eb0620dcbd97986acd2e41ad4ae4f43244eaf355594f38ad92a33e75
Instruction Fuzzy Hash: C121B471704609BBDB209FA1DC99F7B3B2DEB86B84F240508FA15DB280DA719D01D770

Function 00964161 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130processCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F8A
Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F9A

_memset.LIBCMT ref: 009641C4
GetStartupInfoA.KERNEL32(?), ref: 009641DC

Part of subcall function 00962EC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,009640B2,00000400,?,00963ED7,009640B2,?,00000400), ref: 00962ED6
Part of subcall function 00962EC0: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,009640B2,00963ED7,?,00963ED7,009640B2,?,00000400,?,?,?,?,009640B2), ref: 00962EEF

GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00964241
GetCurrentDirectoryW.KERNEL32(00000400,?), ref: 0096424B
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000001,00000000,00000000,00000000,00000000,00000000,?,00962FC7), ref: 00964276
GetLastError.KERNEL32 ref: 00964285

Part of subcall function 009624AC: _vswprintf_s.LIBCMT ref: 009624C8

Strings

%s as %s\%s: %d, xrefs: 00964295

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ByteCharCurrentDirectoryMultiWide_malloc$CreateErrorInfoLastLogonProcessStartupWith_memset_vswprintf_s
String ID: %s as %s\%s: %d
API String ID: 963358868-816037529
Opcode ID: b199f72ee516d4375acec84bf29dcdcaf9ec949fb94e2afb21c91e2e347783fc
Instruction ID: e261ee7042dcc380d6f37f50b5a23c117a43f7f593bbb4b72f65d158f6c166b3
Opcode Fuzzy Hash: b199f72ee516d4375acec84bf29dcdcaf9ec949fb94e2afb21c91e2e347783fc
Instruction Fuzzy Hash: FC416A72D04208BBDF11AFE5DC45EEFBFB9EF88354F104029F618A6161D6718950DB61

Function 0096C7AA Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0096C7CE
_memset.LIBCMT ref: 0096C7DC
_memset.LIBCMT ref: 0096C7EA
GetTokenInformation.ADVAPI32(?,00000001(TokenIntegrityLevel),?,00001000,0096C889,?,?,?,?,?,0096C889,?,?), ref: 0096C807
LookupAccountSidA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 0096C836
__snprintf.LIBCMT ref: 0096C858

Strings

%s\%s, xrefs: 0096C851

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$AccountInformationLookupToken__snprintf
String ID: %s\%s
API String ID: 2009363630-4073750446
Opcode ID: c6209a041329bc52c4ac5e2fbd2f37ff6fe56bef0edc15ca5f0289078bfdda80
Instruction ID: 34c6f7c02c39abad9e0638ce45d65cbd15516f267ddd5839908a435a87dc5cef
Opcode Fuzzy Hash: c6209a041329bc52c4ac5e2fbd2f37ff6fe56bef0edc15ca5f0289078bfdda80
Instruction Fuzzy Hash: 1D2103B290411CBADB11DB91DC85EFF77BCEB48748F0488BAB515E3141D670EB848B64

Function 0096B6AC Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0096B6BD

Part of subcall function 00978876: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,0096B6C2,00000000), ref: 00978881
Part of subcall function 00978876: __aulldiv.LIBCMT ref: 009788A1

_malloc.LIBCMT ref: 0096B6E6
_strncpy.LIBCMT ref: 0096B706
_strtok.LIBCMT ref: 0096B71D
_strtok.LIBCMT ref: 0096B73C

Part of subcall function 009787B5: __getptd.LIBCMT ref: 009787D3

__time64.LIBCMT ref: 0096B74E
__time64.LIBCMT ref: 0096B7DD
__time64.LIBCMT ref: 0096B879

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __time64$Time_strtok$FileSystem__aulldiv__getptd_malloc_strncpy
String ID:
API String ID: 2319056096-0
Opcode ID: efe9588e2cc5d22cf0748f2ce85a8a8740f2ec93b9d60797b22b5b7e2b49feea
Instruction ID: 111e8ab3d1fcdde473c833a9ee2053bafc4354856cb775e5ef4b180a23a0bd86
Opcode Fuzzy Hash: efe9588e2cc5d22cf0748f2ce85a8a8740f2ec93b9d60797b22b5b7e2b49feea
Instruction Fuzzy Hash: 0B5139B1C2A200DFCB14DF6DEDC15697BB9F699361B50812FE509C7AA0E7308981EF50

Function 0108AAF4 Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0108AB05

Part of subcall function 01097CBE: __aulldiv.LIBCMT ref: 01097CE9

_malloc.LIBCMT ref: 0108AB2E
_strncpy.LIBCMT ref: 0108AB4E
_strtok.LIBCMT ref: 0108AB65
_strtok.LIBCMT ref: 0108AB84

Part of subcall function 01097BFD: __getptd.LIBCMT ref: 01097C1B

__time64.LIBCMT ref: 0108AB96
__time64.LIBCMT ref: 0108AC25
__time64.LIBCMT ref: 0108ACC1

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: __time64$_strtok$__aulldiv__getptd_malloc_strncpy
String ID:
API String ID: 3363204686-0
Opcode ID: c58aef468cca0aa84ce2cb6dc5010583bf46fb866d0932612e6161389a713d57
Instruction ID: 7c568dd1d456a5dcda1693296d7859cb5c09e73927f7c084e7993e6f1669eb06
Opcode Fuzzy Hash: c58aef468cca0aa84ce2cb6dc5010583bf46fb866d0932612e6161389a713d57
Instruction Fuzzy Hash: EC5149B5A08269DFEB56EF29EDC14587BF2FB58310710866FE1858F662E7309940DF40

Function 00963709 Relevance: 12.1, APIs: 8, Instructions: 59pipethreadfileCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00963726
GetLastError.KERNEL32 ref: 00963739
ConnectNamedPipe.KERNEL32(00000000), ref: 0096374D
ReadFile.KERNEL32(?,00000001,?,00000000), ref: 00963767
ImpersonateNamedPipeClient.ADVAPI32 ref: 00963777
GetCurrentThread.KERNEL32 ref: 0096378C
OpenThreadToken.ADVAPI32(00000000), ref: 00963793
DisconnectNamedPipe.KERNEL32(FFFFFFFF), ref: 009637A7

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken_memset
String ID:
API String ID: 3867162830-0
Opcode ID: 131bf528b44a58b74c45a344ec8b1d4f7ef4538f2d48a2bcfaa2a5b27cc2ad23
Instruction ID: 8019221f6d5e283c05e1c0e9cd9960dcc271c636f821ab607966677acfc91e6f
Opcode Fuzzy Hash: 131bf528b44a58b74c45a344ec8b1d4f7ef4538f2d48a2bcfaa2a5b27cc2ad23
Instruction Fuzzy Hash: B6118EB161C109AFDB119FA9EC8DBBA37BCEB15744F188066F601D11A1DA319E04EBA0

Function 01080FAB Relevance: 10.9, APIs: 7, Instructions: 417COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0108123B
_memset.LIBCMT ref: 0108127D
_memset.LIBCMT ref: 010812C7
_memset.LIBCMT ref: 01081311
_memset.LIBCMT ref: 0108135B
_memset.LIBCMT ref: 010813AB
_memset.LIBCMT ref: 010813D3

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 9434664bb32ed7c74f69a6b59b357e69d0ce2b0f3ec276019f4904d7244b1488
Instruction ID: 5ae4ec2283ad73765f9258e298320af49722949cd45125cda5d1b44d56cdc289
Opcode Fuzzy Hash: 9434664bb32ed7c74f69a6b59b357e69d0ce2b0f3ec276019f4904d7244b1488
Instruction Fuzzy Hash: 66D1E3B2A047029FEB60EF69CD80A9B77F5FF84204718893EE1D7C6A51E631F5568B10

Function 0097809C Relevance: 10.7, APIs: 7, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 009780FE
_memcpy_s.LIBCMT ref: 00978173
__fileno.LIBCMT ref: 009781D3
__read.LIBCMT ref: 009781DA
__filbuf.LIBCMT ref: 009781FE
_memset.LIBCMT ref: 00978244
_memset.LIBCMT ref: 0097826F

Part of subcall function 00978D72: __getptd_noexit.LIBCMT ref: 00978D72

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: 25efe052802d1f4cd78c6fd1d74d2cc46f1bf5526e6b95697180c4b228cf4b8f
Instruction ID: b8b75e3b878b845dff0cbc9bb494aebacb4b1569afebb0e38c062c9303e07a1b
Opcode Fuzzy Hash: 25efe052802d1f4cd78c6fd1d74d2cc46f1bf5526e6b95697180c4b228cf4b8f
Instruction Fuzzy Hash: 78519472A40605EBCB209F698C4C6AFBBB9EF81360F14C659F82D92191EB309D51CB51

Function 010974E4 Relevance: 10.7, APIs: 7, Instructions: 189COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01097546
_memcpy_s.LIBCMT ref: 010975BB
__fileno.LIBCMT ref: 0109761B
__read.LIBCMT ref: 01097622
__filbuf.LIBCMT ref: 01097646
_memset.LIBCMT ref: 0109768C
_memset.LIBCMT ref: 010976B7

Part of subcall function 010981BA: __getptd_noexit.LIBCMT ref: 010981BA

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
String ID:
API String ID: 3886058894-0
Opcode ID: 3ab5b0b5ebffb8c1e66b6e0b352ec067f0a67d4a440487db9b8adb8c21630672
Instruction ID: 88b7def6ef1b30c54c0104af7d869b507e905dc3b41b96efbc1ee5d4048a7b03
Opcode Fuzzy Hash: 3ab5b0b5ebffb8c1e66b6e0b352ec067f0a67d4a440487db9b8adb8c21630672
Instruction Fuzzy Hash: 5D510672A10245EFDF608F6DCC649DEBFB5EF95320F1482A9E8A5521D0D3709A50EF90

Function 00963D56 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 98processCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateProcessWithLogonW.ADVAPI32(00000002,00000000,?,C0330CC4,00000000,00963F7B,A6E8296A,83FFFFE3,009640B2,74DEE010), ref: 00963D88
GetLastError.KERNEL32 ref: 00963D9A
_memset.LIBCMT ref: 00963DE3

Strings

system32, xrefs: 00963DE8
sysnative, xrefs: 00963DC6

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateErrorLastLogonProcessWith_memset
String ID: sysnative$system32
API String ID: 2584212486-2461298002
Opcode ID: be6d7ea16eed7aa25065563d71a85fdea04e49084662fc6edb1f79243b48d587
Instruction ID: 94d163d9756b43319113169e60c42cb62cd51b587275739e240d6abade53b189
Opcode Fuzzy Hash: be6d7ea16eed7aa25065563d71a85fdea04e49084662fc6edb1f79243b48d587
Instruction Fuzzy Hash: EC314877508110AFCB139F64EC19FA33BADEF58710F188461F949DB261D632D614DBA0

Function 0096CE93 Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(-00000001,00000000,00000000,00000000,?,0096CFBD,?,00000000), ref: 0096CEB5
OpenProcessToken.ADVAPI32(00000000,?,00000000,-00000001,00000000,00000000,00000000,?,0096CFBD,?,00000000), ref: 0096CED3
GetLastError.KERNEL32(?,0096CFBD,?,00000000), ref: 0096CEDD

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$OpenProcessToken
String ID:
API String ID: 2009710997-0
Opcode ID: 44398647c0465867b0e892300965dc4810af367d5d738e55f8c687571be89bc4
Instruction ID: b409f35a1bee5b39e8c86e6556175db60cabdbe7ce933f58c19ffcacae1d7c25
Opcode Fuzzy Hash: 44398647c0465867b0e892300965dc4810af367d5d738e55f8c687571be89bc4
Instruction Fuzzy Hash: 7A21D3B2A18214BFEB112BE4EC0EF7E776DEB14B45F140014FA45E5191EB714E10A7A1

Function 00966A10 Relevance: 10.6, APIs: 7, Instructions: 59COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00966A1E
ioctlsocket.WS2_32(?,8004667E,?), ref: 00966A42
GetTickCount.KERNEL32 ref: 00966A79
ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00966A9E

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountTickioctlsocket
String ID:
API String ID: 3686034022-0
Opcode ID: 22ff7025eb816043aed7bf8c4d57b2b7462819f6e9058722cea7a9a8dfdb452b
Instruction ID: dccb4454198632dfebcc560083bc93720fde671250d594dc0a798f453fff7369
Opcode Fuzzy Hash: 22ff7025eb816043aed7bf8c4d57b2b7462819f6e9058722cea7a9a8dfdb452b
Instruction Fuzzy Hash: 5D117032514109BFDB109FE0CC49BED7BACEB00365F40C565F915E61A0D7B499949F51

Function 0096D497 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0096D49E

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

_malloc.LIBCMT ref: 0096D4AB
_malloc.LIBCMT ref: 0096D4C6
__snprintf.LIBCMT ref: 0096D4D9
_malloc.LIBCMT ref: 0096D4F8

Strings

HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 0096D4CC

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$AllocateHeap__snprintf
String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
API String ID: 3929630252-2739389480
Opcode ID: c81499bd0ab89e423f97d1c97299fb0da458c6ec28ee366196657df8fd25b6be
Instruction ID: 3759374902622415ce0a05601f54d19e8118e44bb16324673d75827b89552f3f
Opcode Fuzzy Hash: c81499bd0ab89e423f97d1c97299fb0da458c6ec28ee366196657df8fd25b6be
Instruction Fuzzy Hash: B70162719043046FDB21AFB9C885E5ABBE8EF85764B00C829F48CC7241EA71E9448790

Function 01081B70 Relevance: 9.1, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01081B9B
_memset.LIBCMT ref: 01081BB0
__snprintf.LIBCMT ref: 01081BEE
__snprintf.LIBCMT ref: 01081C0A
__snprintf.LIBCMT ref: 01081C6A
__snprintf.LIBCMT ref: 01081C81

Part of subcall function 0109659E: __output_l.LIBCMT ref: 01096620

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf$_memset$__output_l
String ID:
API String ID: 1270732810-0
Opcode ID: 32dc780789246640bbe81e72850a7b34c70a7b048d89887567f97762967457ae
Instruction ID: 0062beb6e412ce01a838209b44caceeebb1ee6bd1c953be9a63f6eceb6c10210
Opcode Fuzzy Hash: 32dc780789246640bbe81e72850a7b34c70a7b048d89887567f97762967457ae
Instruction Fuzzy Hash: AD41C372804129FFEF12BFA4DC84DEE7B7DEF19204F5400A6E685A7011D7369A49CB60

Function 009660AE Relevance: 9.1, APIs: 6, Instructions: 63pipefileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,?,?,00966190,009662A5,00000000,?,009662A5,?), ref: 009660D2
WaitNamedPipeA.KERNEL32(009662A5,00002710), ref: 009660E7
CreateFileA.KERNEL32(009662A5,C0000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?,?,?,00966190,009662A5,00000000), ref: 009660FF
SetNamedPipeHandleState.KERNEL32(?,009662A5,00000000,00000000,?,00000000,?,?,?,00966190,009662A5,00000000,?,009662A5,?), ref: 00966115
DisconnectNamedPipe.KERNEL32(?,?,00000000,?,?,?,00966190,009662A5,00000000,?,009662A5,?), ref: 00966121

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: NamedPipe$CreateDisconnectErrorFileHandleLastStateWait
String ID:
API String ID: 927366879-0
Opcode ID: 5e2bcccdd0ec1ab6388db6f0b5d1959e72e7c03b80288c8a26a651917dcc4c3e
Instruction ID: f626612f05469acfbb43ed30aace20e0f23b1cafee9f536ad8bdd34f09b68c2f
Opcode Fuzzy Hash: 5e2bcccdd0ec1ab6388db6f0b5d1959e72e7c03b80288c8a26a651917dcc4c3e
Instruction Fuzzy Hash: 8C11A171228110BFEF015F64DC49F7B3AACEB06310F140529F906E61A0EAB08D50AB20

Function 00963618 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32(00000000), ref: 00963673
htonl.WS2_32(?), ref: 0096367E
_malloc.LIBCMT ref: 00963695

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

_memset.LIBCMT ref: 009636EE

Part of subcall function 0096AC36: __snprintf.LIBCMT ref: 0096AC75
Part of subcall function 0096AC36: __snprintf.LIBCMT ref: 0096AC87

Strings

zyxwvutsrqponmlk, xrefs: 009636DA

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintfhtonl$AllocateHeap_malloc_memset
String ID: zyxwvutsrqponmlk
API String ID: 1734027086-3884694604
Opcode ID: 0631e7db7e4353d3c7a422381921b7c971eefb0795e972aa109d4a0abfca4585
Instruction ID: dd1757878823a3570d6a47c3f58a72a29db4cb741490fd662ce67ab21e13ee1e
Opcode Fuzzy Hash: 0631e7db7e4353d3c7a422381921b7c971eefb0795e972aa109d4a0abfca4585
Instruction Fuzzy Hash: BF217FE2E0420077DB207BB59C83B5F7B9CDFC5360F208579F919F7283E6259A049661

Function 00965832 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtMapViewOfSection,00000000,?,00000000,0096550F,00000000,00000000,00000000), ref: 0096585F
GetProcAddress.KERNEL32(00000000), ref: 00965866
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00968F3F,00000000), ref: 009658D9

Part of subcall function 0096C3C5: GetCurrentProcess.KERNEL32(000F003F,00000000,00000000,?,00000000,00000001,00000000,DDF4A353,00000000,?,?,00961D3F,00000000,000F003F,?,00000000), ref: 0096C434

Part of subcall function 0096C482: GetCurrentProcess.KERNEL32(00000080,?,00961B17,?,00000000,00000000,00000001,?,?,0096C6B4,00000000,00000001,00000000,00000000,00000080,0096167C), ref: 0096C4C2

Strings

NtMapViewOfSection, xrefs: 00965855
ntdll.dll, xrefs: 0096585A

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressErrorHandleLastModuleProc
String ID: NtMapViewOfSection$ntdll.dll
API String ID: 1006775078-3170647572
Opcode ID: b9f80e23cf4179315aaa8c92e72813a069a011a29a0419d992c97664ae5b9e0d
Instruction ID: 8f3d9a63fe5120af6cde6a3ba9c07f8e1e9999a17ea0d1bee18536672957b701
Opcode Fuzzy Hash: b9f80e23cf4179315aaa8c92e72813a069a011a29a0419d992c97664ae5b9e0d
Instruction Fuzzy Hash: 3611D672904214BFDB117FF4AC4ADBE3B7CDF84760F214416F615A7192EE718900AB60

Function 009684B1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009684B9
__snprintf.LIBCMT ref: 009684EC
__snprintf.LIBCMT ref: 00968505

Strings

%s&%s=%s, xrefs: 009684FC
?%s=%s, xrefs: 009684E3

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf$_memset
String ID: %s&%s=%s$?%s=%s
API String ID: 444161222-3403399194
Opcode ID: ca9b60d7797a5f1b758651952edee89ddb180ffd6b300f6576dff2d53cae2d8b
Instruction ID: b6c1a3c59bcbcd4fbb4ecd902ece932c3129939e0fbc191b2870a9706fa2454d
Opcode Fuzzy Hash: ca9b60d7797a5f1b758651952edee89ddb180ffd6b300f6576dff2d53cae2d8b
Instruction Fuzzy Hash: E001DCB2008200ABCB14EE00CC82F6BB778EBC5B14F918599B9055B252E635ED11D776

Function 01080764 Relevance: 7.8, APIs: 5, Instructions: 280COMMON

Download Yara Rule

APIs

Part of subcall function 010863CC: _malloc.LIBCMT ref: 010863D2
Part of subcall function 010863CC: _malloc.LIBCMT ref: 010863E2

_malloc.LIBCMT ref: 010807EC

Part of subcall function 01096449: __FF_MSGBANNER.LIBCMT ref: 0109646C
Part of subcall function 01096449: __NMSG_WRITE.LIBCMT ref: 01096473

_malloc.LIBCMT ref: 010808B5
__snprintf.LIBCMT ref: 0108091E
__snprintf.LIBCMT ref: 0108093C
__snprintf.LIBCMT ref: 0108095A

Part of subcall function 0108834B: _memset.LIBCMT ref: 01088394

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$__snprintf$_memset
String ID:
API String ID: 3514394824-0
Opcode ID: 637598e0683923cfe21186cfd80eac8b08c3106bc8d65dab26c1215210a2bdf3
Instruction ID: f1083d86030ddd733d7cedf464395aaffabc962f544406d49ef1029116103cb6
Opcode Fuzzy Hash: 637598e0683923cfe21186cfd80eac8b08c3106bc8d65dab26c1215210a2bdf3
Instruction Fuzzy Hash: 5D81267160C312AEE760BB799C01BAFBAE5AFA4310F10492EF5C49A1D4EE72C5458B53

Function 0108A2DE Relevance: 7.8, APIs: 5, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 010863CC: _malloc.LIBCMT ref: 010863D2
Part of subcall function 010863CC: _malloc.LIBCMT ref: 010863E2

_memset.LIBCMT ref: 0108A34F

Part of subcall function 0108A616: _memset.LIBCMT ref: 0108A712

_malloc.LIBCMT ref: 0108A362

Part of subcall function 01096449: __FF_MSGBANNER.LIBCMT ref: 0109646C
Part of subcall function 01096449: __NMSG_WRITE.LIBCMT ref: 01096473

_memset.LIBCMT ref: 0108A374
_malloc.LIBCMT ref: 0108A550
_memset.LIBCMT ref: 0108A5E2

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc_memset
String ID:
API String ID: 4137368368-0
Opcode ID: c7ae7c1226edfb9ec08ea79c8558e60e47f7ddc655d3b010ee65069c6fd0fc28
Instruction ID: 16fb5b1154bded692de047d9774c8f191a100e34e5fb5b9c1b03f8e69f15a8d4
Opcode Fuzzy Hash: c7ae7c1226edfb9ec08ea79c8558e60e47f7ddc655d3b010ee65069c6fd0fc28
Instruction Fuzzy Hash: 84813972A0C311AAD720FB689C84BEF77E9EB98721F11441FF6C89B180DF75D5418662

Function 00967A8F Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00967AB4
GetTickCount.KERNEL32 ref: 00967ACC
shutdown.WS2_32(00000000,00000002), ref: 00967AE7
shutdown.WS2_32(00000000,00000002), ref: 00967AF4
closesocket.WS2_32(00000000), ref: 00967AF9

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountTickshutdown$closesocket
String ID:
API String ID: 3414035747-0
Opcode ID: 9c084b3babff95ac955199a6ff06227b829c45d07b4c284e55db09e876dc0d22
Instruction ID: e1318a3059779022c148a6a0785e97edba89b948839402e6127580d508fd7312
Opcode Fuzzy Hash: 9c084b3babff95ac955199a6ff06227b829c45d07b4c284e55db09e876dc0d22
Instruction Fuzzy Hash: 7511A33260CB129FDB309FF4E844A2AF3E8BF44B18B148A19D45693A50E770ED44DF50

Function 0097F2AE Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0097F2BA

Part of subcall function 0097BF9E: __getptd_noexit.LIBCMT ref: 0097BFA1
Part of subcall function 0097BF9E: __amsg_exit.LIBCMT ref: 0097BFAE

__amsg_exit.LIBCMT ref: 0097F2DA
__lock.LIBCMT ref: 0097F2EA
InterlockedDecrement.KERNEL32(?), ref: 0097F307
InterlockedIncrement.KERNEL32(01401658), ref: 0097F332

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 58f277daf77b322c402a2dbf21471c44d1624e7b6fbf7d14dd22a2880a887ed7
Instruction ID: 57c24301dc762dd150792d8bccfb86425dfc3192456ea4b2c8a597e803fdd619
Opcode Fuzzy Hash: 58f277daf77b322c402a2dbf21471c44d1624e7b6fbf7d14dd22a2880a887ed7
Instruction Fuzzy Hash: 6201D233A09711ABCF20AF68981A76D77A4BF40B64F14C126E81CB7291CB346E41DBD5

Function 00963304 Relevance: 7.5, APIs: 5, Instructions: 45networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000000), ref: 00963311
gethostbyname.WS2_32(?), ref: 00963325
htons.WS2_32(009633E8), ref: 0096334E
connect.WS2_32(00000000,?,00000010), ref: 0096335E
closesocket.WS2_32(00000000), ref: 00963368

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: closesocketconnectgethostbynamehtonssocket
String ID:
API String ID: 530611402-0
Opcode ID: d18b9462b54346d0442f078bd9357d5654dadefa3069b873150ee311385b2eef
Instruction ID: 7fcc255cd20f25233fea80215b1390b806c8a911cb1f114a7c8e0e7bb131c19f
Opcode Fuzzy Hash: d18b9462b54346d0442f078bd9357d5654dadefa3069b873150ee311385b2eef
Instruction Fuzzy Hash: DDF0A43591061879DE1077B48C86FFE776C9F41760F818651FD24AA3D2EAB0CA049795

Function 0108C8DF Relevance: 7.5, APIs: 5, Instructions: 45COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0108C8E6

Part of subcall function 01096449: __FF_MSGBANNER.LIBCMT ref: 0109646C
Part of subcall function 01096449: __NMSG_WRITE.LIBCMT ref: 01096473

_malloc.LIBCMT ref: 0108C8F3
_malloc.LIBCMT ref: 0108C90E
__snprintf.LIBCMT ref: 0108C921
_malloc.LIBCMT ref: 0108C940

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$__snprintf
String ID:
API String ID: 1839626857-0
Opcode ID: 61e7f9ff4ea398ad218335d0326020b1a9064be8001c7e5186826d589bb63fcb
Instruction ID: 36e4d5fe6cf01a795edc95c4c3b53ab9f8f886113ff362e15b01c20729bf527a
Opcode Fuzzy Hash: 61e7f9ff4ea398ad218335d0326020b1a9064be8001c7e5186826d589bb63fcb
Instruction Fuzzy Hash: BD016D70900305AFDF20AFBADC55AD6BBE9EF55750B00882EF4C9CB210DE31D5449BA1

Function 00976F24 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00976F42

Part of subcall function 00978FDB: __mtinitlocknum.LIBCMT ref: 00978FF1
Part of subcall function 00978FDB: __amsg_exit.LIBCMT ref: 00978FFD
Part of subcall function 00978FDB: EnterCriticalSection.KERNEL32(00000000,00000000,?,0097C049,0000000D,00991740,00000008,0097C140,00000000,?,00978C0D,00000000,?,?,?,00978C70), ref: 00979005

___sbh_find_block.LIBCMT ref: 00976F4D
___sbh_free_block.LIBCMT ref: 00976F5C
HeapFree.KERNEL32(00000000,00000000,00991598,0000000C,0097BF8F,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C), ref: 00976F8C
GetLastError.KERNEL32(?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6,00000000,00000000,?,0097C049,0000000D), ref: 00976F9D

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: f6d6722a85734e6e595d8d8af3562d5c709f370803dc63e4c51e9b0c574f4467
Instruction ID: 3b9ae1338a2fda932a45b772e4be21ab9afef66d7d2cc0cdc7cdeb967320c521
Opcode Fuzzy Hash: f6d6722a85734e6e595d8d8af3562d5c709f370803dc63e4c51e9b0c574f4467
Instruction Fuzzy Hash: 45016D3394D606EAEF306FB4FC0AB5E3AA8EF81764F148119F40CA61D1CB7589409B95

Function 00966722 Relevance: 7.5, APIs: 5, Instructions: 40sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0096672F
GetTickCount.KERNEL32 ref: 00966736
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00966749
Sleep.KERNEL32(0000000A), ref: 0096675A
GetTickCount.KERNEL32 ref: 00966760

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 95bc88ccf870969d71b99a015de8183cab1adcf113cd09e10721a05d496f2665
Instruction ID: 1a3b361280e3e4c0adc2ef9efef63469b49e6ea57d5bc7f5f9adc333955a6304
Opcode Fuzzy Hash: 95bc88ccf870969d71b99a015de8183cab1adcf113cd09e10721a05d496f2665
Instruction Fuzzy Hash: 46F0A77262821DBFEB016FA4DEC48BF7B9CDB44698B280436F102D2110E6709E019B71

Function 0096AC36 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

APIs

__snprintf.LIBCMT ref: 0096AC75
__snprintf.LIBCMT ref: 0096AC87
_strncmp.LIBCMT ref: 0096AD5D

Strings

abcdefghijklmnop, xrefs: 0096AD0F

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf$_strncmp
String ID: abcdefghijklmnop
API String ID: 3493850238-2486878355
Opcode ID: a0fd90ed7f7e021b1e010d18442cd6a83999c8bebc7354fdf8f10e28d45e6cce
Instruction ID: 724dae9ce20af806e7dde5d5f97edb01679cdffc0bb4fd436527314a278fb278
Opcode Fuzzy Hash: a0fd90ed7f7e021b1e010d18442cd6a83999c8bebc7354fdf8f10e28d45e6cce
Instruction Fuzzy Hash: F9418F73900509BFEB01DEE8D9519EFB3BAAE88344B114531E905F7151FA71AE098BA2

Function 0109A5BA Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133COMMON

Download Yara Rule

Strings

, xrefs: 0109A608
l, xrefs: 0109A5E1
2, xrefs: 0109A63B

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $2$l
API String ID: 0-3132104027
Opcode ID: f0d739d8cfcab27e5a30adc0bc973be2223b85723898f5a3eb7a7f4809bc7d15
Instruction ID: e6204eb3a3dcca29a2fb06116638ab2a7af09790791596c246ad57c5581d1400
Opcode Fuzzy Hash: f0d739d8cfcab27e5a30adc0bc973be2223b85723898f5a3eb7a7f4809bc7d15
Instruction Fuzzy Hash: 8241C430A06269CBEF758E1C88F83E87BE1AB05316F0441DAC1D967191CB784EC6EF41

Function 00961FA2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 131libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,00000000,?), ref: 00962092
LoadLibraryA.KERNEL32(00000000,?,00000000,?), ref: 0096209D
GetProcAddress.KERNEL32(00000000,00000000), ref: 009620A5

Part of subcall function 009624AC: _vswprintf_s.LIBCMT ref: 009624C8

Strings

%s!%s, xrefs: 009620E2

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressHandleLibraryLoadModuleProc_vswprintf_s
String ID: %s!%s
API String ID: 2092861438-2935588013
Opcode ID: b77ee30f6c9bf5a62e611a376f9740e94077b7e26c88a61730502368a64b2d02
Instruction ID: 750df7bf3c80da1b62c63e6f45d7b1dfca79ba5149988d7b47d7b35ad7636a5a
Opcode Fuzzy Hash: b77ee30f6c9bf5a62e611a376f9740e94077b7e26c88a61730502368a64b2d02
Instruction Fuzzy Hash: D241187290C4009BDF28DFA0D849ABB7769EB84720F754455EA02AF282DB75DC42D751

Function 01099862 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 129COMMON

Download Yara Rule

Strings

l, xrefs: 01099889
2, xrefs: 010998E3
, xrefs: 010998B0

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID:
String ID: $2$l
API String ID: 0-3132104027
Opcode ID: 2b532c40938db45bcdedad8c1537ae72f072915b5be4b2ebdb3dd94668a952ef
Instruction ID: 37a08849b41dd0a3d2df5600bfc4bb816f75580391abc02a8cbb309d31e5c4f5
Opcode Fuzzy Hash: 2b532c40938db45bcdedad8c1537ae72f072915b5be4b2ebdb3dd94668a952ef
Instruction Fuzzy Hash: 6941F431905269CAEFB58E6C88B83E8BBB1EB41319F1401CED1D66B191C7754AC6FF40

Function 00968662 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0096866A
__snprintf.LIBCMT ref: 009686AC
__snprintf.LIBCMT ref: 009686CE

Strings

%s%s, xrefs: 009686A3, 009686C5

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf$_memset
String ID: %s%s
API String ID: 444161222-3438391663
Opcode ID: 137d42bfac6379f83fdfc43dd1894ab0efd7a7f1d5a25467a16ed1053a4c6c0f
Instruction ID: de2999941cdf1180b3fe80e9562a8f201ef8cf160602a918791a8b1815ce5595
Opcode Fuzzy Hash: 137d42bfac6379f83fdfc43dd1894ab0efd7a7f1d5a25467a16ed1053a4c6c0f
Instruction Fuzzy Hash: 8101DE72108200EBCB01EF00C884F9BBBB9BFC9718F548A68F9448B262E735D915CB61

Function 0096B40C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0096B417
GetCurrentProcess.KERNEL32(0096B487), ref: 0096B431

Part of subcall function 0096B374: _memset.LIBCMT ref: 0096B38E
Part of subcall function 0096B374: __snprintf.LIBCMT ref: 0096B3ED

Strings

system32, xrefs: 0096B45C
syswow64, xrefs: 0096B44A

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$CurrentProcess__snprintf
String ID: system32$syswow64
API String ID: 3270679572-3098820961
Opcode ID: 18e44ccceba84e8a587ec4761d5d699feba3d1dd7694e8c797998d75ac02bfa4
Instruction ID: 9cba6effb049e912b6017ddfc7ddde8fd9805d1f80a59537535951868a6bd333
Opcode Fuzzy Hash: 18e44ccceba84e8a587ec4761d5d699feba3d1dd7694e8c797998d75ac02bfa4
Instruction Fuzzy Hash: E7F0E232649300AEE7042B50AC07F3A334CEF40714F044028F9088A3E2FFA1A5808659

Function 00965B14 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,RtlCreateUserThread,00000000,?,?,0096521C,00000000,00000000,00000000,00000000,?,0096550F,00000000,00000000,00000000), ref: 00965B2A
GetProcAddress.KERNEL32(00000000), ref: 00965B31

Strings

RtlCreateUserThread, xrefs: 00965B1B
ntdll.dll, xrefs: 00965B22

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlCreateUserThread$ntdll.dll
API String ID: 1646373207-2935400652
Opcode ID: b68ead6ca2f726f793cc8dd6b06bac17e2c8af786c939eae1becd181bed03b7e
Instruction ID: c38bdc574008825b1b40b56670bef8de4bf99b2b3aceeb0fa2cd1b1d23e0b946
Opcode Fuzzy Hash: b68ead6ca2f726f793cc8dd6b06bac17e2c8af786c939eae1becd181bed03b7e
Instruction Fuzzy Hash: AFF03932919219FBCF11EFE1CD0ACEE7F69EF44B10B598954F505A2160E6748B50EB90

Function 00965714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 29libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,NtQueueApcThread,?,00965300,00000000,00000000), ref: 00965721
GetProcAddress.KERNEL32(00000000), ref: 00965728

Strings

ntdll, xrefs: 0096571C
NtQueueApcThread, xrefs: 00965717

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueueApcThread$ntdll
API String ID: 1646373207-1374908105
Opcode ID: f7157c4bcce58aadf5e8e51747fdcf7af0bfcd84034b91b5bae127c3e0d574ad
Instruction ID: b36daca702388170a936bb295056e53ce5116590ec09ec3b18e1bed4345e38a4
Opcode Fuzzy Hash: f7157c4bcce58aadf5e8e51747fdcf7af0bfcd84034b91b5bae127c3e0d574ad
Instruction Fuzzy Hash: BCE0D83228C705BBDF201BB0AC0AB5A37599F40B24F108124F119D41E0FB21D5106704

Function 009685D3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 009685DB
__snprintf.LIBCMT ref: 0096860B

Strings

%s&%s, xrefs: 0096861E
?%s, xrefs: 00968602

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf_memset
String ID: %s&%s$?%s
API String ID: 2657849664-1750478248
Opcode ID: 316b04d92b7decd40d5c91ce93e6b1f6ce194a7d10f5160e3d7199d8c561494a
Instruction ID: 4d4a6db50488a46b56ceb64d52b49dae7c7a39bb928770259d74bca2318f27cd
Opcode Fuzzy Hash: 316b04d92b7decd40d5c91ce93e6b1f6ce194a7d10f5160e3d7199d8c561494a
Instruction Fuzzy Hash: 87F0E5B2148204BFD710EB54CC82F6BB3BCEFC5704F909A9AF94586152EA30EA00C732

Function 0096394C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 22libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,00966EA7), ref: 0096395E
GetProcAddress.KERNEL32(00000000), ref: 00963965

Strings

IsWow64Process, xrefs: 00963954
kernel32, xrefs: 00963959

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: a72365a011c10058b98aefb516bdbcb7d346fea64c72febaaaa358281bf9769c
Instruction ID: 6f66666f978ae1f5471bc0670c859c993e817fc7a69ebcf32958d918c5a27e72
Opcode Fuzzy Hash: a72365a011c10058b98aefb516bdbcb7d346fea64c72febaaaa358281bf9769c
Instruction Fuzzy Hash: 53E0E670654206F7DF00DFE5DD1EAAD77BC9B8074DF245054B401E1290DBB4DB00AB50

Function 00964A37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,Wow64DisableWow64FsRedirection,?,00963154,?), ref: 00964A44
GetProcAddress.KERNEL32(00000000), ref: 00964A4B

Strings

kernel32, xrefs: 00964A3F
Wow64DisableWow64FsRedirection, xrefs: 00964A3A

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 1646373207-736604160
Opcode ID: 36c1b47fba4946f9d5b18cedf0b57270b345695d419f2641c79d78d03fc11a4f
Instruction ID: e5a30591da2873eb568f4c866359d541b5d54ddab65ff6453262d0a8be9d4cb3
Opcode Fuzzy Hash: 36c1b47fba4946f9d5b18cedf0b57270b345695d419f2641c79d78d03fc11a4f
Instruction Fuzzy Hash: 9AC08C3029C3097B8F003FF2EC0D82A3B9CEBC4B467142020B509E23A0DE71C400A764

Function 00964A5C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32,Wow64RevertWow64FsRedirection,?,00963173,?,00000000,00000002), ref: 00964A69
GetProcAddress.KERNEL32(00000000), ref: 00964A70

Strings

Wow64RevertWow64FsRedirection, xrefs: 00964A5F
kernel32, xrefs: 00964A64

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 1646373207-3900151262
Opcode ID: 8b8409f8e88457470268d233452ee5f8861ddb13df33fdf00106b6a3ff06bd31
Instruction ID: fe8aa0ea44f58849a9cb9a743c2bca88b489bc979ad829d63ee581cdc58868b0
Opcode Fuzzy Hash: 8b8409f8e88457470268d233452ee5f8861ddb13df33fdf00106b6a3ff06bd31
Instruction Fuzzy Hash: F5C0123029C2097B8F003BF2AC0D82A3A1CAAD0B467141020F408E13A0DA618910A764

Function 009689BB Relevance: 6.4, APIs: 4, Instructions: 380threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0096C8F3
OpenThreadToken.ADVAPI32(00000000), ref: 0096C8FA

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Thread$CurrentOpenToken
String ID:
API String ID: 4162712786-0
Opcode ID: b3a272f1ec251dc1531fa1a1b5662e48ed21178f87ef068c56a53a5ebcd0a5c9
Instruction ID: 73adf091067cfb4f8de7d50ca2b5132de0f3dccf00e9f9e45f1896e2851b1d44
Opcode Fuzzy Hash: b3a272f1ec251dc1531fa1a1b5662e48ed21178f87ef068c56a53a5ebcd0a5c9
Instruction Fuzzy Hash: C6911DA636D611F5D13C37B66C56FBB494CDF817A5F204F2BB247A40828C6EC540A2BB

Function 01081DB3 Relevance: 6.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01081DF4
__snprintf.LIBCMT ref: 01081E1B

Part of subcall function 01087729: _memset.LIBCMT ref: 0108774A

__snprintf.LIBCMT ref: 01081E62
__snprintf.LIBCMT ref: 01081E79

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf$_memset
String ID:
API String ID: 444161222-0
Opcode ID: 488a0c6b5b57531908c682104d139c967d6658d41fcf70ce9851d33302e9c55b
Instruction ID: 88beaf5d5a7c093b8381fb9c2f9afb4e1d3bc4a62b59b27ac58187cc4e330011
Opcode Fuzzy Hash: 488a0c6b5b57531908c682104d139c967d6658d41fcf70ce9851d33302e9c55b
Instruction Fuzzy Hash: E8519A7290411ABFEF11BFA8DC84DEE7BBDEF15350F104069F694A7191DB319A068B60

Function 009642B4 Relevance: 6.1, APIs: 4, Instructions: 143COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F8A
Part of subcall function 00966F84: _malloc.LIBCMT ref: 00966F9A

Part of subcall function 00977A18: __fsopen.LIBCMT ref: 00977A25

_fseek.LIBCMT ref: 0096432A

Part of subcall function 00978052: __lock_file.LIBCMT ref: 00978061
Part of subcall function 00978052: __ftelli64_nolock.LIBCMT ref: 0097806E

_fseek.LIBCMT ref: 00964343

Part of subcall function 009783E3: __lock_file.LIBCMT ref: 0097842E
Part of subcall function 009783E3: __fseek_nolock.LIBCMT ref: 0097843E

GetFullPathNameA.KERNEL32(0098F70C,00000800,?,00000000,?,?,?,?,?,?,?,?,?,?,?,0096156B), ref: 00964370
_malloc.LIBCMT ref: 0096438A

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _malloc$__lock_file_fseek$FullNamePath__fseek_nolock__fsopen__ftelli64_nolock
String ID:
API String ID: 73014519-0
Opcode ID: 8b38d2bd82913d1d287940607ee8aef03cd685f6acd640004cc5a2dd6d207e65
Instruction ID: 93ead04d91841995254dc711c8adfa6690b51e1555148e30ef5592d7404dfa7d
Opcode Fuzzy Hash: 8b38d2bd82913d1d287940607ee8aef03cd685f6acd640004cc5a2dd6d207e65
Instruction Fuzzy Hash: C641A772C04208ABCF11BBE4DC87F9FBBFCAF88710F144526F514B62A2EA7595549B60

Function 00977A2F Relevance: 6.1, APIs: 4, Instructions: 137COMMONLIBRARYCODE

Download Yara Rule

APIs

__flush.LIBCMT ref: 00977AF3
__fileno.LIBCMT ref: 00977B13
__locking.LIBCMT ref: 00977B1A
__flsbuf.LIBCMT ref: 00977B45

Part of subcall function 00978D72: __getptd_noexit.LIBCMT ref: 00978D72

Part of subcall function 0097AE3A: __decode_pointer.LIBCMT ref: 0097AE45

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
String ID:
API String ID: 3240763771-0
Opcode ID: d5a94692dbf7c0478365355007d43b7eda750aa83342b03f2bff25de31914d1d
Instruction ID: a401973463f83ad2441c7cbd5df5c9cc721dad588cc4424ae2b4dfb632fbf524
Opcode Fuzzy Hash: d5a94692dbf7c0478365355007d43b7eda750aa83342b03f2bff25de31914d1d
Instruction Fuzzy Hash: FE417233A08605EBDB289FE9884569EF7BAEFC0720F24C529E41D97240E771DE518B50

Function 009661EA Relevance: 6.1, APIs: 4, Instructions: 106sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00966204
_memset.LIBCMT ref: 0096621C

Part of subcall function 0096705B: htons.WS2_32(?), ref: 00967073

Part of subcall function 00966147: GetLastError.KERNEL32(00000000,00000000,?,009662A5,?), ref: 00966161

Sleep.KERNEL32(000001F4), ref: 009662AF
GetLastError.KERNEL32 ref: 009662BB

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast_memset$Sleephtons
String ID:
API String ID: 2264653377-0
Opcode ID: 84c0ce47409182f44b359b881e797a11d66adcfb68f5642beda097e059a90651
Instruction ID: 9040260394458c4dec4bd56ea29b626af9bf057061d57728be1e2fef0f3d9c42
Opcode Fuzzy Hash: 84c0ce47409182f44b359b881e797a11d66adcfb68f5642beda097e059a90651
Instruction Fuzzy Hash: 9E31937390821DAEDF11ABE4DC42FEE77BCEF85314F140066F619E6091FA35AA488760

Function 009658F1 Relevance: 6.1, APIs: 4, Instructions: 105injectionCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000000,?,0096550F,00000000,00000000,00000000), ref: 00965931
WriteProcessMemory.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,0096550F,00000000,00000000,00000000), ref: 00965966
GetLastError.KERNEL32(00000000,?,00000000,?,0096550F,00000000,00000000,00000000), ref: 009659B5
GetLastError.KERNEL32(?,0096550F,00000000,00000000,00000000), ref: 009659C8

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$MemoryProcessWrite
String ID:
API String ID: 3937020117-0
Opcode ID: 2070e15072076c763d798abe267341f48040d214b8587d82a143ffb595f55642
Instruction ID: bb7506c29bf06936c1817918c28b9a16251b84bc47500d5257bb77144a774662
Opcode Fuzzy Hash: 2070e15072076c763d798abe267341f48040d214b8587d82a143ffb595f55642
Instruction Fuzzy Hash: 31310B72A04615FBDF217FA59C46BAE7768EF80760FA14016FA04EB2C1DF318D409B51

Function 009820D8 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0098210C
__isleadbyte_l.LIBCMT ref: 00982140
MultiByteToWideChar.KERNEL32(488D10C4,00000009,00000000,53DC458D,0098F5C0,00000000,?,?,?,0096ABC4,00000000,0098F5C0,00000000), ref: 00982171
MultiByteToWideChar.KERNEL32(488D10C4,00000009,00000000,00000001,0098F5C0,00000000,?,?,?,0096ABC4,00000000,0098F5C0,00000000), ref: 009821DF

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 23e396e433474369bfc5ae919fbe4b93ba0cdc2cea73e79a91c643ab7394bb42
Instruction ID: 2fb27788fb796bbf4b13af348a7414bcb47452f67dcea36bc45c336a6dd6cdcc
Opcode Fuzzy Hash: 23e396e433474369bfc5ae919fbe4b93ba0cdc2cea73e79a91c643ab7394bb42
Instruction Fuzzy Hash: 62318031A0C246EFDB21EF64CC89AAE7BA9BF01310F258569E6669B291D730DD40DB50

Function 00965B65 Relevance: 6.1, APIs: 4, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00965B7E
GetVersionExA.KERNEL32(?,?,?,00000000), ref: 00965B97
SetLastError.KERNEL32(00000005,?,?,00000000), ref: 00965BBC

Part of subcall function 0096BD3C: GetCurrentProcess.KERNEL32(00000180,?,?,?,?,00961D93,00000000,00000180,?,00000000,00000080,00964B37,009959A8,00000000), ref: 0096BD85

Part of subcall function 0096BD3C: VirtualAlloc.KERNELBASE(00000000,00961D93,00003000,00000000,00000180,?,?,?,?,00961D93,00000000,00000180,?,00000000,00000080,00964B37), ref: 0096BDE6

SetLastError.KERNEL32(00000006,?,?,00000000), ref: 00965C39

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: ErrorLast$AllocCurrentProcessVersionVirtual_memset
String ID:
API String ID: 3952774693-0
Opcode ID: f18e8d0b697ba737a721e40bf8e5c39030f6e9de4eea6599bd3f98e9abb3c844
Instruction ID: dff2256563326e6c994a115a231cf74765660d5401d6b8558c40ac37af34720f
Opcode Fuzzy Hash: f18e8d0b697ba737a721e40bf8e5c39030f6e9de4eea6599bd3f98e9abb3c844
Instruction Fuzzy Hash: 07212872A00B28AFDB309F749C42B9B77E8EB44710F260465F64EEB281D7789E418794

Function 00964FA6 Relevance: 6.1, APIs: 4, Instructions: 92sleeppipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00964FC1
CreatePipe.KERNEL32(?,00000000,?,00100000,?,00000000), ref: 00964FF8
GetStartupInfoA.KERNEL32(?), ref: 00965002
Sleep.KERNEL32(00000064,?,?,?,?,?,00000000), ref: 0096503E

Part of subcall function 0096619F: GetTickCount.KERNEL32 ref: 009661B1
Part of subcall function 0096619F: GetTickCount.KERNEL32 ref: 009661DF

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountTick$CreateInfoPipeSleepStartup_memset
String ID:
API String ID: 2883758626-0
Opcode ID: 9ba242efad53af7c7185f2e9ffb1c288ce58c13ca70210215af3aa89c08b9ed0
Instruction ID: 196a94928b94bfec18a38c8f28f8aa003885235e982f25788e88e9a4aba3648d
Opcode Fuzzy Hash: 9ba242efad53af7c7185f2e9ffb1c288ce58c13ca70210215af3aa89c08b9ed0
Instruction Fuzzy Hash: C531DA7280020DAFDF11EFA4DC4ABDEBBB9EF48314F140116FA05A6161EB729654DB91

Function 00962FE4 Relevance: 6.1, APIs: 4, Instructions: 72synchronizationpipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00962FF7
CreatePipe.KERNEL32(00000000,00000002,?,00100000,?,00000000,00002000), ref: 0096302D
GetStartupInfoA.KERNEL32(?), ref: 00963037
WaitForSingleObject.KERNEL32(?,00002710,?,?,?,?,?,?,?,00000000,00002000), ref: 0096307B

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CreateInfoObjectPipeSingleStartupWait_memset
String ID:
API String ID: 468459245-0
Opcode ID: 77bd1b09a077f349d692678c9aac8d1c31d6aded205bd79a9b916619a96c5eff
Instruction ID: 47b7e54177d2534a35ff9025346f0509d507448c20834ce85f0f4a87b35d789a
Opcode Fuzzy Hash: 77bd1b09a077f349d692678c9aac8d1c31d6aded205bd79a9b916619a96c5eff
Instruction Fuzzy Hash: 5F210772900518BADB11DFE8CD49ADEBBBCFF48300F100056FA04E6251D7729A058BA1

Function 0096113A Relevance: 6.1, APIs: 4, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0096114F

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

Part of subcall function 009649F4: ExpandEnvironmentStringsA.KERNEL32(0096B42D,00000000,00000000,00968F3F,00000100,?,0096B405,?,0096B42D,00000100,?,?,?,?,?,00968F3F), ref: 00964A06

_memset.LIBCMT ref: 009611A4
_memset.LIBCMT ref: 009611B3
_memset.LIBCMT ref: 009611CA

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$AllocateEnvironmentExpandHeapStrings_malloc
String ID:
API String ID: 2041733451-0
Opcode ID: d04a9c296981b24685af9fe9b4bf51b10b970d2b043669cf674784b3e8bb30a0
Instruction ID: 878f9e426f1b30c97db0658484734182a20740d75da4a963c0137e6ae85f367c
Opcode Fuzzy Hash: d04a9c296981b24685af9fe9b4bf51b10b970d2b043669cf674784b3e8bb30a0
Instruction Fuzzy Hash: BB112B726081457AD7115B748CC1FBABB7EDF57364F194994FA5893143E222AD04C7A0

Function 01080582 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 01080597

Part of subcall function 01096449: __FF_MSGBANNER.LIBCMT ref: 0109646C
Part of subcall function 01096449: __NMSG_WRITE.LIBCMT ref: 01096473

_memset.LIBCMT ref: 010805EC
_memset.LIBCMT ref: 010805FB
_memset.LIBCMT ref: 01080612

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset$_malloc
String ID:
API String ID: 3506388080-0
Opcode ID: 41aee874816658a3c121aa378c42034847776bb726cf30f16a1b2ffde5c25493
Instruction ID: a0262bff6d4db7926a47af9092daf5456633868921f67e949e7ebfbda7701e7a
Opcode Fuzzy Hash: 41aee874816658a3c121aa378c42034847776bb726cf30f16a1b2ffde5c25493
Instruction Fuzzy Hash: D3110B71508246BADB117B79CC91AF77BADDF53164F1000A6F9C497142E6229D08C2B0

Function 0096B5E4 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0096B606
_strncpy.LIBCMT ref: 0096B626
_strtok.LIBCMT ref: 0096B63E
_strtok.LIBCMT ref: 0096B65E

Part of subcall function 009787B5: __getptd.LIBCMT ref: 009787D3

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _strtok$__getptd_malloc_strncpy
String ID:
API String ID: 4272429445-0
Opcode ID: ca57fd26f4d256e8271b79cbb2aaf059c296d87e83a431127869613520e59172
Instruction ID: a82c8e3904f56ba0c29061dbbb8471d55ad4e2daba842ca5fbf6329a6690ef0d
Opcode Fuzzy Hash: ca57fd26f4d256e8271b79cbb2aaf059c296d87e83a431127869613520e59172
Instruction Fuzzy Hash: 6011D6B2028205AFDB189F7CFD957B63B69F751334F10421AE44AC76A1FB329841DB80

Function 0108AA2C Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0108AA4E
_strncpy.LIBCMT ref: 0108AA6E
_strtok.LIBCMT ref: 0108AA86
_strtok.LIBCMT ref: 0108AAA6

Part of subcall function 01097BFD: __getptd.LIBCMT ref: 01097C1B

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _strtok$__getptd_malloc_strncpy
String ID:
API String ID: 4272429445-0
Opcode ID: 7cf94bc152efbd3d71f3f56310b9ede4b0769e53a734d187919b6b8b7aefc940
Instruction ID: 529c246d633627cd29623633014867b1d3dbfd8f5f3147a2970b88333c0aacd9
Opcode Fuzzy Hash: 7cf94bc152efbd3d71f3f56310b9ede4b0769e53a734d187919b6b8b7aefc940
Instruction Fuzzy Hash: 0211EB71208256EFEB06BF24EDE9AB57F95EB11360F00421AE5D6CFDA3DB3294018B40

Function 0096B2D7 Relevance: 6.1, APIs: 4, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0096B339
_memset.LIBCMT ref: 0096B34D
_memset.LIBCMT ref: 0096B35E
_memset.LIBCMT ref: 0096B367

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 834b056de8ca587104025a3cbecdf85a0285ba7fc05e683cd7e84b2a21ad8485
Instruction ID: 73e73b4894c120c3fcfa934f151234c853b400911218c67e887c6c2d71b82f78
Opcode Fuzzy Hash: 834b056de8ca587104025a3cbecdf85a0285ba7fc05e683cd7e84b2a21ad8485
Instruction Fuzzy Hash: E201C872206108BBDF206F654C81EBF3A6CEF893A4F418425F50896142F7359880D7B1

Function 0108A71F Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0108A781
_memset.LIBCMT ref: 0108A795
_memset.LIBCMT ref: 0108A7A6
_memset.LIBCMT ref: 0108A7AF

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID:
API String ID: 2102423945-0
Opcode ID: 114e4abad4c11624546c29d2ca88addcdf7fe84ee9773abc521b0309d3cb51dd
Instruction ID: 93d920901386a42ca15360755d2741c7223b606f8d086bde9d9a0cadcdeb52fe
Opcode Fuzzy Hash: 114e4abad4c11624546c29d2ca88addcdf7fe84ee9773abc521b0309d3cb51dd
Instruction Fuzzy Hash: 8E01C4B1205215FBEB117F658CC0DEF3AADEB656A0B014022F5C99B541D6398840E6B1

Function 0109B286 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

__crt_waiting_on_module_handle.LIBCMT ref: 0109B2A3
__lock.LIBCMT ref: 0109B2FE
__lock.LIBCMT ref: 0109B31F
___addlocaleref.LIBCMT ref: 0109B33D

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: __lock$___addlocaleref__crt_waiting_on_module_handle
String ID:
API String ID: 1628550938-0
Opcode ID: 0c4c65b69fa96458f3b4f3a86092bb4a97a4495a3fdd785d27837cba3328870a
Instruction ID: 0964c6b68e96c00b813e7ce678759ed3ec4bca36ba5d0afa6724f713b9f997ba
Opcode Fuzzy Hash: 0c4c65b69fa96458f3b4f3a86092bb4a97a4495a3fdd785d27837cba3328870a
Instruction Fuzzy Hash: EE118C71804706EEEB21EF29A850B8ABBE0EF04320F50855EE5A9972A0CB749A41DB55

Function 0096D734 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

_clock.LIBCMT ref: 0096D750
_clock.LIBCMT ref: 0096D75E
_clock.LIBCMT ref: 0096D768
_clock.LIBCMT ref: 0096D776

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _clock
String ID:
API String ID: 876827150-0
Opcode ID: 7b603e9661d6cdae74affffe1825a31006b956bdeef00b0561502bfb61481e34
Instruction ID: 846137dcb74cb81df1f74ea52940001412f2c86a4bd037aeed52e388af4370ae
Opcode Fuzzy Hash: 7b603e9661d6cdae74affffe1825a31006b956bdeef00b0561502bfb61481e34
Instruction Fuzzy Hash: 150152B1E05619EFCF11EFE8D4C15AEFBB4EF40354F2044BAE425A6201D6309E44DBA2

Function 0108CB7C Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

_clock.LIBCMT ref: 0108CB98
_clock.LIBCMT ref: 0108CBA6
_clock.LIBCMT ref: 0108CBB0
_clock.LIBCMT ref: 0108CBBE

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _clock
String ID:
API String ID: 876827150-0
Opcode ID: 7b603e9661d6cdae74affffe1825a31006b956bdeef00b0561502bfb61481e34
Instruction ID: e6608a4a5b2b855786099277e0519531ec9a3532a2071f572c412a8dfa737850
Opcode Fuzzy Hash: 7b603e9661d6cdae74affffe1825a31006b956bdeef00b0561502bfb61481e34
Instruction Fuzzy Hash: 9B018C70D08A19EFDF51EFE886806EDBBF8EF50290F5484AAD5C1A7201E6704A45DBA1

Function 0096B549 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

_strtok.LIBCMT ref: 0096B55E

Part of subcall function 009787B5: __getptd.LIBCMT ref: 009787D3

Part of subcall function 00976F24: __lock.LIBCMT ref: 00976F42
Part of subcall function 00976F24: ___sbh_find_block.LIBCMT ref: 00976F4D
Part of subcall function 00976F24: ___sbh_free_block.LIBCMT ref: 00976F5C
Part of subcall function 00976F24: HeapFree.KERNEL32(00000000,00000000,00991598,0000000C,0097BF8F,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C), ref: 00976F8C
Part of subcall function 00976F24: GetLastError.KERNEL32(?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6,00000000,00000000,?,0097C049,0000000D), ref: 00976F9D

_malloc.LIBCMT ref: 0096B587
_strncpy.LIBCMT ref: 0096B5A7
_strtok.LIBCMT ref: 0096B5B3

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _strtok$ErrorFreeHeapLast___sbh_find_block___sbh_free_block__getptd__lock_malloc_strncpy
String ID:
API String ID: 1160209254-0
Opcode ID: 7be906e4e07ef22288bf323faab8dd6602a5cc1450aba5406f5216efa7ac9030
Instruction ID: ff7c71cb24a90bd862c301b92017989eae7a346fd8e9633ba42145b846f4be97
Opcode Fuzzy Hash: 7be906e4e07ef22288bf323faab8dd6602a5cc1450aba5406f5216efa7ac9030
Instruction Fuzzy Hash: E101F933118101A9CB196F6CEC5AFF63F6EDB92355B14402AF94EC7162FB329949C690

Function 0108A991 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

_strtok.LIBCMT ref: 0108A9A6

Part of subcall function 01097BFD: __getptd.LIBCMT ref: 01097C1B

Part of subcall function 0109636C: __lock.LIBCMT ref: 0109638A
Part of subcall function 0109636C: ___sbh_find_block.LIBCMT ref: 01096395
Part of subcall function 0109636C: ___sbh_free_block.LIBCMT ref: 010963A4

_malloc.LIBCMT ref: 0108A9CF
_strncpy.LIBCMT ref: 0108A9EF
_strtok.LIBCMT ref: 0108A9FB

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _strtok$___sbh_find_block___sbh_free_block__getptd__lock_malloc_strncpy
String ID:
API String ID: 4231573641-0
Opcode ID: 62604de10dbbf941476aa68a1f19cf44e924482cf142621a737c4c71ea1ce4ea
Instruction ID: 3e6870e091a15bce999e3965ae59d7f5b2241e13dbee790aa5df35e0b36b73d3
Opcode Fuzzy Hash: 62604de10dbbf941476aa68a1f19cf44e924482cf142621a737c4c71ea1ce4ea
Instruction Fuzzy Hash: 66012B36108542ADDF066F28DC6AFF67FA9EB11364B000159F5C9CB563CB339405D550

Function 0096C690 Relevance: 6.0, APIs: 4, Instructions: 45sleepsynchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00000000,00000000,00000080,0096167C), ref: 0096C6C8
ExitThread.KERNEL32 ref: 0096C6D2
WaitForSingleObject.KERNEL32(00000000,00000000,00000080,0096167C), ref: 0096C6F3
ExitProcess.KERNEL32 ref: 0096C6FF

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Exit$ObjectProcessSingleSleepThreadWait
String ID:
API String ID: 2040395460-0
Opcode ID: da461db129fab7a1280e3e393e11caf03da8cc54ae666bdcfe23a7c3c15a9cd0
Instruction ID: 84ef11f4ec78efa49f1c4572cd9d1d6bfb4afe8f165168c8cbf1ffc1ec8971cf
Opcode Fuzzy Hash: da461db129fab7a1280e3e393e11caf03da8cc54ae666bdcfe23a7c3c15a9cd0
Instruction Fuzzy Hash: E5F0BBF264C352B6EE303BA5AC8EF7A2609D785B67F140115F255292D19E620C00A569

Function 009617AF Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_vwprintf.LIBCMT ref: 009617BA

Part of subcall function 009773CD: __vscwprintf_helper.LIBCMT ref: 009773DF

_malloc.LIBCMT ref: 009617CD

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

_vswprintf_s.LIBCMT ref: 009617E1

Part of subcall function 00977359: __vsprintf_s_l.LIBCMT ref: 0097736C

_memset.LIBCMT ref: 009617F4

Part of subcall function 00976F24: __lock.LIBCMT ref: 00976F42
Part of subcall function 00976F24: ___sbh_find_block.LIBCMT ref: 00976F4D
Part of subcall function 00976F24: ___sbh_free_block.LIBCMT ref: 00976F5C
Part of subcall function 00976F24: HeapFree.KERNEL32(00000000,00000000,00991598,0000000C,0097BF8F,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C), ref: 00976F8C
Part of subcall function 00976F24: GetLastError.KERNEL32(?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6,00000000,00000000,?,0097C049,0000000D), ref: 00976F9D

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast___sbh_find_block___sbh_free_block__lock__vscwprintf_helper__vsprintf_s_l_malloc_memset_vswprintf_s_vwprintf
String ID:
API String ID: 3037472818-0
Opcode ID: c07deb22136079b0894bf741ec6ffa137936bf91a12575e3d4cfbb5c6b995ab5
Instruction ID: cdc63debb70176f3e77e19dfb1651c2e4d5dcd594801dc04dcde70dde106451b
Opcode Fuzzy Hash: c07deb22136079b0894bf741ec6ffa137936bf91a12575e3d4cfbb5c6b995ab5
Instruction Fuzzy Hash: CEF0B4770041197AD7116A94EC82FFF7B5CDFC57A4F144415FD1895041E622A91092B4

Function 01080BF6 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_vwprintf.LIBCMT ref: 01080C02

Part of subcall function 01096815: __vscwprintf_helper.LIBCMT ref: 01096827

_malloc.LIBCMT ref: 01080C15

Part of subcall function 01096449: __FF_MSGBANNER.LIBCMT ref: 0109646C
Part of subcall function 01096449: __NMSG_WRITE.LIBCMT ref: 01096473

_vswprintf_s.LIBCMT ref: 01080C29

Part of subcall function 010967A1: __vsprintf_s_l.LIBCMT ref: 010967B4

_memset.LIBCMT ref: 01080C3C

Part of subcall function 0109636C: __lock.LIBCMT ref: 0109638A
Part of subcall function 0109636C: ___sbh_find_block.LIBCMT ref: 01096395
Part of subcall function 0109636C: ___sbh_free_block.LIBCMT ref: 010963A4

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: ___sbh_find_block___sbh_free_block__lock__vscwprintf_helper__vsprintf_s_l_malloc_memset_vswprintf_s_vwprintf
String ID:
API String ID: 104857598-0
Opcode ID: 38fabf2f3e46de8e4b01c6dd87b6e8f155eb3598ca77ff48d252fa4aafb1d1f2
Instruction ID: 2d1f43a54b3cc5ebaaef1997c7d536d64c6d09214a47e604baa181a4f0bab0ef
Opcode Fuzzy Hash: 38fabf2f3e46de8e4b01c6dd87b6e8f155eb3598ca77ff48d252fa4aafb1d1f2
Instruction Fuzzy Hash: 9DF0B47740411ABEEF217EA4ECC0EFF3BACEFA1560F104119F98895040DA329915A7B1

Function 01080BF7 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_vwprintf.LIBCMT ref: 01080C02

Part of subcall function 01096815: __vscwprintf_helper.LIBCMT ref: 01096827

_malloc.LIBCMT ref: 01080C15

Part of subcall function 01096449: __FF_MSGBANNER.LIBCMT ref: 0109646C
Part of subcall function 01096449: __NMSG_WRITE.LIBCMT ref: 01096473

_vswprintf_s.LIBCMT ref: 01080C29

Part of subcall function 010967A1: __vsprintf_s_l.LIBCMT ref: 010967B4

_memset.LIBCMT ref: 01080C3C

Part of subcall function 0109636C: __lock.LIBCMT ref: 0109638A
Part of subcall function 0109636C: ___sbh_find_block.LIBCMT ref: 01096395
Part of subcall function 0109636C: ___sbh_free_block.LIBCMT ref: 010963A4

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: ___sbh_find_block___sbh_free_block__lock__vscwprintf_helper__vsprintf_s_l_malloc_memset_vswprintf_s_vwprintf
String ID:
API String ID: 104857598-0
Opcode ID: bc3ec67ef03fce20e37587a3174a72625d85f4ff414d6c9b45db4c2e64d876a5
Instruction ID: a14dacdf2e2a3d04887f659ef59491928d8c500f7b1ad05c2b7ac9de7ff88992
Opcode Fuzzy Hash: bc3ec67ef03fce20e37587a3174a72625d85f4ff414d6c9b45db4c2e64d876a5
Instruction Fuzzy Hash: 70F0E97700421E7AEF117E95ECC0EFF3B9CEF52560F104119F98895040DA339915A3B1

Function 0096D577 Relevance: 6.0, APIs: 4, Instructions: 40networkCOMMON

Download Yara Rule

APIs

accept.WS2_32(?,00000000,00000000), ref: 0096D585
send.WS2_32(00000000,?,?,00000000), ref: 0096D5B2
send.WS2_32(00000000,?,?,00000000), ref: 0096D5C0
closesocket.WS2_32(00000000), ref: 0096D5CB

Part of subcall function 0096D507: closesocket.WS2_32(?), ref: 0096D509

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: closesocketsend$accept
String ID:
API String ID: 2168303407-0
Opcode ID: b3e3f17ae9f63458df19be4f57e633e1891455326733d366e931a6455b954a6f
Instruction ID: 2eee0c1a9a4348c7659adf4df60d077c30dc234854f4244665e2020d4f855974
Opcode Fuzzy Hash: b3e3f17ae9f63458df19be4f57e633e1891455326733d366e931a6455b954a6f
Instruction Fuzzy Hash: 49F0B476A01B00BBDA303BB4ECC2F5BB76CEF48724F244A06F26755996C671A4005761

Function 00967EBE Relevance: 6.0, APIs: 4, Instructions: 39memorythreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32(00000000,00967F62,00000000,00000000,00968F3F,?,00968F3F,?,?,00967F62,00000000,?), ref: 00967ED9
GetProcessHeap.KERNEL32(00000000,00000000,?,?,00967F62,00000000,?), ref: 00967EDF
HeapAlloc.KERNEL32(00000000,?,?,00967F62,00000000,?), ref: 00967EE6
InitializeProcThreadAttributeList.KERNEL32(00000000,00967F62,00000000,00000000,?,?,00967F62,00000000,?), ref: 00967EFB

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AttributeHeapInitializeListProcThread$AllocProcess
String ID:
API String ID: 1212816094-0
Opcode ID: de44797b453d0f36a0c5ed352127b456ef2b6faf8bd8e3575bb3b7dc4a1363a6
Instruction ID: 82374ebcb68fac3e77f1e45abc9fd5b83eb3b7b1722501046f330af91c4824a3
Opcode Fuzzy Hash: de44797b453d0f36a0c5ed352127b456ef2b6faf8bd8e3575bb3b7dc4a1363a6
Instruction Fuzzy Hash: FAF05E76604108BB8B129FE5DD88CAFBEBCDB896947140065FA01D3200D6719A00EB70

Function 0096619F Relevance: 6.0, APIs: 4, Instructions: 35sleeppipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 009661B1
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,?,009662DD,?), ref: 009661C5
Sleep.KERNEL32(000001F4,?,00000000,00000000,?,?,009662DD,?), ref: 009661D9
GetTickCount.KERNEL32 ref: 009661DF

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: bcf26cbade13c52b498ddf78587f7513ef75c9a93e37bf7c22bc2bb91485c00c
Instruction ID: d81f819896d450e55de8f8f0ba93f26200d3097fd610268fc9a736d602e2fe59
Opcode Fuzzy Hash: bcf26cbade13c52b498ddf78587f7513ef75c9a93e37bf7c22bc2bb91485c00c
Instruction Fuzzy Hash: B6F030B161811DBFEB005F94DC888AFB7ADEB857A87150476F502E6111E6B1EE409B60

Function 0097FA1A Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0097FA26

Part of subcall function 0097BF9E: __getptd_noexit.LIBCMT ref: 0097BFA1
Part of subcall function 0097BF9E: __amsg_exit.LIBCMT ref: 0097BFAE

__getptd.LIBCMT ref: 0097FA3D
__amsg_exit.LIBCMT ref: 0097FA4B
__lock.LIBCMT ref: 0097FA5B

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: a6842339695342f15f75a34c4a71ba6c6a2135acb890c508a6745773a5ba292d
Instruction ID: 7c38d6295c4fb5d28e72b37c9a735f1ce850ad9195a551d808e2b596fbea214f
Opcode Fuzzy Hash: a6842339695342f15f75a34c4a71ba6c6a2135acb890c508a6745773a5ba292d
Instruction Fuzzy Hash: CFF090339447009EDB24FBB8981775973A0AF80B20F14C56AE44CBB2D1DB3499019B51

Function 0109EE62 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0109EE6E

Part of subcall function 0109B3E6: __getptd_noexit.LIBCMT ref: 0109B3E9
Part of subcall function 0109B3E6: __amsg_exit.LIBCMT ref: 0109B3F6

__getptd.LIBCMT ref: 0109EE85
__amsg_exit.LIBCMT ref: 0109EE93
__lock.LIBCMT ref: 0109EEA3

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 0e63234c195ec53b9e9f1b227147411f1af18321cc1fcdb129126502f8c210b1
Instruction ID: 5217fe3346fa825045af291f4555028834c1e26cf80fad268ca6d192405a1304
Opcode Fuzzy Hash: 0e63234c195ec53b9e9f1b227147411f1af18321cc1fcdb129126502f8c210b1
Instruction Fuzzy Hash: D8F06D719006068BEF21EB74C565BCD73E0AF10320F10C15AE5D06B391CB209D40EA91

Function 0096B9CC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0096BA5F

Strings

ntdl, xrefs: 0096BA18
l.dl, xrefs: 0096BA29

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: l.dl$ntdl
API String ID: 2102423945-1236859653
Opcode ID: 1fa81a2a2cbbb61675b1149e2676844100b29c6b66f61cbe1bcb22762e416b2a
Instruction ID: e58a662ad327f793fbe971cb673a41361a05ee0b3be6cb5ebe3be6b34c942170
Opcode Fuzzy Hash: 1fa81a2a2cbbb61675b1149e2676844100b29c6b66f61cbe1bcb22762e416b2a
Instruction Fuzzy Hash: C6512875A00619DFCB24CF98C481AADB7F5FF48314F6584A9D948EB365E730AE81CB90

Function 0108AE14 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0108AEA7

Strings

ntdl, xrefs: 0108AE60
l.dl, xrefs: 0108AE71

Memory Dump Source

Source File: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, Offset: 01080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_1080000_loaddll32.jbxd

Yara matches

Similarity

API ID: _memset
String ID: l.dl$ntdl
API String ID: 2102423945-1236859653
Opcode ID: 66f4404577cec48e68b74343d72ba55979407611c7aca8b3784e31e81a7827e6
Instruction ID: dee845e0f587a369fa789513837621068023bd3cf3a191797015fbbea75a417e
Opcode Fuzzy Hash: 66f4404577cec48e68b74343d72ba55979407611c7aca8b3784e31e81a7827e6
Instruction Fuzzy Hash: AB516C75A04615DFCB60DF98C480AADBBF1FF48315F15849AE989AB752D330EE41CB90

Function 0096ABAB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

__snprintf.LIBCMT ref: 0096ABBF
__snprintf.LIBCMT ref: 0096ABF9

Strings

%c%c%c%c, xrefs: 0096ABEE

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf
String ID: %c%c%c%c
API String ID: 2633826957-103593547
Opcode ID: c6652946d95e712258dc064360c231f2c7916d938d0930cb0c126b157aef2080
Instruction ID: ec001da409cbe33464291d29b8009450c33340a457e17f650f93b34d572b587e
Opcode Fuzzy Hash: c6652946d95e712258dc064360c231f2c7916d938d0930cb0c126b157aef2080
Instruction Fuzzy Hash: 02F0F67180854E6DDB05EBE48C9AEFFBFFC8B04704F400191AA51D3142E525D3498B90

Function 00964634 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 0096463F

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

__snprintf.LIBCMT ref: 00964653

Part of subcall function 0097858A: RemoveDirectoryA.KERNEL32(009646B7,?,009646B7,00000000,?,?,?,00000000), ref: 00978592
Part of subcall function 0097858A: GetLastError.KERNEL32(?,009646B7,00000000,?,?,?,00000000), ref: 0097859C
Part of subcall function 0097858A: __dosmaperr.LIBCMT ref: 009785AB

Strings

%s\%s, xrefs: 0096464C

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: AllocateDirectoryErrorHeapLastRemove__dosmaperr__snprintf_malloc
String ID: %s\%s
API String ID: 47932920-4073750446
Opcode ID: d4378ed6b25a904f4f13356d3e17dba7a0dee8f41f96eed8c6b73876d8a5e5c4
Instruction ID: 542ebab682074b193ebc890cbf2cabf66d3dd28b784bd4aab24de1482815e557
Opcode Fuzzy Hash: d4378ed6b25a904f4f13356d3e17dba7a0dee8f41f96eed8c6b73876d8a5e5c4
Instruction Fuzzy Hash: D5E0DF23508114B6CA223B95EC06FAFBA6CCFC2B74F188026F90C14141AEB6191185FB

Function 00968515 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0096851D
__snprintf.LIBCMT ref: 00968547

Strings

%s%s: %s, xrefs: 0096853E

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf_memset
String ID: %s%s: %s
API String ID: 2657849664-533130479
Opcode ID: 80394d2d44d6888712ce81af0b1ba960f646b0fbefa418fea08725650caee246
Instruction ID: 6d13b194e50954296d56722563d93ce52d92bc308d36ea8c976a7224edc5009e
Opcode Fuzzy Hash: 80394d2d44d6888712ce81af0b1ba960f646b0fbefa418fea08725650caee246
Instruction Fuzzy Hash: 6DF0ED73108208ABCF00EE50CC81F8BB7BDEFCAB14F104565FA009B251E635E912EB62

Function 0096921E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 00969229

Part of subcall function 00977001: __FF_MSGBANNER.LIBCMT ref: 00977024
Part of subcall function 00977001: __NMSG_WRITE.LIBCMT ref: 0097702B
Part of subcall function 00977001: RtlAllocateHeap.NTDLL(00000000,-0000000F,00000001,00000000,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6), ref: 00977078

__snprintf.LIBCMT ref: 0096923D

Part of subcall function 0096925B: _malloc.LIBCMT ref: 00969268
Part of subcall function 0096925B: __snprintf.LIBCMT ref: 00969279
Part of subcall function 0096925B: FindFirstFileA.KERNEL32(00000000,009646B0,?,0096934A,009646B0,?,00964634), ref: 00969286
Part of subcall function 0096925B: _malloc.LIBCMT ref: 009692C5
Part of subcall function 0096925B: __snprintf.LIBCMT ref: 009692DA
Part of subcall function 0096925B: FindNextFileA.KERNEL32(000000FF,009646B0,?,?,?,?,?,?,?), ref: 00969307
Part of subcall function 0096925B: FindClose.KERNEL32(000000FF,?,?,?,?,?,?,?), ref: 00969314

Part of subcall function 00976F24: __lock.LIBCMT ref: 00976F42
Part of subcall function 00976F24: ___sbh_find_block.LIBCMT ref: 00976F4D
Part of subcall function 00976F24: ___sbh_free_block.LIBCMT ref: 00976F5C
Part of subcall function 00976F24: HeapFree.KERNEL32(00000000,00000000,00991598,0000000C,0097BF8F,00000000,?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C), ref: 00976F8C
Part of subcall function 00976F24: GetLastError.KERNEL32(?,00980019,00000000,00000001,00000000,?,00978F65,00000018,009916F8,0000000C,00978FF6,00000000,00000000,?,0097C049,0000000D), ref: 00976F9D

Strings

%s\%s, xrefs: 00969236

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Find__snprintf_malloc$FileHeap$AllocateCloseErrorFirstFreeLastNext___sbh_find_block___sbh_free_block__lock
String ID: %s\%s
API String ID: 1254174322-4073750446
Opcode ID: 677f6972eb88943870830cf4f6fbc36c6c539be201904ca4b2c2ac58a3eee39a
Instruction ID: 92a5cf60f92dd091f89d43becd54d274fb4622dc65a4af32dbbff46811a861bc
Opcode Fuzzy Hash: 677f6972eb88943870830cf4f6fbc36c6c539be201904ca4b2c2ac58a3eee39a
Instruction Fuzzy Hash: 83E08C33500018368B123F929C42EBFBF2DEFC6BA0B008025FE0C212119A364921A7A2

Function 009875D9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

_RTC_Failure.LIBCMT ref: 009875EC

Strings

abcdefghijklmnop, xrefs: 009875E6
abcdefghijklmnop, xrefs: 009875E5

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: Failure
String ID: abcdefghijklmnop$abcdefghijklmnop
API String ID: 3995482717-935656707
Opcode ID: 4d1227ede6a145633f070787483e74cd4d58cfad1496ae03b9bb51402f780a7b
Instruction ID: ca3e8407c2879308df97098333b260f0967c13279b2c1f57946fe6b1decfc605
Opcode Fuzzy Hash: 4d1227ede6a145633f070787483e74cd4d58cfad1496ae03b9bb51402f780a7b
Instruction Fuzzy Hash: 72D0C97720D2083DFA20B49ABD07FB7BB9CD7C1775F70417BF9088529069026C1552B9

Function 00968628 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00968630
__snprintf.LIBCMT ref: 00968655

Strings

%s%s, xrefs: 0096864C

Memory Dump Source

Source File: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Associated: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.0000000000999000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.000000000099B000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A1000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.2936432455.00000000009A3000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_960000_loaddll32.jbxd

Yara matches

Similarity

API ID: __snprintf_memset
String ID: %s%s
API String ID: 2657849664-3438391663
Opcode ID: a34729b2c9014584882a340c3c7821b0d4a8799d8db0f8fcde4283904ba14b38
Instruction ID: 56447522325a3420a00864c29128322a6f35cbf9ff9cffdb926d5494d5989166
Opcode Fuzzy Hash: a34729b2c9014584882a340c3c7821b0d4a8799d8db0f8fcde4283904ba14b38
Instruction Fuzzy Hash: 8FE01273108304BBCB10AE95CCC2F9BB7BCEFCAB18F408569F505C6151E631D9149722

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LX4CUQO8qI.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

\Device\Mailslot\slot-3457

\Device\Mailslot\slot-457

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
LX4CUQO8qI.dll

Function 0096296B Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 169
networkfileCOMMONLIBRARYCODE

Function 00966CD1 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 123
COMMONLIBRARYCODE

Function 0096D7AA Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44
encryptionCOMMONLIBRARYCODE

Function 00961B63 Relevance: 15.4, APIs: 10, Instructions: 417
COMMONLIBRARYCODE

Function 00966E28 Relevance: 12.1, APIs: 8, Instructions: 124
COMMONLIBRARYCODE

Function 0096131C Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 280
COMMONLIBRARYCODE

Function 00962506 Relevance: 9.1, APIs: 6, Instructions: 114
networkCOMMONLIBRARYCODE

Function 00967B2D Relevance: 9.1, APIs: 6, Instructions: 113
networkCOMMONLIBRARYCODE

Function 00962C13 Relevance: 4.6, APIs: 3, Instructions: 68
networkCOMMONLIBRARYCODE

Function 0096BD3C Relevance: 4.6, APIs: 3, Instructions: 68
memoryCOMMONLIBRARYCODE

Function 0096BDFB Relevance: 4.6, APIs: 3, Instructions: 63
memoryCOMMONLIBRARYCODE

Function 00966F84 Relevance: 4.5, APIs: 3, Instructions: 35
COMMONLIBRARYCODE

Function 00964AFA Relevance: 3.1, APIs: 2, Instructions: 66
COMMONLIBRARYCODE

Function 00962B66 Relevance: 3.0, APIs: 2, Instructions: 50
networkCOMMONLIBRARYCODE

Function 0391061C Relevance: 3.0, APIs: 2, Instructions: 31
synchronizationCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre