Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
oLiA3yj6Cq.dll

Overview

General Information

Sample name:oLiA3yj6Cq.dll
(renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:e43d6309199e04b80a93fb0ccc44545c42fca0627d50496f356d01cd552061ec.exe
Analysis ID:1542739
MD5:4886943161951b6be845188a19c82de5
SHA1:f8bd367eb8cc58e05f10697ae4e27c190bd7662d
SHA256:e43d6309199e04b80a93fb0ccc44545c42fca0627d50496f356d01cd552061ec
Tags:20-25-126-96exeuser-JAMESWT_MHT
Infos:

Detection

CobaltStrike
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 1912 cmdline: loaddll64.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6248 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 2120 cmdline: rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • regsvr32.exe (PID: 2784 cmdline: regsvr32.exe /s C:\Users\user\Desktop\oLiA3yj6Cq.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • WerFault.exe (PID: 2096 cmdline: C:\Windows\system32\WerFault.exe -u -p 2784 -s 412 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 3060 cmdline: rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllGetClassObject MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 5676 cmdline: rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllMain MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 4948 cmdline: rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Cobalt Strike, CobaltStrikeCobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/pixel", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmpJoeSecurity_CobaltStrike_2Yara detected CobaltStrikeJoe Security
    00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmpJoeSecurity_CobaltStrikeYara detected CobaltStrikeJoe Security
      00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmpJoeSecurity_CobaltStrike_4Yara detected CobaltStrikeJoe Security
        00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmpJoeSecurity_CobaltStrike_3Yara detected CobaltStrikeJoe Security
          00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmpWindows_Trojan_CobaltStrike_ee756db7Attempts to detect Cobalt Strike based on strings found in BEACONunknown
          • 0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
          • 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
          • 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
          • 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
          • 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes!
          • 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
          • 0x3136a:$a11: Could not open service control manager on %s: %d
          • 0x3189c:$a12: %d is an x64 process (can't inject x86 content)
          • 0x318cc:$a13: %d is an x86 process (can't inject x64 content)
          • 0x31bed:$a14: Failed to impersonate logged on user %d (%u)
          • 0x31855:$a15: could not create remote thread in %d: %d
          • 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31803:$a17: could not write to process memory: %d
          • 0x3139b:$a18: Could not create service %s on %s: %d
          • 0x31424:$a19: Could not delete service %s on %s: %d
          • 0x31289:$a20: Could not open process token: %d (%u)
          Click to see the 122 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          5.2.rundll32.exe.1e583ce0000.0.unpackJoeSecurity_CobaltStrikeYara detected CobaltStrikeJoe Security
            5.2.rundll32.exe.1e583ce0000.0.unpackJoeSecurity_CobaltStrike_4Yara detected CobaltStrikeJoe Security
              5.2.rundll32.exe.1e583ce0000.0.unpackJoeSecurity_CobaltStrike_3Yara detected CobaltStrikeJoe Security
                5.2.rundll32.exe.1e583ce0000.0.unpackWindows_Trojan_CobaltStrike_ee756db7Attempts to detect Cobalt Strike based on strings found in BEACONunknown
                • 0x303a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                • 0x3041b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                • 0x3047e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                • 0x304c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
                • 0x30502:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
                • 0x30538:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                • 0x30160:$a39: %s as %s\%s: %d
                • 0x30394:$a40: %s.1%x.%x%x.%s
                • 0x3e7e2:$a41: beacon.x64.dll
                • 0x30387:$a43: www6.%x%x.%s
                • 0x3037b:$a44: cdn.%x%x.%s
                • 0x30360:$a47: beacon.dll
                • 0x302d8:$a48: %s%s: %s
                • 0x3018c:$a50: %02d/%02d/%02d %02d:%02d:%02d
                • 0x301b8:$a50: %02d/%02d/%02d %02d:%02d:%02d
                5.2.rundll32.exe.1e583ce0000.0.unpackWindows_Trojan_CobaltStrike_663fc95dIdentifies CobaltStrike via unidentified function codeunknown
                • 0x1c13c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
                Click to see the 141 entries

                Sigma Signatures

                No Sigma rule has matched

                Suricata Signatures

                No Suricata rule has matched

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Found malware configuration
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmpMalware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/pixel", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
                Multi AV Scanner detection for submitted file
                Source: oLiA3yj6Cq.dllReversingLabs: Detection: 57%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69421184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_000001BF69421184
                Source: oLiA3yj6Cq.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69439220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,0_2_000001BF69439220
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69431C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_000001BF69431C30

                Networking

                barindex
                C2 URLs / IPs found in malware configuration
                Source: Malware configuration extractorURLs: 20.25.126.96
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69435BB8 recv,0_2_000001BF69435BB8
                Source: rundll32.exe, 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:%u/
                Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 5.2.rundll32.exe.1e583ce0000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 5.2.rundll32.exe.1e583ce0000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 5.2.rundll32.exe.1e583ce0000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 5.2.rundll32.exe.1e583ce0000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf693b0000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 0.2.loaddll64.exe.1bf693b0000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 0.2.loaddll64.exe.1bf693b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 0.2.loaddll64.exe.1bf693b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 6.2.rundll32.exe.29e27c60000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 6.2.rundll32.exe.29e27c60000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 6.2.rundll32.exe.29e27c60000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 6.2.rundll32.exe.29e27c60000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 10.2.rundll32.exe.20650830000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 10.2.rundll32.exe.20650830000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 10.2.rundll32.exe.20650830000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 10.2.rundll32.exe.20650830000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 11.2.rundll32.exe.16e0d6d0000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 11.2.rundll32.exe.16e0d6d0000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 11.2.rundll32.exe.16e0d6d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 11.2.rundll32.exe.16e0d6d0000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                Source: Process Memory Space: loaddll64.exe PID: 1912, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: Process Memory Space: loaddll64.exe PID: 1912, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: Process Memory Space: loaddll64.exe PID: 1912, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: Process Memory Space: rundll32.exe PID: 2120, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: Process Memory Space: rundll32.exe PID: 2120, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: Process Memory Space: rundll32.exe PID: 2120, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: Process Memory Space: rundll32.exe PID: 3060, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: Process Memory Space: rundll32.exe PID: 3060, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: Process Memory Space: rundll32.exe PID: 3060, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: Process Memory Space: rundll32.exe PID: 5676, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: Process Memory Space: rundll32.exe PID: 5676, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: Process Memory Space: rundll32.exe PID: 5676, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: Process Memory Space: rundll32.exe PID: 4948, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                Source: Process Memory Space: rundll32.exe PID: 4948, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                Source: Process Memory Space: rundll32.exe PID: 4948, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69431268 CreateProcessWithLogonW,GetLastError,0_2_000001BF69431268
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693C03340_2_000001BF693C0334
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693D239C0_2_000001BF693D239C
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693DC3970_2_000001BF693DC397
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693D03740_2_000001BF693D0374
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693D12640_2_000001BF693D1264
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693DAAB00_2_000001BF693DAAB0
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693CF5A80_2_000001BF693CF5A8
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693C6F380_2_000001BF693C6F38
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693DB7B00_2_000001BF693DB7B0
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693DE6000_2_000001BF693DE600
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693BCE3C0_2_000001BF693BCE3C
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693B96800_2_000001BF693B9680
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693DC6800_2_000001BF693DC680
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693D59140_2_000001BF693D5914
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693D19280_2_000001BF693D1928
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693B916C0_2_000001BF693B916C
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693DCFF00_2_000001BF693DCFF0
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69437B380_2_000001BF69437B38
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6944C3B00_2_000001BF6944C3B0
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6942DA3C0_2_000001BF6942DA3C
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6944F2000_2_000001BF6944F200
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6942A2800_2_000001BF6942A280
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6944D2800_2_000001BF6944D280
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694425280_2_000001BF69442528
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694465140_2_000001BF69446514
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69429D6C0_2_000001BF69429D6C
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6944DBF00_2_000001BF6944DBF0
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69430F340_2_000001BF69430F34
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69440F740_2_000001BF69440F74
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69442F9C0_2_000001BF69442F9C
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6944CF970_2_000001BF6944CF97
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6944B6B00_2_000001BF6944B6B0
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69441E640_2_000001BF69441E64
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6943867C0_2_000001BF6943867C
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694401A80_2_000001BF694401A8
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6F591411_2_0000016E0D6F5914
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6F192811_2_0000016E0D6F1928
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6D916C11_2_0000016E0D6D916C
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6FCFF011_2_0000016E0D6FCFF0
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6FB7B011_2_0000016E0D6FB7B0
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6FAAB011_2_0000016E0D6FAAB0
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6F239C11_2_0000016E0D6F239C
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6FC39711_2_0000016E0D6FC397
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6F037411_2_0000016E0D6F0374
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6E033411_2_0000016E0D6E0334
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6F126411_2_0000016E0D6F1264
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6EF5A811_2_0000016E0D6EF5A8
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6E6F3811_2_0000016E0D6E6F38
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6FE60011_2_0000016E0D6FE600
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6FC68011_2_0000016E0D6FC680
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6D968011_2_0000016E0D6D9680
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D6DCE3C11_2_0000016E0D6DCE3C
                Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2784 -s 412
                Source: oLiA3yj6Cq.dllStatic PE information: Number of sections : 11 > 10
                Source: 5.2.rundll32.exe.1e583ce0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 5.2.rundll32.exe.1e583ce0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 5.2.rundll32.exe.1e583ce0000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 5.2.rundll32.exe.1e583ce0000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf693b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 0.2.loaddll64.exe.1bf693b0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 0.2.loaddll64.exe.1bf693b0000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 0.2.loaddll64.exe.1bf693b0000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 6.2.rundll32.exe.29e27c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 6.2.rundll32.exe.29e27c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 6.2.rundll32.exe.29e27c60000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 6.2.rundll32.exe.29e27c60000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 10.2.rundll32.exe.20650830000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 10.2.rundll32.exe.20650830000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 10.2.rundll32.exe.20650830000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 10.2.rundll32.exe.20650830000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 11.2.rundll32.exe.16e0d6d0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 11.2.rundll32.exe.16e0d6d0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 11.2.rundll32.exe.16e0d6d0000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 11.2.rundll32.exe.16e0d6d0000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                Source: Process Memory Space: loaddll64.exe PID: 1912, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: Process Memory Space: loaddll64.exe PID: 1912, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: Process Memory Space: loaddll64.exe PID: 1912, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: rundll32.exe PID: 2120, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: Process Memory Space: rundll32.exe PID: 2120, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: Process Memory Space: rundll32.exe PID: 2120, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: rundll32.exe PID: 3060, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: Process Memory Space: rundll32.exe PID: 3060, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: Process Memory Space: rundll32.exe PID: 3060, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: rundll32.exe PID: 5676, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: Process Memory Space: rundll32.exe PID: 5676, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: Process Memory Space: rundll32.exe PID: 5676, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: Process Memory Space: rundll32.exe PID: 4948, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                Source: Process Memory Space: rundll32.exe PID: 4948, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                Source: Process Memory Space: rundll32.exe PID: 4948, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: classification engineClassification label: mal100.troj.evad.winDLL@15/5@0/0
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69430B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_000001BF69430B70
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69433A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep,0_2_000001BF69433A64
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3728:120:WilError_03
                Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2784
                Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\85427e93-8362-410f-ac2d-6427164523e9Jump to behavior
                Source: oLiA3yj6Cq.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1
                Source: oLiA3yj6Cq.dllReversingLabs: Detection: 57%
                Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll"
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\oLiA3yj6Cq.dll
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllGetClassObject
                Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2784 -s 412
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllMain
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllRegisterServer
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1Jump to behavior
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\oLiA3yj6Cq.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllGetClassObjectJump to behavior
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllMainJump to behavior
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllRegisterServerJump to behavior
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1Jump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
                Source: oLiA3yj6Cq.dllStatic PE information: Image base 0x2fbac0000 > 0x60000000
                Source: oLiA3yj6Cq.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69449744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_000001BF69449744
                Source: oLiA3yj6Cq.dllStatic PE information: section name: .xdata
                Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\oLiA3yj6Cq.dll
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693E1CF0 push rcx; iretd 0_2_000001BF693E1CFE
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF693E776C push 0000006Ah; retf 0_2_000001BF693E7784
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694536F0 push rcx; iretd 0_2_000001BF694536FE
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6945916C push 0000006Ah; retf 0_2_000001BF69459184
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D701CF0 push rcx; iretd 11_2_0000016E0D701CFE
                Source: C:\Windows\System32\rundll32.exeCode function: 11_2_0000016E0D70776C push 0000006Ah; retf 11_2_0000016E0D707784
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694401A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_000001BF694401A8
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Contains functionality to detect sleep reduction / modifications
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6942FA1C0_2_000001BF6942FA1C
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694358540_2_000001BF69435854
                Source: C:\Windows\System32\loaddll64.exeAPI coverage: 4.2 %
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694358540_2_000001BF69435854
                Source: C:\Windows\System32\loaddll64.exe TID: 2012Thread sleep time: -120000s >= -30000sJump to behavior
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69439220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,0_2_000001BF69439220
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69431C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_000001BF69431C30
                Source: C:\Windows\System32\loaddll64.exeThread delayed: delay time: 120000Jump to behavior
                Source: Amcache.hve.9.drBinary or memory string: VMware
                Source: Amcache.hve.9.drBinary or memory string: VMware Virtual USB Mouse
                Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin
                Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
                Source: Amcache.hve.9.drBinary or memory string: VMware20,1hbin@
                Source: Amcache.hve.9.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                Source: Amcache.hve.9.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: Amcache.hve.9.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.9.drBinary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
                Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.9.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                Source: Amcache.hve.9.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                Source: loaddll64.exe, 00000000.00000002.2230753419.000001BF6919D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: Amcache.hve.9.drBinary or memory string: vmci.sys
                Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin`
                Source: Amcache.hve.9.drBinary or memory string: \driver\vmci,\driver\pci
                Source: Amcache.hve.9.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                Source: Amcache.hve.9.drBinary or memory string: VMware20,1
                Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Generation Counter
                Source: Amcache.hve.9.drBinary or memory string: NECVMWar VMware SATA CD00
                Source: Amcache.hve.9.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                Source: Amcache.hve.9.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                Source: Amcache.hve.9.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                Source: Amcache.hve.9.drBinary or memory string: VMware PCI VMCI Bus Device
                Source: Amcache.hve.9.drBinary or memory string: VMware VMCI Bus Device
                Source: Amcache.hve.9.drBinary or memory string: VMware Virtual RAM
                Source: Amcache.hve.9.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                Source: Amcache.hve.9.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69448B30 IsDebuggerPresent,0_2_000001BF69448B30
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69449744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_000001BF69449744
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69449744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_000001BF69449744
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694503C8 VirtualQuery,GetModuleFileNameW,GetPdbDllFromInstallPath,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,0_2_000001BF694503C8
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694524C8 DeleteCriticalSection,SetUnhandledExceptionFilter,0_2_000001BF694524C8
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694524D0 RtlCaptureContext,SetUnhandledExceptionFilter,0_2_000001BF694524D0

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Yara detected Powershell download and execute
                Source: Yara matchFile source: Process Memory Space: loaddll64.exe PID: 1912, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2120, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3060, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5676, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4948, type: MEMORYSTR
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Windows\System32\loaddll64.exeNtMapViewOfSection: Indirect: 0x7FFDA3581C34Jump to behavior
                Source: C:\Windows\System32\loaddll64.exeNtProtectVirtualMemory: Indirect: 0x7FFDA35814C3Jump to behavior
                Source: C:\Windows\System32\loaddll64.exeNtCreateThreadEx: Indirect: 0x7FFDA35816E1Jump to behavior
                Source: C:\Windows\System32\loaddll64.exeNtProtectVirtualMemory: Indirect: 0x7FFDA3581526Jump to behavior
                Source: C:\Windows\System32\loaddll64.exeNtProtectVirtualMemory: Indirect: 0x7FFDA3581698Jump to behavior
                Source: C:\Windows\System32\loaddll64.exeNtCreateThreadEx: Indirect: 0x7FFDA3582971Jump to behavior
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6943DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,0_2_000001BF6943DF50
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1Jump to behavior
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6943DEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_000001BF6943DEC8
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69430920 CreateNamedPipeA,0_2_000001BF69430920
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF694522F0 GetLocalTime,0_2_000001BF694522F0
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69435E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,0_2_000001BF69435E28
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69435E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,0_2_000001BF69435E28
                Source: C:\Windows\System32\loaddll64.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: Amcache.hve.9.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                Source: Amcache.hve.9.drBinary or memory string: MsMpEng.exe

                Remote Access Functionality

                barindex
                Yara detected CobaltStrike
                Source: Yara matchFile source: Process Memory Space: loaddll64.exe PID: 1912, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2120, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3060, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5676, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 4948, type: MEMORYSTR
                Source: Yara matchFile source: 5.2.rundll32.exe.1e583ce0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll64.exe.1bf693b0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.rundll32.exe.16e0d720000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.rundll32.exe.20650830000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.rundll32.exe.16e0d6d0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.rundll32.exe.16e0d720000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.rundll32.exe.29e27c60000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 5.2.rundll32.exe.1e583ce0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll64.exe.1bf693b0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll64.exe.1bf69420000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.rundll32.exe.29e27c60000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll64.exe.1bf69420000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.rundll32.exe.20650830000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.rundll32.exe.16e0d6d0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69436A78 socket,htons,ioctlsocket,closesocket,bind,listen,0_2_000001BF69436A78
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF69436670 htonl,htons,socket,closesocket,bind,ioctlsocket,0_2_000001BF69436670
                Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_000001BF6943EE8C socket,closesocket,htons,bind,listen,0_2_000001BF6943EE8C

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire Infrastructure2
                Valid Accounts                		1
                Native API                		2
                Valid Accounts                		2
                Valid Accounts                		2
                Valid Accounts                		OS Credential Dumping1
                System Time Discovery                		Remote Services1
                Archive Collected Data                		2
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/Job1
                DLL Side-Loading                		21
                Access Token Manipulation                		11
                Virtualization/Sandbox Evasion                		LSASS Memory151
                Security Software Discovery                		Remote Desktop ProtocolData from Removable Media1
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)12
                Process Injection                		21
                Access Token Manipulation                		Security Account Manager11
                Virtualization/Sandbox Evasion                		SMB/Windows Admin SharesData from Network Shared Drive1
                Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                Abuse Elevation Control Mechanism                		12
                Process Injection                		NTDS1
                Process Discovery                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
                DLL Side-Loading                		1
                Abuse Elevation Control Mechanism                		LSA Secrets1
                Account Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                Obfuscated Files or Information                		Cached Domain Credentials1
                System Owner/User Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Regsvr32                		DCSync1
                File and Directory Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                Rundll32                		Proc Filesystem4
                System Information Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                DLL Side-Loading                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 signatures2 2 Behavior Graph ID: 1542739 Sample: oLiA3yj6Cq.exe Startdate: 26/10/2024 Architecture: WINDOWS Score: 100 22 Found malware configuration 2->22 24 Malicious sample detected (through community Yara rule) 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 4 other signatures 2->28 7 loaddll64.exe 1 2->7         started        process3 signatures4 30 Found direct / indirect Syscall (likely to bypass EDR) 7->30 32 Contains functionality to detect sleep reduction / modifications 7->32 10 regsvr32.exe 7->10         started        12 cmd.exe 1 7->12         started        14 conhost.exe 7->14         started        16 3 other processes 7->16 process5 process6 18 WerFault.exe 23 16 10->18         started        20 rundll32.exe 12->20         started       

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                oLiA3yj6Cq.dll58%ReversingLabsWin64.Trojan.CobaltStrike

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                http://upx.sf.net0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                No contacted domains info

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                20.25.126.96true
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://upx.sf.netAmcache.hve.9.drfalse
                  • URL Reputation: safe
                  		unknown
                  http://127.0.0.1:%u/rundll32.exe, 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmpfalse
                    		unknown

                    World Map of Contacted IPs

                    No contacted IP infos

                    General Information

                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1542739
                    Start date and time:2024-10-26 09:09:06 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 4m 49s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:16
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:oLiA3yj6Cq.dll
                    (renamed file extension from exe to dll, renamed because original name is a hash value)
                    Original Sample Name:e43d6309199e04b80a93fb0ccc44545c42fca0627d50496f356d01cd552061ec.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winDLL@15/5@0/0
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 7
                    • Number of non-executed functions: 190

                    Warnings

                    • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.189.173.20
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                    • Not all processes where analyzed, report is missing behavior information
                    • VT rate limit hit for: oLiA3yj6Cq.dll

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    03:10:02API Interceptor1x Sleep call for process: WerFault.exe modified
                    03:10:08API Interceptor1x Sleep call for process: loaddll64.exe modified

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASNs

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_12aa84f81d99ae7eee3b83fc11c16348eb77b7_e29f7403_3efe9483-1171-4cd2-ae68-ab22ee01a16b\Report.wer

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.7942221846725064
                    Encrypted:false
                    SSDEEP:192:RrozcoESjlx0JEb70rjeTozuiFgZ24lO8w:9KcpSjgJEb70rjeczuiFgY4lO8w
                    MD5:234B9DDF730C75CA054753B263981FB4
                    SHA1:8BEE95B63B69AC4EBEA9C607988591EE7358A8A1
                    SHA-256:1B4A1703D849DB7D3133124066F27DD1C2B90C94639B35EAB86691B360E323B1
                    SHA-512:FDD93FDB0B4166EC2D076D08091D76D6D88846224E4CCD71D8A033BDEE4C3374BFC2C9D83305625298C53AAFE83FEAFC37EFAA46002CCEE5F700F967B6A34DFE
                    Malicious:false
                    Reputation:low
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.0.0.1.9.9.9.3.5.7.5.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.0.0.2.0.0.1.8.5.7.5.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.e.f.e.9.4.8.3.-.1.1.7.1.-.4.c.d.2.-.a.e.6.8.-.a.b.2.2.e.e.0.1.a.1.6.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.b.6.3.d.f.6.0.-.4.b.4.9.-.4.4.8.e.-.8.1.1.b.-.4.2.f.2.8.a.7.e.3.8.2.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.e.g.s.v.r.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.E.G.S.V.R.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.e.0.-.0.0.0.1.-.0.0.1.5.-.b.2.c.6.-.c.3.1.1.7.6.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.d.7.c.2.f.d.3.5.4.3.6.3.d.a.e.e.6.3.e.8.f.5.9.1.e.c.5.2.f.a.5.d.0.e.2.3.f.6.f.!.r.e.g.s.v.r.3.2...e.x.e.....T.

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERA60A.tmp.dmp

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Sat Oct 26 07:10:00 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):66202
                    Entropy (8bit):1.4780462755680313
                    Encrypted:false
                    SSDEEP:96:5U78ckXhFa56Dds3EiteI8e/Qqoi75BL6GhLw9grx3Q/33l14qa1Nmfkoi+ZWIq4:hlaUa8OQzO50GhLw9grzyfzdWZd5qp
                    MD5:7AB8ECCAE4E2946BE455AAC69E887905
                    SHA1:11631082A2890D9CCEC1DF1CAEC674E31A5A4797
                    SHA-256:51AA4B7DF6A8B71CE0CCB5BC00FF0703C0B5F34CBCACEB3E7833477FBF2338A4
                    SHA-512:F97DE757FE4B51F4BD76303F4207E28ACC1362B3C9F241FCC127410971D3E92AF37FE0901B54E23A2A463BCFF943038DDE55BC440BAE63295E26177B16B93969
                    Malicious:false
                    Reputation:low
                    Preview:MDMP..a..... .........g....................................$...........4....0..........`.......8...........T...........x...".......................................................................................................eJ......|.......Lw......................T.............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERA669.tmp.WERInternalMetadata.xml

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8570
                    Entropy (8bit):3.6833216891099965
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJeHb86Ya7lCgmf8UNCXcpDRC89blALfrXm:R6lXJuw6YWlCgmf8UNCXW7lUfS
                    MD5:87CC57E39A6692EFC266165DAEB8CDE1
                    SHA1:05AB46FECBD027C4FF3FABBF32A93BEF97753EE1
                    SHA-256:1BCEFC5D4A15CD6080031C6DF70EB360790D2D6E4650B60CEBD2D5DB0EE2D3FF
                    SHA-512:6DB8B5012EAF7C391BD5E30D7F1821C7F5396CBD5675E6039C386AC7ED758A34369B7AAE1F7DF660D9C2BC8C23F3A956256BA299E06757711D00C3439C1B928E
                    Malicious:false
                    Reputation:low
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.8.4.<./.P.i.

                    C:\ProgramData\Microsoft\Windows\WER\Temp\WERA699.tmp.xml

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4828
                    Entropy (8bit):4.43345472258423
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsIVrJg771I9ikgWpW8VYoPYm8M4JPNYgFCzyq8vkNYLfs5gd:uIjfUFI7AZ7V5SJPOWkQfs5gd
                    MD5:809E7BB5BC439AD3749795C31A65D4D1
                    SHA1:39194B32ECE0BA836883DBC021ED2685CC649090
                    SHA-256:CFC15BC2A083303BB5B7079D6B5389C36DF092B4CC851445A0DBC51E1C02AC4D
                    SHA-512:714B4C1085625DF1DD812773F4444B86844861BAC118099A980DB72A4C86D5BFE9599F0BB29FC3A983C499623273E84951C226EEFF4071A04B1F318541C8EB21
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="560052" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                    C:\Windows\appcompat\Programs\Amcache.hve

                    Download File
                    Process:C:\Windows\System32\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):1835008
                    Entropy (8bit):4.46943898637942
                    Encrypted:false
                    SSDEEP:6144:RzZfpi6ceLPx9skLmb0fYZWSP3aJG8nAgeiJRMMhA2zX4WABluuNejDH5S:JZHtYZWOKnMM6bFp0j4
                    MD5:AFB01510CC287B17C3900409D7636520
                    SHA1:CA8C7B7F2CCED24E97F1E5CBB8BDFC4B75290471
                    SHA-256:E45C73F15615BEEAAB69F2FDA0C75B5A292D1573CE23CE959D5E005646F1D401
                    SHA-512:7C4E6728B6AF961F94BA48FE1AFA12FC8FA30FB6EF1D6677E898B5FB27697F0DD21DBC1FBA8BF46E82424D1216AFE311445ED9F7B8566AF73E25C3BE569327D0
                    Malicious:false
                    Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmNA..v'.................................................................................................................................................................................................................................................................................................................................................%........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                    Static File Info

                    General

                    File type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                    Entropy (8bit):6.910554120501998
                    TrID:
                    • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
                    • Win64 Executable (generic) (12005/4) 10.17%
                    • Generic Win/DOS Executable (2004/3) 1.70%
                    • DOS Executable Generic (2002/1) 1.70%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
                    File name:oLiA3yj6Cq.dll
                    File size:381'952 bytes
                    MD5:4886943161951b6be845188a19c82de5
                    SHA1:f8bd367eb8cc58e05f10697ae4e27c190bd7662d
                    SHA256:e43d6309199e04b80a93fb0ccc44545c42fca0627d50496f356d01cd552061ec
                    SHA512:c131e6c33132c8106bc5275464adc20468779e50dcc88914b141810b51aabbab35fafe2a3b5b15d998d769ef504a65ed46aa61f03bfddc40b9642be0b7bbb0fd
                    SSDEEP:6144:gih0ZgnQQdQdGP8Ra6YE4nz/l4ekMXLou0t+a4tmOVh1qvROQHz:KgnQ6QdPqE4nzN4ekM7oua+kOVjqvR3
                    TLSH:2E84BD83F74301DED6021CF03B62D96BECB4C9D4328EF662D56C877A61BDE11D929688
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g..........."...+.,......."..0................................................}....`... ............................

                    File Icon

                    Icon Hash:7ae282899bbab082

                    Static PE Info

                    General

                    Entrypoint:0x2fbac1330
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x2fbac0000
                    Subsystem:windows cui
                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED, DLL
                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x6718BD0F [Wed Oct 23 09:08:31 2024 UTC]
                    TLS Callbacks:0xfbac2ab0, 0x2, 0xfbac2a80, 0x2
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:9eaa24f9e5d2fd104fe4ac79aa5c044b

                    Entrypoint Preview

                    Instruction
                    dec eax
                    mov eax, dword ptr [0005BF09h]
                    mov dword ptr [eax], 00000000h
                    jmp 00007F71A880D3A3h
                    nop word ptr [eax+eax+00000000h]
                    nop dword ptr [eax]
                    dec eax
                    mov edx, ecx
                    dec eax
                    lea ecx, dword ptr [0005ECA6h]
                    jmp 00007F71A880F986h
                    nop
                    dec eax
                    lea ecx, dword ptr [00000009h]
                    jmp 00007F71A880D4F9h
                    nop dword ptr [eax+00h]
                    ret
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    nop
                    push ebx
                    dec eax
                    sub esp, 20h
                    dec eax
                    mov eax, dword ptr [00000020h]
                    dec eax
                    mov eax, dword ptr [eax]
                    mov ebx, dword ptr [eax]
                    call dword ptr [00062E37h]
                    dec eax
                    mov ecx, eax
                    mov edx, ebx
                    call dword ptr [00062E9Ch]
                    dec eax
                    mov ecx, dword ptr [0005EC7Dh]
                    dec eax
                    add esp, 20h
                    pop ebx
                    dec eax
                    jmp dword ptr [00062E69h]
                    push ebx
                    dec eax
                    sub esp, 20h
                    dec eax
                    mov ebx, ecx
                    call dword ptr [00062E13h]
                    mov dword ptr [0005EC55h], eax
                    dec eax
                    mov eax, ebx
                    dec eax
                    add esp, 20h
                    pop ebx
                    dec eax
                    jmp eax
                    dec eax
                    arpl word ptr [00002C53h], ax
                    test eax, eax
                    jle 00007F71A880D538h
                    cmp dword ptr [00002C4Ch], 00000000h
                    jle 00007F71A880D52Fh
                    dec eax
                    mov edx, dword ptr [00062DFFh]
                    dec eax
                    mov dword ptr [ecx+eax], edx
                    dec eax
                    mov edx, dword ptr [00000000h]

                    Data Directories

                    NameVirtual AddressVirtual Size Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT0x630000xaa.edata
                    IMAGE_DIRECTORY_ENTRY_IMPORT0x640000x638.idata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x5e0000x420.pdata
                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x670000x60.reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                    IMAGE_DIRECTORY_ENTRY_TLS0x5d0400x28.rdata
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IAT0x641a80x168.idata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                    Sections

                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                    .text0x10000x2aa80x2c0080dcabb486ac0320b8107f6fb61a1f46False0.5140269886363636data6.128075480207132IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .data0x40000x582d00x58400f425d425d482c7d0427708254e5c6e54False0.5794861012747875dBase III DBT, version number 0, next free block index 1, 1st item "\310\373H\224!\350iv\310\373H\224!\350iv\310\020K\224Q\350iv\310\373H\224!\350iv\310\333K\224Q\356iv\310\373H\224!\350iv\310\373H\224!\350iv\310\373H\224!\350iv\346\217-\354U\350ivJ\372K\224!\370iv\310\371K\224!\354iv\310\373H\224!\350iv\310\373H\224\001\350i\026\346\211,\365U\211iv\312\007H\224!\310jv\310\005H\224!\356j"6.95266435819705IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rdata0x5d0000x5d00x60038ece8b89d2607176782f11cbc2aea88False0.2265625data3.9046999817791903IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .pdata0x5e0000x4200x60009d86492997fabcc3acb4c2f8c4841daFalse0.3483072916666667data3.3630058682714674IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .xdata0x5f0000x2c00x400377742ba7013f102de8668f1fbfd1e13False0.267578125data2.9261463837859796IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .bss0x600000x20f00x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .edata0x630000xaa0x20034e6ccc0e0f15540da6c40933543e3f3False0.265625data1.9876842911409685IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .idata0x640000x6380x8005a3c3da5e46c1ce76e4cfec80ed9a5c6False0.2919921875data3.504409780230131IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .CRT0x650000x580x20076ed0b612acfb49deb9614a76b1b5624False0.05859375data0.25323120180391656IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .tls0x660000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .reloc0x670000x600x20034c130ef3b64e5ff719bd7dcc6db1ddaFalse0.197265625data1.1005696276589663IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Imports

                    DLLImport
                    KERNEL32.dllConvertThreadToFiber, CreateFiber, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, GetCurrentProcess, GetCurrentThreadId, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, Sleep, SleepEx, SwitchToFiber, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject
                    msvcrt.dll__iob_func, _amsg_exit, _initterm, _lock, _unlock, abort, calloc, fclose, fopen, fread, free, fsetpos, fwrite, malloc, mbstowcs, memcmp, rand, realloc, strlen, strncmp, vfprintf, wcsncat, wcsncpy

                    Exports

                    NameOrdinalAddress
                    DllGetClassObject10x2fbac2981
                    DllMain20x2fbac2917
                    DllRegisterServer30x2fbac297b
                    DllUnregisterServer40x2fbac297e
                    StartW50x2fbac298a

                    Network Behavior

                    No network behavior found

                    Statistics

                    CPU Usage

                    Click to jump to process

                    Memory Usage

                    Click to jump to process

                    High Level Behavior Distribution

                    Click to dive into process behavior distribution

                    Behavior

                    Click to jump to process

                    System Behavior

                    General

                    Target ID:0
                    Start time:03:09:59
                    Start date:26/10/2024
                    Path:C:\Windows\System32\loaddll64.exe
                    Wow64 process (32bit):false
                    Commandline:loaddll64.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll"
                    Imagebase:0x7ff617a50000
                    File size:165'888 bytes
                    MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: yara@s3c.za.net
                    • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: @VK_Intel
                    • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                    • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                    • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:1
                    Start time:03:09:59
                    Start date:26/10/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff66e660000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:3
                    Start time:03:09:59
                    Start date:26/10/2024
                    Path:C:\Windows\System32\cmd.exe
                    Wow64 process (32bit):false
                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1
                    Imagebase:0x7ff75b9f0000
                    File size:289'792 bytes
                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:4
                    Start time:03:09:59
                    Start date:26/10/2024
                    Path:C:\Windows\System32\regsvr32.exe
                    Wow64 process (32bit):false
                    Commandline:regsvr32.exe /s C:\Users\user\Desktop\oLiA3yj6Cq.dll
                    Imagebase:0x7ff791410000
                    File size:25'088 bytes
                    MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:5
                    Start time:03:09:59
                    Start date:26/10/2024
                    Path:C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit):false
                    Commandline:rundll32.exe "C:\Users\user\Desktop\oLiA3yj6Cq.dll",#1
                    Imagebase:0x7ff6222c0000
                    File size:71'680 bytes
                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: yara@s3c.za.net
                    • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: @VK_Intel
                    • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000005.00000002.2140499107.000001E583CE0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:6
                    Start time:03:09:59
                    Start date:26/10/2024
                    Path:C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit):false
                    Commandline:rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllGetClassObject
                    Imagebase:0x7ff6222c0000
                    File size:71'680 bytes
                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: yara@s3c.za.net
                    • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: @VK_Intel
                    • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000006.00000002.2140711176.0000029E27C60000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:9
                    Start time:03:09:59
                    Start date:26/10/2024
                    Path:C:\Windows\System32\WerFault.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\WerFault.exe -u -p 2784 -s 412
                    Imagebase:0x7ff6cc740000
                    File size:570'736 bytes
                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:10
                    Start time:03:10:02
                    Start date:26/10/2024
                    Path:C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit):false
                    Commandline:rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllMain
                    Imagebase:0x7ff6222c0000
                    File size:71'680 bytes
                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: yara@s3c.za.net
                    • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: @VK_Intel
                    • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 0000000A.00000002.2170605012.0000020650830000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    Reputation:high
                    Has exited:true

                    General

                    Target ID:11
                    Start time:03:10:05
                    Start date:26/10/2024
                    Path:C:\Windows\System32\rundll32.exe
                    Wow64 process (32bit):false
                    Commandline:rundll32.exe C:\Users\user\Desktop\oLiA3yj6Cq.dll,DllRegisterServer
                    Imagebase:0x7ff6222c0000
                    File size:71'680 bytes
                    MD5 hash:EF3179D498793BF4234F708D3BE28633
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: yara@s3c.za.net
                    • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: @VK_Intel
                    • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                    • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                    • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                    • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                    • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 0000000B.00000002.2199778105.0000016E0D720000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                    Reputation:high
                    Has exited:true

                    Disassembly

                    Reset < >

                      Execution Graph

                      Execution Coverage:0.9%
                      Dynamic/Decrypted Code Coverage:97.1%
                      Signature Coverage:5.9%
                      Total number of Nodes:204
                      Total number of Limit Nodes:4
                      execution_graph 38833 1bf693c88d4 38837 1bf693c8911 38833->38837 38834 1bf693c8d40 VirtualAlloc 38836 1bf693c8d98 38834->38836 38835 1bf693c8ea5 LoadLibraryA 38835->38836 38836->38835 38838 1bf693c8ff6 38836->38838 38837->38834 38839 1bf69441b48 38840 1bf69441b64 38839->38840 38843 1bf69441b69 38839->38843 38853 1bf694492d0 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId __security_init_cookie 38840->38853 38842 1bf69441bf4 38850 1bf69441bbe 38842->38850 38899 1bf694393e0 38842->38899 38843->38842 38843->38850 38854 1bf694419e8 38843->38854 38845 1bf69441c12 38846 1bf69441c3b 38845->38846 38848 1bf694393e0 _DllMainCRTStartup 123 API calls 38845->38848 38849 1bf694419e8 _CRT_INIT 44 API calls 38846->38849 38846->38850 38851 1bf69441c2e 38848->38851 38849->38850 38852 1bf694419e8 _CRT_INIT 44 API calls 38851->38852 38852->38846 38853->38843 38855 1bf69441a77 38854->38855 38860 1bf694419fa _heap_init 38854->38860 38856 1bf69441acd 38855->38856 38862 1bf69441a7b _CRT_INIT 38855->38862 38857 1bf69441b30 38856->38857 38858 1bf69441ad2 38856->38858 38868 1bf69441a03 _CRT_INIT 38857->38868 38937 1bf69445808 5 API calls 3 library calls 38857->38937 38936 1bf694440a8 TlsGetValue 38858->38936 38860->38868 38909 1bf694459b0 9 API calls 6 library calls 38860->38909 38862->38868 38932 1bf6943ff6c 6 API calls 2 library calls 38862->38932 38866 1bf69441a0f _RTC_Initialize 38866->38868 38873 1bf69441a1f GetCommandLineA 38866->38873 38867 1bf69441aa3 38878 1bf69441ab2 _CRT_INIT 38867->38878 38933 1bf6944816c 5 API calls 2 library calls 38867->38933 38868->38842 38872 1bf69441aad 38934 1bf69445a30 TlsFree _mtterm 38872->38934 38910 1bf6944937c 38873->38910 38878->38868 38935 1bf69445a30 TlsFree _mtterm 38878->38935 38879 1bf69441a31 38916 1bf69447e40 38879->38916 38884 1bf69441a3d 38886 1bf69441a41 38884->38886 38887 1bf69441a48 38884->38887 38927 1bf69445a30 TlsFree _mtterm 38886->38927 38928 1bf69448ee0 28 API calls 3 library calls 38887->38928 38891 1bf69441a4d 38892 1bf69441a61 38891->38892 38929 1bf6944919c 27 API calls 4 library calls 38891->38929 38898 1bf69441a65 38892->38898 38931 1bf6944816c 5 API calls 2 library calls 38892->38931 38895 1bf69441a56 38895->38892 38930 1bf694400ec 31 API calls 4 library calls 38895->38930 38896 1bf69441a75 38896->38886 38898->38868 38900 1bf694394bb 38899->38900 38905 1bf69439402 _DllMainCRTStartup 38899->38905 39009 1bf6943b47c 38900->39009 38902 1bf69439407 _DllMainCRTStartup 38902->38845 38903 1bf69439465 _DllMainCRTStartup 38953 1bf6942ca74 38903->38953 38905->38902 38905->38903 39028 1bf6943d2ec VirtualFree _DllMainCRTStartup 38905->39028 38907 1bf69439487 38907->38903 39029 1bf6943d2ec VirtualFree _DllMainCRTStartup 38907->39029 38909->38866 38911 1bf6944939b __crtGetEnvironmentStringsA __crtLCMapStringA_stat 38910->38911 38914 1bf69449439 __crtGetEnvironmentStringsA 38911->38914 38938 1bf694447a8 20 API calls 2 library calls 38911->38938 38913 1bf69449401 __crtLCMapStringA_stat 38913->38914 38939 1bf6943f244 5 API calls 3 library calls 38913->38939 38914->38879 38917 1bf69447e6f 38916->38917 38940 1bf69444728 38917->38940 38919 1bf69447e93 _ioinit 38919->38884 38920 1bf694480a3 GetStdHandle 38922 1bf69448058 _ioinit 38920->38922 38921 1bf69444728 _calloc_crt 5 API calls 38924 1bf69447e83 _ioinit 38921->38924 38922->38919 38922->38920 38926 1bf694480fe InitializeCriticalSectionAndSpinCount 38922->38926 38923 1bf69447f74 _ioinit 38923->38922 38925 1bf69448006 InitializeCriticalSectionAndSpinCount 38923->38925 38924->38919 38924->38921 38924->38922 38924->38923 38925->38923 38926->38922 38928->38891 38929->38895 38930->38892 38931->38896 38932->38867 38933->38872 38937->38868 38938->38913 38939->38914 38943 1bf6944474d _calloc_crt 38940->38943 38942 1bf6944478a 38942->38924 38943->38942 38944 1bf69449cec 38943->38944 38945 1bf69449d01 38944->38945 38949 1bf69449d1e _chsize_nolock 38944->38949 38946 1bf69449d0f 38945->38946 38945->38949 38951 1bf69441d18 5 API calls _getptd_noexit 38946->38951 38950 1bf69449d14 38949->38950 38952 1bf69441db4 DecodePointer 38949->38952 38950->38943 38951->38950 38952->38949 39030 1bf69435fec 38953->39030 38955 1bf6942ca92 _DllMainCRTStartup 39037 1bf6943f284 38955->39037 38957 1bf6942cb40 _DllMainCRTStartup 39053 1bf6943c230 29 API calls 6 library calls 38957->39053 38959 1bf6942cb87 39054 1bf694334a0 27 API calls 2 library calls 38959->39054 38961 1bf6942cb94 39055 1bf6943eaa8 21 API calls 3 library calls 38961->39055 38963 1bf6942cbb5 39056 1bf6943eaa8 21 API calls 3 library calls 38963->39056 38965 1bf6942cbcf _DllMainCRTStartup 38967 1bf6942cbdd _DllMainCRTStartup 38965->38967 39094 1bf6943da74 10 API calls 3 library calls 38965->39094 38968 1bf6942cbf9 38967->38968 39095 1bf6943da74 10 API calls 3 library calls 38967->39095 39057 1bf6942f1f8 36 API calls _DllMainCRTStartup 38968->39057 38971 1bf6942cc05 38972 1bf6942cc0e 38971->38972 39096 1bf6943da74 10 API calls 3 library calls 38971->39096 39058 1bf6942f274 38 API calls 5 library calls 38972->39058 38975 1bf6942cc13 38977 1bf6942cc1c _DllMainCRTStartup 38975->38977 39097 1bf6943da74 10 API calls 3 library calls 38975->39097 38978 1bf6943f284 malloc 20 API calls 38977->38978 38979 1bf6942cc4f 38978->38979 38980 1bf6942cc5c _DllMainCRTStartup 38979->38980 39098 1bf6943da74 10 API calls 3 library calls 38979->39098 39059 1bf6943eaa8 21 API calls 3 library calls 38980->39059 38983 1bf6942cc78 _DllMainCRTStartup 39060 1bf69435c60 GetACP GetOEMCP 38983->39060 39010 1bf69435fec _DllMainCRTStartup 20 API calls 39009->39010 39011 1bf6943b4a0 _snprintf _DllMainCRTStartup 39010->39011 39012 1bf6943f284 malloc 20 API calls 39011->39012 39013 1bf6943b52d _snprintf 39012->39013 39162 1bf6943eaa8 21 API calls 3 library calls 39013->39162 39015 1bf6943b55e _DllMainCRTStartup 39019 1bf6943b575 _DllMainCRTStartup 39015->39019 39163 1bf6942f014 39015->39163 39017 1bf6943b5ff _DllMainCRTStartup 39020 1bf6943b611 GetComputerNameA 39017->39020 39026 1bf6943b634 GetPdbDllFromInstallPath _DllMainCRTStartup 39017->39026 39018 1bf6943b5d7 GetComputerNameExA 39018->39017 39019->39017 39019->39018 39168 1bf6943baa8 _DllMainCRTStartup 39020->39168 39022 1bf6943b802 39170 1bf694360e0 5 API calls 2 library calls 39022->39170 39025 1bf6943f284 malloc 20 API calls 39025->39026 39026->39022 39026->39025 39169 1bf6943eaa8 21 API calls 3 library calls 39026->39169 39028->38907 39029->38903 39031 1bf6943f284 malloc 20 API calls 39030->39031 39032 1bf6943600d 39031->39032 39033 1bf6943f284 malloc 20 API calls 39032->39033 39036 1bf69436015 _snprintf _DllMainCRTStartup 39032->39036 39034 1bf69436021 39033->39034 39034->39036 39099 1bf6943f244 5 API calls 3 library calls 39034->39099 39036->38955 39038 1bf6943f29c _chsize_nolock 39037->39038 39039 1bf6943f318 39037->39039 39041 1bf6943f2b4 39038->39041 39046 1bf6943f2fd 39038->39046 39050 1bf6943f302 39038->39050 39052 1bf6943f30d 39038->39052 39103 1bf69441db4 DecodePointer 39038->39103 39106 1bf69441db4 DecodePointer 39039->39106 39041->39038 39100 1bf69441df0 19 API calls 2 library calls 39041->39100 39101 1bf69441e64 19 API calls 5 library calls 39041->39101 39102 1bf6943ff54 GetModuleHandleExW __crtCorExitProcess malloc 39041->39102 39042 1bf6943f31d 39107 1bf69441d18 5 API calls _getptd_noexit 39042->39107 39104 1bf69441d18 5 API calls _getptd_noexit 39046->39104 39105 1bf69441d18 5 API calls _getptd_noexit 39050->39105 39052->38957 39053->38959 39054->38961 39055->38963 39056->38965 39057->38971 39058->38975 39059->38983 39108 1bf69421218 39060->39108 39064 1bf69435ca8 GetCurrentProcessId 39065 1bf69435cb6 _DllMainCRTStartup 39064->39065 39114 1bf6944044c 25 API calls _getptd 39065->39114 39067 1bf69435cbf 39115 1bf6942cfa4 5 API calls _DllMainCRTStartup 39067->39115 39069 1bf69435cc4 _DllMainCRTStartup 39116 1bf6943dec8 AllocateAndInitializeSid CheckTokenMembership FreeSid 39069->39116 39071 1bf69435d06 39117 1bf6942e2a8 htonl htonl 39071->39117 39073 1bf69435d1c 39118 1bf6942e200 htonl GetPdbDllFromInstallPath 39073->39118 39075 1bf69435d2f 39119 1bf6942e200 htonl GetPdbDllFromInstallPath 39075->39119 39077 1bf69435d3f 39120 1bf6942e200 htonl GetPdbDllFromInstallPath 39077->39120 39079 1bf69435d4f 39121 1bf6942e248 htonl htonl _DllMainCRTStartup 39079->39121 39081 1bf69435d5e GetCurrentProcessId 39122 1bf6942e248 htonl htonl _DllMainCRTStartup 39081->39122 39083 1bf69435d6f 39123 1bf6942e278 htonl _DllMainCRTStartup 39083->39123 39085 1bf69435d7a 39124 1bf6942e1e0 htonl _DllMainCRTStartup 39085->39124 39087 1bf69435d85 39125 1bf69435e28 39087->39125 39099->39036 39100->39041 39101->39041 39103->39038 39104->39050 39105->39052 39106->39042 39107->39052 39154 1bf69421184 CryptAcquireContextA 39108->39154 39111 1bf69421245 39113 1bf6943b0b4 20 API calls _DllMainCRTStartup 39111->39113 39113->39064 39114->39067 39115->39069 39116->39071 39117->39073 39118->39075 39119->39077 39120->39079 39121->39081 39122->39083 39123->39085 39124->39087 39126 1bf69435fec _DllMainCRTStartup 20 API calls 39125->39126 39127 1bf69435e51 _DllMainCRTStartup 39126->39127 39128 1bf69435eb5 GetComputerNameA 39127->39128 39161 1bf6942f008 39128->39161 39155 1bf694211c2 CryptAcquireContextA 39154->39155 39156 1bf694211e6 CryptGenRandom 39154->39156 39155->39156 39157 1bf6942120c 39155->39157 39158 1bf694211fd CryptReleaseContext 39156->39158 39159 1bf694211fb 39156->39159 39157->39111 39160 1bf694210d0 GetSystemTimeAsFileTime clock 39157->39160 39158->39157 39159->39158 39160->39111 39162->39015 39171 1bf6942f118 39163->39171 39165 1bf6942f02f _DllMainCRTStartup 39166 1bf6942f058 WSAIoctl 39165->39166 39167 1bf6942f051 _DllMainCRTStartup 39165->39167 39166->39167 39167->39019 39168->39026 39169->39026 39172 1bf6942f12c _DllMainCRTStartup 39171->39172 39175 1bf6942f144 _DllMainCRTStartup 39171->39175 39173 1bf6942f1d2 WSACleanup 39172->39173 39172->39175 39174 1bf6942f1e2 _DllMainCRTStartup 39173->39174 39175->39165

                      Executed Functions

                      Function 000001BF69435E28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116stringCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
                      • String ID: %s%s%s
                      • API String ID: 1671524875-1891519693
                      • Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                      • Instruction ID: 5a31e36297baae68f8c6e9141f209901a4037372d6cc504b0e6b9d546daa53c5
                      • Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                      • Instruction Fuzzy Hash: CC41583060428146EA04AB62AD556EB7791F78DBD4F48C23DAE5A4B79ACF3CC4438740
                      Function 000001BF69421184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39encryptionCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Crypt$Context$Acquire$RandomRelease
                      • String ID: ($Microsoft Base Cryptographic Provider v1.0
                      • API String ID: 685801729-4046902070
                      • Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                      • Instruction ID: 54f7d7e8b22c05e0104e88c4bad813bdebe69141231262eb70aa1616b0e7e368
                      • Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                      • Instruction Fuzzy Hash: F0012D3570064092E750CFA5ED887EAB7A1F7DCB88F84C43ADA4983664DF79C54AC740
                      Function 000001BF6942EA48 Relevance: 9.1, APIs: 6, Instructions: 109networkCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$Option$ConnectOpenRevertSelf
                      • String ID:
                      • API String ID: 1513466045-0
                      • Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                      • Instruction ID: 956b9e2846d13d86971e5d077a297b56465e7eb8544e2b938c9b475f5cf74fad
                      • Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                      • Instruction Fuzzy Hash: 62416B76204B8182EB249B62EC957E97751F798788F04C03DDE5A17B96CF79C507C704
                      Function 000001BF6942F014 Relevance: 4.6, APIs: 3, Instructions: 66networkCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 100 1bf6942f014-1bf6942f04f call 1bf6942f118 call 1bf69452660 105 1bf6942f051-1bf6942f053 100->105 106 1bf6942f058-1bf6942f097 WSAIoctl 100->106 107 1bf6942f0f6-1bf6942f10a 105->107 108 1bf6942f0b4-1bf6942f0be 106->108 109 1bf6942f099-1bf6942f0b0 106->109 110 1bf6942f0c0 108->110 111 1bf6942f0eb-1bf6942f0ee call 1bf694525e8 108->111 109->108 112 1bf6942f0c5-1bf6942f0cf 110->112 116 1bf6942f0f4 111->116 114 1bf6942f0d1-1bf6942f0d4 112->114 115 1bf6942f0d6-1bf6942f0e2 112->115 114->115 117 1bf6942f0e6 114->117 115->111 118 1bf6942f0e4 115->118 116->107 117->111 118->112
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: IoctlSocketStartupclosesocket
                      • String ID:
                      • API String ID: 365704328-0
                      • Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                      • Instruction ID: 7dc71e06ce6563295e7a146eb4c79f9f862c61c00f6884efe99bcd39011894ea
                      • Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                      • Instruction Fuzzy Hash: EA21A37260478442E7608F54F9407DAB795F38C7E8F90C679DE9943B85DF39C5468B00
                      Function 000001BF693C88D4 Relevance: 3.7, APIs: 2, Instructions: 671memorylibraryCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 119 1bf693c88d4-1bf693c8911 call 1bf693c9241 122 1bf693c8915-1bf693c8920 119->122 123 1bf693c8955-1bf693c895a 122->123 124 1bf693c8922-1bf693c8934 122->124 123->122 124->123 125 1bf693c8936-1bf693c893e 124->125 125->123 126 1bf693c8940-1bf693c8953 125->126 126->123 127 1bf693c895c-1bf693c898f 126->127 128 1bf693c8d32-1bf693c8d37 127->128 129 1bf693c8d3d 128->129 130 1bf693c8994-1bf693c89ac 128->130 132 1bf693c8d40-1bf693c8d96 VirtualAlloc 129->132 131 1bf693c89b4-1bf693c89e8 130->131 133 1bf693c89ea-1bf693c89fd 131->133 134 1bf693c89ff-1bf693c8a09 131->134 135 1bf693c8dbb-1bf693c8dca 132->135 136 1bf693c8a0d-1bf693c8a1c 133->136 134->136 137 1bf693c8dcc-1bf693c8df8 135->137 138 1bf693c8d98-1bf693c8db9 135->138 136->131 139 1bf693c8a1e-1bf693c8a27 136->139 140 1bf693c8e6a-1bf693c8e79 137->140 138->135 143 1bf693c8a2d-1bf693c8a9d 139->143 144 1bf693c8bc0-1bf693c8bc9 139->144 141 1bf693c8dfa-1bf693c8e2f 140->141 142 1bf693c8e7f-1bf693c8ea0 140->142 145 1bf693c8e54-1bf693c8e63 141->145 146 1bf693c8fe7-1bf693c8ff0 142->146 147 1bf693c8bb0-1bf693c8bb5 143->147 148 1bf693c8d0b-1bf693c8d10 144->148 149 1bf693c8bcf-1bf693c8c3f 144->149 152 1bf693c8e65 145->152 153 1bf693c8e31-1bf693c8e52 145->153 150 1bf693c8ea5-1bf693c8eec LoadLibraryA 146->150 151 1bf693c8ff6-1bf693c9020 146->151 156 1bf693c8bbb 147->156 157 1bf693c8aa2-1bf693c8ab5 147->157 154 1bf693c8d27-1bf693c8d2e 148->154 155 1bf693c8d12-1bf693c8d17 148->155 158 1bf693c8d00-1bf693c8d05 149->158 163 1bf693c8fd2-1bf693c8fdc 150->163 159 1bf693c91ea-1bf693c9240 151->159 160 1bf693c9026-1bf693c9039 151->160 152->140 153->145 154->128 155->154 162 1bf693c8d19-1bf693c8d1e 155->162 156->148 164 1bf693c8aba-1bf693c8af7 157->164 158->148 161 1bf693c8c44-1bf693c8c57 158->161 165 1bf693c91db-1bf693c91e4 160->165 167 1bf693c8c5c-1bf693c8c99 161->167 162->154 166 1bf693c8d20-1bf693c8d25 162->166 169 1bf693c8ef1-1bf693c8ef6 163->169 170 1bf693c8fe2 163->170 164->164 168 1bf693c8af9-1bf693c8b05 164->168 165->159 171 1bf693c903e-1bf693c9071 165->171 166->154 173 1bf693c8d3f 166->173 167->167 176 1bf693c8c9b-1bf693c8ca7 167->176 177 1bf693c8b1d-1bf693c8b4a 168->177 178 1bf693c8b07-1bf693c8b0e 168->178 174 1bf693c8efc-1bf693c8f06 169->174 175 1bf693c8f8f-1bf693c8fbe 169->175 170->146 181 1bf693c91b9-1bf693c91c8 171->181 173->132 174->175 182 1bf693c8f0c-1bf693c8f8d 174->182 190 1bf693c8fc1-1bf693c8fcb 175->190 183 1bf693c8ca9-1bf693c8cd6 176->183 184 1bf693c8cf6-1bf693c8cfb 176->184 179 1bf693c8b4c-1bf693c8b5f 177->179 180 1bf693c8b61-1bf693c8b68 177->180 178->177 185 1bf693c8b10-1bf693c8b17 178->185 186 1bf693c8b9b-1bf693c8ba2 179->186 187 1bf693c8b6a-1bf693c8b7d 180->187 188 1bf693c8b7f-1bf693c8b86 180->188 192 1bf693c91ce-1bf693c91d7 181->192 193 1bf693c9076-1bf693c9083 181->193 182->190 194 1bf693c8ceb-1bf693c8cf2 183->194 195 1bf693c8cd8-1bf693c8ce7 183->195 184->158 185->177 196 1bf693c8ba6-1bf693c8bab 185->196 186->196 187->186 188->186 197 1bf693c8b88-1bf693c8b97 188->197 190->163 200 1bf693c8fcd 190->200 192->165 198 1bf693c90c4-1bf693c90d1 193->198 199 1bf693c9085-1bf693c90bf 193->199 194->184 195->194 196->147 197->186 202 1bf693c90d3-1bf693c910f 198->202 203 1bf693c9114-1bf693c9121 198->203 201 1bf693c91b4 199->201 200->163 201->181 202->201 204 1bf693c9167-1bf693c9174 203->204 205 1bf693c9123-1bf693c9165 203->205 204->201 206 1bf693c9176-1bf693c91b1 204->206 205->201 206->201
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocLibraryLoadVirtual
                      • String ID:
                      • API String ID: 3550616410-0
                      • Opcode ID: e5779a8fec03a52a41f730243e1c668b38c4984dd735e796280ec9111f67fa25
                      • Instruction ID: 97c45bc2f111b1e7e9cb78480c7f89e345e9e9a66d0b304ee569ceaa74c66642
                      • Opcode Fuzzy Hash: e5779a8fec03a52a41f730243e1c668b38c4984dd735e796280ec9111f67fa25
                      • Instruction Fuzzy Hash: 6A62B376601B988EDB50CF6AC88139C37F5F748B9CF11912AEE4D87B68DB38C5918740
                      Function 000001BF6942F118 Relevance: 3.0, APIs: 2, Instructions: 42networkCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CleanupStartup
                      • String ID:
                      • API String ID: 915672949-0
                      • Opcode ID: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                      • Instruction ID: 709aa66fe42db35619a642fbe5fcc4c95feb92e15f40e2db843477df1d69fafe
                      • Opcode Fuzzy Hash: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                      • Instruction Fuzzy Hash: EE11D670605B4586FB28AB61EC593E43395E798304F84C03E9E550A2D7DF7A855B9B00

                      Non-executed Functions

                      Function 000001BF69446514 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 562 1bf69446514-1bf6944655c call 1bf69440ac0 565 1bf69446565-1bf69446568 562->565 566 1bf6944655e-1bf69446560 562->566 568 1bf69446589-1bf694465bb 565->568 569 1bf6944656a-1bf69446584 call 1bf69441ca8 call 1bf69441d18 call 1bf69442340 565->569 567 1bf69446c26-1bf69446c4f call 1bf69447e20 566->567 571 1bf694465c6-1bf694465cc 568->571 572 1bf694465bd-1bf694465c4 568->572 569->567 575 1bf694465db-1bf694465e4 call 1bf694499bc 571->575 576 1bf694465ce-1bf694465d6 call 1bf69447cec 571->576 572->569 572->571 584 1bf694468a6-1bf694468b7 575->584 585 1bf694465ea-1bf694465fb 575->585 576->575 586 1bf694468bd-1bf694468c9 584->586 587 1bf69446b88-1bf69446ba4 WriteFile 584->587 585->584 589 1bf69446601-1bf69446635 call 1bf69445844 call 1bf69452408 585->589 593 1bf694468cf-1bf694468d2 586->593 594 1bf69446997-1bf6944699b 586->594 591 1bf69446ba6-1bf69446bac 587->591 592 1bf69446bae-1bf69446bb4 call 1bf69452328 587->592 589->584 617 1bf6944663b-1bf6944663d 589->617 598 1bf69446bb6-1bf69446bb8 591->598 592->598 600 1bf69446be6-1bf69446bfc 593->600 601 1bf694468d8 593->601 596 1bf69446a76-1bf69446a79 594->596 597 1bf694469a1-1bf694469a4 594->597 596->600 610 1bf69446a7f 596->610 597->600 603 1bf694469aa 597->603 607 1bf69446c20-1bf69446c24 598->607 608 1bf69446bba-1bf69446bbc 598->608 604 1bf69446bfe-1bf69446c02 600->604 605 1bf69446c08-1bf69446c18 call 1bf69441d18 call 1bf69441ca8 600->605 609 1bf694468db-1bf694468e6 601->609 612 1bf694469af-1bf694469ba 603->612 604->566 604->605 605->607 607->567 608->600 614 1bf69446bbe-1bf69446bc1 608->614 615 1bf694468e8-1bf694468f1 609->615 616 1bf69446a85-1bf69446a8a 610->616 618 1bf694469bc-1bf694469c5 612->618 620 1bf69446bc3-1bf69446bd3 call 1bf69441d18 call 1bf69441ca8 614->620 621 1bf69446bda-1bf69446be1 call 1bf69441cc8 614->621 622 1bf694468f3-1bf694468fc 615->622 623 1bf69446919-1bf6944695c WriteFile 615->623 624 1bf69446a8c-1bf69446a95 616->624 627 1bf6944663f-1bf69446642 617->627 628 1bf69446648-1bf6944665c call 1bf69452410 617->628 629 1bf694469c7-1bf694469d4 618->629 630 1bf694469f8-1bf69446a3b WriteFile 618->630 620->621 621->600 633 1bf694468fe-1bf69446905 622->633 634 1bf69446908-1bf69446917 622->634 623->592 635 1bf69446962-1bf69446978 623->635 625 1bf69446ac6-1bf69446b0f call 1bf69452418 624->625 626 1bf69446a97-1bf69446aa4 624->626 625->592 653 1bf69446b15 625->653 638 1bf69446aa6-1bf69446aae 626->638 639 1bf69446ab2-1bf69446ac4 626->639 627->584 627->628 654 1bf69446662-1bf69446665 628->654 655 1bf6944689d-1bf694468a1 628->655 641 1bf694469e4-1bf694469f6 629->641 642 1bf694469d6-1bf694469e0 629->642 630->592 645 1bf69446a41-1bf69446a57 630->645 633->634 634->615 634->623 635->598 647 1bf6944697e-1bf6944698c 635->647 638->639 639->624 639->625 641->618 641->630 642->641 645->598 650 1bf69446a5d-1bf69446a6b 645->650 647->609 652 1bf69446992 647->652 650->612 656 1bf69446a71 650->656 652->598 658 1bf69446b17-1bf69446b51 WriteFile 653->658 659 1bf694467ef-1bf694467f4 654->659 660 1bf6944666b-1bf6944668a 654->660 655->608 656->598 663 1bf69446b53-1bf69446b5d 658->663 664 1bf69446b61-1bf69446b69 call 1bf69452328 658->664 661 1bf69446814 659->661 662 1bf694467f6-1bf69446812 659->662 665 1bf694466ac-1bf694466b6 call 1bf69448738 660->665 666 1bf6944668c-1bf694466aa 660->666 667 1bf69446819-1bf6944681e 661->667 662->667 663->658 668 1bf69446b5f 663->668 675 1bf69446b6d-1bf69446b6f 664->675 682 1bf694466ec-1bf694466f2 665->682 683 1bf694466b8-1bf694466c5 665->683 670 1bf694466f5-1bf69446702 call 1bf6944adec 666->670 672 1bf6944685f 667->672 673 1bf69446820-1bf6944682f call 1bf6944adf4 667->673 668->675 687 1bf69446894-1bf69446898 670->687 688 1bf69446708-1bf69446745 call 1bf69452418 670->688 680 1bf69446864-1bf6944686c 672->680 673->592 692 1bf69446835-1bf6944683b 673->692 675->598 681 1bf69446b71-1bf69446b80 675->681 680->687 689 1bf6944686e 680->689 681->616 690 1bf69446b86 681->690 682->670 684 1bf69446873-1bf6944688b 683->684 685 1bf694466cb-1bf694466e1 call 1bf6944adec 683->685 684->687 685->687 697 1bf694466e7-1bf694466ea 685->697 687->598 688->687 699 1bf6944674b-1bf6944677a WriteFile 688->699 689->654 690->598 692->672 695 1bf6944683d-1bf69446853 call 1bf6944adf4 692->695 695->592 702 1bf69446859-1bf6944685b 695->702 697->688 699->592 701 1bf69446780-1bf6944678e 699->701 701->687 703 1bf69446794-1bf6944679e 701->703 702->672 703->680 704 1bf694467a4-1bf694467d6 WriteFile 703->704 704->592 705 1bf694467dc-1bf694467e1 704->705 705->687 706 1bf694467e7-1bf694467ed 705->706 706->680
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: __doserrno_errno_invalid_parameter_noinfo
                      • String ID: U
                      • API String ID: 3902385426-4171548499
                      • Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                      • Instruction ID: 24ef45645d55900385cf900b11e27bd27abba5bcf96a519b14e1c7015085f914
                      • Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                      • Instruction Fuzzy Hash: B612C172214A8186EB208F24DC843EA77A1F79DF58F54C13AEE8947A9DDB39C547CB10
                      Function 000001BF6943867C Relevance: 46.6, APIs: 22, Strings: 4, Instructions: 1078processCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
                      • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                      • API String ID: 718051232-1833344708
                      • Opcode ID: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                      • Instruction ID: efab1268f64c13343b30e001d2f79e3f7905c78bfec4a131984426ff95a91578
                      • Opcode Fuzzy Hash: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                      • Instruction Fuzzy Hash: 79827C31B1564182FA68DB379C513E97391E78DB80F94C13E9E0A87BDAEF28C9439700
                      Function 000001BF69442F9C Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                      • String ID: $@
                      • API String ID: 3318157856-1077428164
                      • Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                      • Instruction ID: 1013b7aae78364f14ec96eb79353f75719655bee00673951f195a051420e881f
                      • Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                      • Instruction Fuzzy Hash: 4E52EF7260868586FB798B159E443EE7BA0F749F94F24C12DDE4607ADDEB38C842CB00
                      Function 000001BF69442528 Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 687COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                      • String ID:
                      • API String ID: 3318157856-3916222277
                      • Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                      • Instruction ID: f667d9f93ffd91b5dcbaec883d00bc4f618485db4d895d72b78ec874a3aacb04
                      • Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                      • Instruction Fuzzy Hash: F652DD72618A9486FB648A159D443EE7BA0F749F94F24D12DDE4A97ADCDF38C843CB00
                      Function 000001BF693D239C Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 694COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                      • String ID: $@
                      • API String ID: 3318157856-1077428164
                      • Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                      • Instruction ID: ecd9a81070ddb6bb92a2915376c29cadb267447661bc3ef2a6f9da67c57656af
                      • Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                      • Instruction Fuzzy Hash: 9B52357220468486FB648B95DE623EE7BA8F7CD740F14A22DDE46076D4DB78C96BC700
                      Function 000001BF693D1928 Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 645COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
                      • String ID: -$0
                      • API String ID: 3246410048-417717675
                      • Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                      • Instruction ID: 11a436da9678915563ac65910a8d3a87e618e7139cf7d4d951388bf4fca0de27
                      • Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                      • Instruction Fuzzy Hash: BC42E37260868486FB698BD59E623F97BA8F7C9740F14E22DDE46076D4D738C86BC700
                      Function 000001BF693D5914 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 2410 1bf693d5914-1bf693d595c call 1bf693cfec0 2413 1bf693d595e-1bf693d5960 2410->2413 2414 1bf693d5965-1bf693d5968 2410->2414 2415 1bf693d6026-1bf693d604f call 1bf693d7220 2413->2415 2416 1bf693d596a-1bf693d5984 call 1bf693d10a8 call 1bf693d1118 call 1bf693d1740 2414->2416 2417 1bf693d5989-1bf693d59bb 2414->2417 2416->2415 2418 1bf693d59bd-1bf693d59c4 2417->2418 2419 1bf693d59c6-1bf693d59cc 2417->2419 2418->2416 2418->2419 2422 1bf693d59db-1bf693d59e4 call 1bf693d8dbc 2419->2422 2423 1bf693d59ce-1bf693d59d6 call 1bf693d70ec 2419->2423 2431 1bf693d59ea-1bf693d59fb 2422->2431 2432 1bf693d5ca6-1bf693d5cb7 2422->2432 2423->2422 2431->2432 2436 1bf693d5a01-1bf693d5a35 call 1bf693d4c44 call 1bf693e1808 2431->2436 2434 1bf693d5cbd-1bf693d5cc9 2432->2434 2435 1bf693d5f88-1bf693d5fa4 call 1bf693e1700 2432->2435 2438 1bf693d5d97-1bf693d5d9b 2434->2438 2439 1bf693d5ccf-1bf693d5cd2 2434->2439 2450 1bf693d5fae-1bf693d5fb4 call 1bf693e1728 2435->2450 2451 1bf693d5fa6-1bf693d5fac 2435->2451 2436->2432 2471 1bf693d5a3b-1bf693d5a3d 2436->2471 2442 1bf693d5e76-1bf693d5e79 2438->2442 2443 1bf693d5da1-1bf693d5da4 2438->2443 2444 1bf693d5cd8 2439->2444 2445 1bf693d5fe6-1bf693d5ffc 2439->2445 2442->2445 2455 1bf693d5e7f 2442->2455 2443->2445 2448 1bf693d5daa 2443->2448 2449 1bf693d5cdb-1bf693d5ce6 2444->2449 2452 1bf693d5ffe-1bf693d6002 2445->2452 2453 1bf693d6008-1bf693d6018 call 1bf693d1118 call 1bf693d10a8 2445->2453 2456 1bf693d5daf-1bf693d5dba 2448->2456 2457 1bf693d5ce8-1bf693d5cf1 2449->2457 2458 1bf693d5fb6-1bf693d5fb8 2450->2458 2451->2458 2452->2413 2452->2453 2469 1bf693d6020-1bf693d6024 2453->2469 2462 1bf693d5e85-1bf693d5e8a 2455->2462 2464 1bf693d5dbc-1bf693d5dc5 2456->2464 2465 1bf693d5d19-1bf693d5d5c call 1bf693e1700 2457->2465 2466 1bf693d5cf3-1bf693d5cfc 2457->2466 2468 1bf693d5fba-1bf693d5fbc 2458->2468 2458->2469 2463 1bf693d5e8c-1bf693d5e95 2462->2463 2472 1bf693d5e97-1bf693d5ea4 2463->2472 2473 1bf693d5ec6-1bf693d5f0f call 1bf693e1818 2463->2473 2474 1bf693d5df8-1bf693d5e3b call 1bf693e1700 2464->2474 2475 1bf693d5dc7-1bf693d5dd4 2464->2475 2465->2450 2498 1bf693d5d62-1bf693d5d78 2465->2498 2476 1bf693d5cfe-1bf693d5d05 2466->2476 2477 1bf693d5d08-1bf693d5d17 2466->2477 2468->2445 2479 1bf693d5fbe-1bf693d5fc1 2468->2479 2469->2415 2481 1bf693d5a48-1bf693d5a5c call 1bf693e1810 2471->2481 2482 1bf693d5a3f-1bf693d5a42 2471->2482 2484 1bf693d5ea6-1bf693d5eae 2472->2484 2485 1bf693d5eb2-1bf693d5ec4 2472->2485 2473->2450 2503 1bf693d5f15 2473->2503 2474->2450 2504 1bf693d5e41-1bf693d5e57 2474->2504 2487 1bf693d5de4-1bf693d5df6 2475->2487 2488 1bf693d5dd6-1bf693d5de0 2475->2488 2476->2477 2477->2457 2477->2465 2491 1bf693d5fda-1bf693d5fe1 call 1bf693d10c8 2479->2491 2492 1bf693d5fc3-1bf693d5fd3 call 1bf693d1118 call 1bf693d10a8 2479->2492 2500 1bf693d5c9d-1bf693d5ca1 2481->2500 2501 1bf693d5a62-1bf693d5a65 2481->2501 2482->2432 2482->2481 2484->2485 2485->2463 2485->2473 2487->2464 2487->2474 2488->2487 2491->2445 2492->2491 2498->2458 2505 1bf693d5d7e-1bf693d5d8c 2498->2505 2500->2468 2508 1bf693d5a6b-1bf693d5a8a 2501->2508 2509 1bf693d5bef-1bf693d5bf4 2501->2509 2510 1bf693d5f17-1bf693d5f51 call 1bf693e1700 2503->2510 2504->2458 2511 1bf693d5e5d-1bf693d5e6b 2504->2511 2505->2449 2512 1bf693d5d92 2505->2512 2514 1bf693d5aac-1bf693d5ab6 call 1bf693d7b38 2508->2514 2515 1bf693d5a8c-1bf693d5aaa 2508->2515 2518 1bf693d5c14 2509->2518 2519 1bf693d5bf6-1bf693d5c12 2509->2519 2527 1bf693d5f53-1bf693d5f5d 2510->2527 2528 1bf693d5f61-1bf693d5f69 call 1bf693e1728 2510->2528 2511->2456 2517 1bf693d5e71 2511->2517 2512->2458 2532 1bf693d5aec-1bf693d5af2 2514->2532 2533 1bf693d5ab8-1bf693d5ac5 2514->2533 2521 1bf693d5af5-1bf693d5b02 call 1bf693da1ec 2515->2521 2517->2458 2520 1bf693d5c19-1bf693d5c1e 2518->2520 2519->2520 2524 1bf693d5c20-1bf693d5c2f call 1bf693da1f4 2520->2524 2525 1bf693d5c5f 2520->2525 2537 1bf693d5b08-1bf693d5b45 call 1bf693e1818 2521->2537 2538 1bf693d5c94-1bf693d5c98 2521->2538 2524->2450 2547 1bf693d5c35-1bf693d5c3b 2524->2547 2534 1bf693d5c64-1bf693d5c6c 2525->2534 2527->2510 2535 1bf693d5f5f 2527->2535 2543 1bf693d5f6d-1bf693d5f6f 2528->2543 2532->2521 2540 1bf693d5acb-1bf693d5ae1 call 1bf693da1ec 2533->2540 2541 1bf693d5c73-1bf693d5c8b 2533->2541 2534->2538 2542 1bf693d5c6e 2534->2542 2535->2543 2537->2538 2553 1bf693d5b4b-1bf693d5b7a call 1bf693e1700 2537->2553 2538->2458 2540->2538 2555 1bf693d5ae7-1bf693d5aea 2540->2555 2541->2538 2542->2501 2543->2458 2545 1bf693d5f71-1bf693d5f80 2543->2545 2545->2462 2549 1bf693d5f86 2545->2549 2547->2525 2551 1bf693d5c3d-1bf693d5c53 call 1bf693da1f4 2547->2551 2549->2458 2551->2450 2559 1bf693d5c59-1bf693d5c5b 2551->2559 2553->2450 2560 1bf693d5b80-1bf693d5b8e 2553->2560 2555->2537 2559->2525 2560->2538 2561 1bf693d5b94-1bf693d5b9e 2560->2561 2561->2534 2562 1bf693d5ba4-1bf693d5bd6 call 1bf693e1700 2561->2562 2562->2450 2565 1bf693d5bdc-1bf693d5be1 2562->2565 2565->2538 2566 1bf693d5be7-1bf693d5bed 2565->2566 2566->2534
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: __doserrno_errno_invalid_parameter_noinfo
                      • String ID: U
                      • API String ID: 3902385426-4171548499
                      • Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                      • Instruction ID: c3a6a997b4f5103316e9a1a08a504dcb6b1421762c43f03b52207924f003e5c7
                      • Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                      • Instruction Fuzzy Hash: 6412263221464186EB208FA4D8953DEB7A9F7CD754F50923AEF4987698CB3DC46ACB10
                      Function 000001BF69437B38 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 545COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 2567 1bf69437b38-1bf69437bad call 1bf6943f530 call 1bf6943b454 call 1bf69436104 2574 1bf69437bb1-1bf69437bbf call 1bf69436114 2567->2574 2577 1bf69437bc5 2574->2577 2578 1bf69437f4a-1bf69437f4d 2574->2578 2579 1bf69437f29 2577->2579 2580 1bf69437bcb-1bf69437bcd 2577->2580 2581 1bf69437f53-1bf69437f55 2578->2581 2582 1bf69438218-1bf69438250 call 1bf6943f530 call 1bf69436284 2578->2582 2583 1bf69437f2b-1bf69437f3d call 1bf69430de0 2579->2583 2584 1bf694382f5-1bf694382f8 2580->2584 2585 1bf69437bd3-1bf69437bd5 2580->2585 2586 1bf69438162-1bf694381bb call 1bf6943f530 call 1bf69436284 call 1bf6943f63c 2581->2586 2587 1bf69437f5b-1bf69437f5d 2581->2587 2618 1bf69438252-1bf69438263 call 1bf6943f63c 2582->2618 2619 1bf69438265-1bf69438276 call 1bf6943f63c 2582->2619 2600 1bf69437f42-1bf69437f45 2583->2600 2596 1bf694383a3-1bf694383c3 2584->2596 2597 1bf694382fe-1bf69438301 2584->2597 2591 1bf69437ed6-1bf69437f16 call 1bf6943f530 call 1bf69436284 call 1bf6943f920 2585->2591 2592 1bf69437bdb-1bf69437bdd 2585->2592 2640 1bf694382e5 2586->2640 2676 1bf694381c1-1bf694381c4 2586->2676 2593 1bf69437f63-1bf69437f65 2587->2593 2594 1bf6943815b-1bf6943815d 2587->2594 2678 1bf69437f19-1bf69437f20 2591->2678 2601 1bf69437be3-1bf69437be5 2592->2601 2602 1bf69437e4b-1bf69437e8b call 1bf6943f530 call 1bf69436284 call 1bf6943f920 2592->2602 2604 1bf694380cb-1bf694380fe call 1bf6943f63c 2593->2604 2605 1bf69437f6b-1bf69437f6d 2593->2605 2594->2583 2597->2596 2598 1bf69438307-1bf6943830f 2597->2598 2598->2598 2608 1bf69438311-1bf69438314 2598->2608 2610 1bf694380b4-1bf694380c6 call 1bf6943f530 2600->2610 2612 1bf69437e0e-1bf69437e2b call 1bf69421258 2601->2612 2613 1bf69437beb-1bf69437bed 2601->2613 2694 1bf69437e8e-1bf69437e95 2602->2694 2604->2640 2641 1bf69438104-1bf69438107 2604->2641 2616 1bf69437f73-1bf69437f76 2605->2616 2617 1bf6943808c-1bf694380a9 call 1bf69430d04 2605->2617 2608->2596 2620 1bf6943831a-1bf69438349 call 1bf6943f63c 2608->2620 2612->2596 2656 1bf69437e31-1bf69437e49 call 1bf6943f530 2612->2656 2626 1bf69437df6-1bf69437e09 call 1bf6943f920 2613->2626 2627 1bf69437bf3-1bf69437bf5 2613->2627 2630 1bf69438074-1bf69438087 call 1bf69430eac 2616->2630 2631 1bf69437f7c-1bf69437f7e 2616->2631 2617->2596 2655 1bf694380af 2617->2655 2654 1bf6943827b-1bf6943828c 2618->2654 2619->2654 2673 1bf6943839b-1bf6943839e call 1bf6943f920 2620->2673 2674 1bf6943834b 2620->2674 2626->2574 2646 1bf69437d17-1bf69437d53 call 1bf6943f530 call 1bf69436284 2627->2646 2647 1bf69437bfb-1bf69437bfd 2627->2647 2630->2600 2631->2574 2643 1bf69437f84-1bf69437fac call 1bf6943f530 call 1bf69436284 2631->2643 2657 1bf694382eb-1bf694382f0 call 1bf6943f920 2640->2657 2658 1bf6943810d-1bf69438154 2641->2658 2703 1bf69437fe5-1bf69438002 call 1bf6943f63c 2643->2703 2704 1bf69437fae 2643->2704 2705 1bf69437d55-1bf69437d6b call 1bf6943f63c 2646->2705 2706 1bf69437d6d-1bf69437d83 call 1bf6943f63c 2646->2706 2648 1bf69437bff-1bf69437c01 2647->2648 2649 1bf69437c58-1bf69437cba call 1bf6943f530 call 1bf69436284 call 1bf6943f63c 2647->2649 2648->2574 2664 1bf69437c03-1bf69437c13 call 1bf69436114 2648->2664 2649->2640 2725 1bf69437cc0-1bf69437cc3 2649->2725 2654->2640 2666 1bf6943828e-1bf69438291 2654->2666 2655->2610 2692 1bf69437ec9-1bf69437ed1 2656->2692 2657->2574 2658->2658 2670 1bf69438156 2658->2670 2699 1bf69437c15-1bf69437c2b call 1bf6943f920 2664->2699 2700 1bf69437c2d-1bf69437c30 2664->2700 2679 1bf69438297-1bf694382de 2666->2679 2670->2574 2673->2596 2685 1bf69438350-1bf69438397 2674->2685 2688 1bf694381ca-1bf69438211 2676->2688 2678->2678 2690 1bf69437f22-1bf69437f24 2678->2690 2679->2679 2691 1bf694382e0 2679->2691 2685->2685 2696 1bf69438399 2685->2696 2688->2688 2698 1bf69438213 2688->2698 2690->2574 2691->2574 2692->2657 2694->2694 2702 1bf69437e97-1bf69437ea9 call 1bf6943f920 2694->2702 2696->2596 2698->2574 2699->2574 2700->2574 2708 1bf69437c36-1bf69437c53 call 1bf6943f920 2700->2708 2726 1bf69437eac-1bf69437eb3 2702->2726 2721 1bf69438007-1bf69438017 2703->2721 2711 1bf69437fb1-1bf69437fb9 2704->2711 2722 1bf69437d88-1bf69437d99 2705->2722 2706->2722 2708->2574 2711->2711 2719 1bf69437fbb-1bf69437fbe 2711->2719 2719->2703 2727 1bf69437fc0-1bf69437fe3 call 1bf6943f63c 2719->2727 2721->2640 2728 1bf6943801d-1bf69438020 2721->2728 2722->2640 2723 1bf69437d9f-1bf69437da2 2722->2723 2729 1bf69437da8-1bf69437def 2723->2729 2730 1bf69437cc9-1bf69437d10 2725->2730 2726->2726 2731 1bf69437eb5-1bf69437ec6 call 1bf6943f530 2726->2731 2727->2721 2733 1bf69438026-1bf6943806d 2728->2733 2729->2729 2735 1bf69437df1 2729->2735 2730->2730 2736 1bf69437d12 2730->2736 2731->2692 2733->2733 2734 1bf6943806f 2733->2734 2734->2574 2735->2574 2736->2574
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintf$_errno_invalid_parameter_noinfo
                      • String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
                      • API String ID: 3442832105-1222817042
                      • Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                      • Instruction ID: 2dc4b5e11b069fad534880cb02dbff33f9b3595ab0c752cb125940226d4b03d7
                      • Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                      • Instruction Fuzzy Hash: F8429272614E8592FA258B7AE4013E9B3A0FF98759F04D119DF8917B61EF38D2A3D340
                      Function 000001BF69431C30 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150filetimeCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
                      • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                      • API String ID: 723279517-1754256099
                      • Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                      • Instruction ID: 853e1cfc7af902d13b6a61ec5fcd20494328f348b4037988dc2692894658c2fc
                      • Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                      • Instruction Fuzzy Hash: 3F615E7130475186EB10DB62E8416EEB7A1F789B94F40C02EEE4943B99EF79C60BCB40
                      Function 000001BF693C6F38 Relevance: 18.5, APIs: 10, Strings: 2, Instructions: 545COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintf$_errno_invalid_parameter_noinfo
                      • String ID: nop -exec bypass -EncodedCommand "%s"$not create token: %d
                      • API String ID: 3442832105-3652497171
                      • Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                      • Instruction ID: 35ad5441480a3d763ba5d2f1f22955d2bacf68d26b0821ecbbb6401e77c42faa
                      • Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                      • Instruction Fuzzy Hash: 1D429172614E85D2EA258B29D4022E9B3B4FFD8799F049115EF8917B61EF38D6B3C340
                      Function 000001BF69430F34 Relevance: 18.2, APIs: 12, Instructions: 163processCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
                      • String ID:
                      • API String ID: 3044875250-0
                      • Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                      • Instruction ID: bf3588846f3a768ac53f1eda17e7773b7fbe1d4b6917abc36acd0eb16d7b335e
                      • Opcode Fuzzy Hash: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                      • Instruction Fuzzy Hash: A2714772215B4086EB609F76E8843DE73A1F75CB98F50C13EEE4943A95DF78C8968B40
                      Function 000001BF69439220 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87fileCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
                      • String ID: %s\*
                      • API String ID: 2620626937-766152087
                      • Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                      • Instruction ID: 9329d88ab2f5a633c0db26a3bf165821b629d4e55420774ec92623ce3f1f1b14
                      • Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                      • Instruction Fuzzy Hash: FF318A7130468185EA199BA36C103EA7B61E74EFD0F88C16E9EA5077DACF39C443D300
                      Function 000001BF69433A64 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113sleepprocesslibraryCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
                      • String ID: NtQueueApcThread$ntdll
                      • API String ID: 1427994231-1374908105
                      • Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                      • Instruction ID: 11f49cf2c8ef4942b9b8695f74d6864ae8f494e6166b166ea291e47b5a647e0f
                      • Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                      • Instruction Fuzzy Hash: 1A41F432601B4199EB60DBB2A8403DD73A5FB4CB88F94C13EAE4957B99EF38C546C740
                      Function 000001BF69436A78 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: bindclosesockethtonsioctlsocketlistensocket
                      • String ID:
                      • API String ID: 1767165869-0
                      • Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                      • Instruction ID: e2d72b337567bd5e8831b3820b0f848f8f55dc061e63d7f9842aceb9e5fbaf12
                      • Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                      • Instruction Fuzzy Hash: 4721DF71210A5482EB249F66AC112D9B7A0F78CFA4F94C63DDE5A477A4CF3CD84B8B00
                      Function 000001BF69436670 Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                      • String ID:
                      • API String ID: 3910169428-0
                      • Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                      • Instruction ID: 1aa49d63405f8d10545a17476d8eccac528d737bf1739c3bf8c5796c13b2c4de
                      • Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                      • Instruction Fuzzy Hash: BC218C75211A5486E7289F62E8143D93760F78CBA4F94C23D9E5A433D4DF3CC94BC640
                      Function 000001BF6943DF50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
                      • String ID: %s\%s
                      • API String ID: 3621627092-4073750446
                      • Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                      • Instruction ID: 8813e0892027766c97df23243caa3e23dc4a59239c662a115a9fd046ff5154b5
                      • Opcode Fuzzy Hash: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                      • Instruction Fuzzy Hash: 35411770314B4181FB00AB62ED957DA33A1EB8DB80F50C03EAE6947796DF39C5479740
                      Function 000001BF6942FA1C Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountSleepTick$closesocket
                      • String ID:
                      • API String ID: 2363407838-0
                      • Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                      • Instruction ID: ee99eb6fe0a8e471c8b436ad35c783b830514080149127dcbe8a668c4c033b4c
                      • Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                      • Instruction Fuzzy Hash: 1321803170464041EA10A762AC452DE7390F78DBA0F84C739ADBA47BD6DF38C5079B41
                      Function 000001BF6943EE8C Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: bindclosesockethtonslistensocket
                      • String ID:
                      • API String ID: 564772725-0
                      • Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                      • Instruction ID: 6eff6478bbe547bf1883c3ce1be5969ca8e369fb13855bca36e58675feac17f8
                      • Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                      • Instruction Fuzzy Hash: 7E11B43561465482E624AF62AC552EBB360F788BA0F44C23EEE99077D4CF7CC5078704
                      Function 000001BF69430B70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                      • String ID: %s
                      • API String ID: 4244140340-620797490
                      • Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                      • Instruction ID: dc3bca69638fbdf61ee659202f314295253630f76321df94032cdc07ae976511
                      • Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                      • Instruction Fuzzy Hash: 61214872B00B009AEB149BB6D8557ED33A5F758B88F44C52E8E4C93A89EF74C616C380
                      Function 000001BF69435854 Relevance: 6.1, APIs: 4, Instructions: 73sleepnetworkCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountTick$ErrorLastSleepioctlsocket
                      • String ID:
                      • API String ID: 1121440892-0
                      • Opcode ID: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                      • Instruction ID: 26098a2adbd3269872b790f0bd96de7fcece087efe2de7c6a7faf314c2e02a4c
                      • Opcode Fuzzy Hash: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                      • Instruction Fuzzy Hash: 0B311536B00B4086EB10DBA2E8842EC77B5F78DB94F51862E9E5D93B95DF30C556C340
                      Function 000001BF693DB7B0 Relevance: 5.9, Strings: 4, Instructions: 884COMMONLIBRARYCODE
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: $<$ailure #%d - %s$e '
                      • API String ID: 0-963976815
                      • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                      • Instruction ID: 40ce63bc74d356575d98f3fa18355e47f9c0d418562324c44ac8c928b46151d1
                      • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                      • Instruction Fuzzy Hash: C092DEB2325A8087DB58CB1DE4A177AB7A5F3C8B84F44513AEB9B87794CA3CC551CB04
                      Function 000001BF6942DA3C Relevance: 4.9, APIs: 3, Instructions: 374memoryCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
                      • String ID:
                      • API String ID: 3419463915-0
                      • Opcode ID: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                      • Instruction ID: b59e527f7704ba68ab0a2d8056a1c5c5a43bba7c680c038d03b3a5d6180aa1be
                      • Opcode Fuzzy Hash: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                      • Instruction Fuzzy Hash: BDE15B72610B4187FB64CB26ED513EA73A1FB48754F44C13A9F8A97A96EB79E046C300
                      Function 000001BF6943DEC8 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocateCheckFreeInitializeMembershipToken
                      • String ID:
                      • API String ID: 3429775523-0
                      • Opcode ID: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                      • Instruction ID: 0ed515ccb61a5c90c1c3abbad0c379285ad1187ad27d4f731fec8fc44fb7f4d1
                      • Opcode Fuzzy Hash: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                      • Instruction Fuzzy Hash: 6E011E73624A418FE7208F60E8453EE37B0F35876EF115919F64946A99CB7CC15ACB80
                      Function 000001BF6944C3B0 Relevance: 3.4, Strings: 2, Instructions: 884COMMONLIBRARYCODE
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: $<
                      • API String ID: 0-428540627
                      • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                      • Instruction ID: c28c30ab41ea8dfc647a02342c6430fc11765260d941f8c6deaa8dd0eb718138
                      • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                      • Instruction Fuzzy Hash: 9092D1B2325A4087DB58CB1DE4A177AB7A1F3C8B84F44513AEB9B87798CA3CD551CB04
                      Function 000001BF69431268 Relevance: 3.0, APIs: 2, Instructions: 32processCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateErrorLastLogonProcessWith
                      • String ID:
                      • API String ID: 2609480667-0
                      • Opcode ID: 8fcebf3f7d0e2333a3ca458f2652207579a2a29baf972c8fdebcbca856c98942
                      • Instruction ID: a576372ab7b40e23db907a4052ed9076308fb841c7c6d23d8832af640bd05a69
                      • Opcode Fuzzy Hash: 8fcebf3f7d0e2333a3ca458f2652207579a2a29baf972c8fdebcbca856c98942
                      • Instruction Fuzzy Hash: 5F0196B6714B0482EB509B66EC897D933A0F30DB94F14813ADE6C8B351DB2AC8979754
                      Function 000001BF693DC397 Relevance: 2.6, Strings: 2, Instructions: 134COMMON
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: ailure #%d - %s$e '
                      • API String ID: 0-4163927988
                      • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                      • Instruction ID: 33606cb62ef5b59f48c8f37bb939b396ed1edff5580cc9cb7ebfb4a4b37ac895
                      • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                      • Instruction Fuzzy Hash: 7D613DB6214A508BDB14CB0DE4916AAB7E1F3CC784F84421EE78B8B768CB3CD555CB40
                      Function 000001BF69435BB8 Relevance: 1.5, APIs: 1, Instructions: 40networkCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: recv
                      • String ID:
                      • API String ID: 1507349165-0
                      • Opcode ID: 27e96e658a273ef1840c1d974b0ce0e87452b73cc9428401dd906c37ac757cfd
                      • Instruction ID: ac9599111d24a34146e5ca82cd4d7a39a6d0ba85da29d067561d865fe404b20c
                      • Opcode Fuzzy Hash: 27e96e658a273ef1840c1d974b0ce0e87452b73cc9428401dd906c37ac757cfd
                      • Instruction Fuzzy Hash: 1E016D32320A9085E7609F3BA990699B7A1F788BC4F599139DE5997B95CB38C8828700
                      Function 000001BF69430920 Relevance: 1.5, APIs: 1, Instructions: 33pipeCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateNamedPipe
                      • String ID:
                      • API String ID: 2489174969-0
                      • Opcode ID: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                      • Instruction ID: e96304f747d35ae4977bc3ee35cd995bfa714c214a2d566a66e6aad85397d13a
                      • Opcode Fuzzy Hash: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                      • Instruction Fuzzy Hash: 28016971525B419AEB118B21F8443D977A1F79C379F54C32CDAA8426D5EB3CC01BCB00
                      Function 000001BF6944DBF0 Relevance: .6, Instructions: 617COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                      • Instruction ID: 676bea097551cea591d87a65f741ef857b1dc893d52068f6f3559f158150f970
                      • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                      • Instruction Fuzzy Hash: 83524FB22189458BDB08CB1CE4A177AB7E1F3C9B80F44852AE7878B799CB3DD555CB40
                      Function 000001BF693DCFF0 Relevance: .6, Instructions: 617COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                      • Instruction ID: c4a1f22ddf1ce29eae1b5273f3335d8a53b2e99f5ade66bf48809f5b51de76d1
                      • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                      • Instruction Fuzzy Hash: 48526FB22149458BD708CB1DE4A177AB7A1F3C9B80F44852AE79B8B799CF3CD955CB00
                      Function 000001BF6944D280 Relevance: .6, Instructions: 592COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                      • Instruction ID: f94d3ec3ee59dbb6624d699e2714bf413188f1861a6534a9e76a5a8046e78adb
                      • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                      • Instruction Fuzzy Hash: D2522DB22149808BD708CB1DE4A177AB7A1F3C9B84F44852AE79B8B799CA3DD545CB40
                      Function 000001BF693DC680 Relevance: .6, Instructions: 592COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                      • Instruction ID: b359b5d1f00f4f0cf3929d823ac37305ec4674aaf6fd02eb5db6b2b5cfbc55ed
                      • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                      • Instruction Fuzzy Hash: 81522EB22149818BD708CF1DE4A177AB7E1F3CDB80F44852AE7868B799CA3DD955CB40
                      Function 000001BF6942A280 Relevance: .4, Instructions: 404COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free
                      • String ID:
                      • API String ID: 1294909896-0
                      • Opcode ID: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                      • Instruction ID: 9f9be21f8655acf85765f0af09650bbde49ee4d1bda5b7676fcd16283946362a
                      • Opcode Fuzzy Hash: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                      • Instruction Fuzzy Hash: 61F15472304A4296EB20CB259A507EE73A1FB9C794F50C139EE49876C9EF36C947CB40
                      Function 000001BF693B9680 Relevance: .4, Instructions: 404COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free
                      • String ID:
                      • API String ID: 1294909896-0
                      • Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                      • Instruction ID: 7bdd3b7a6a8b800258b935be6acf5ffe93f90990118c230c9743154021842591
                      • Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                      • Instruction Fuzzy Hash: 74F1557270464286EB60CE1598923DE73E9F7FE798F508139DE898768DEB34C916CB40
                      Function 000001BF693BCE3C Relevance: .4, Instructions: 374COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                      • Instruction ID: 60a3e7fae13a72b08df279ab86423875edbcc53e36f58c150e2e7becceba4223
                      • Opcode Fuzzy Hash: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                      • Instruction Fuzzy Hash: 26E171B2610B4187FB648B25EC423EA73A5F799754F04C139DF9A97A96DB3CE462C300
                      Function 000001BF69429D6C Relevance: .4, Instructions: 367COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free
                      • String ID:
                      • API String ID: 1294909896-0
                      • Opcode ID: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                      • Instruction ID: 74b294a2f3ffdce33f78c061c7cc18c84d533b63a2a28279d3573a61f51a8408
                      • Opcode Fuzzy Hash: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                      • Instruction Fuzzy Hash: A7E1C332304A4291EB209B64DE903EE77A1FB9C798F90C129DE4D976C9EB36C947C740
                      Function 000001BF693B916C Relevance: .4, Instructions: 367COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free
                      • String ID:
                      • API String ID: 1294909896-0
                      • Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                      • Instruction ID: 2c84472819a3c1e90fab284a5b9c31fb3890e1fd61220c4e1ba9cd490aa24f74
                      • Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                      • Instruction Fuzzy Hash: 0AE1B532704A4291EB109E14DC923DE77A9F7FA79CF81902ADE898769DEB34C917C740
                      Function 000001BF693C0334 Relevance: .2, Instructions: 163COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                      • Instruction ID: dfd88039940f752e6c0f32efe22cf150d9e8c86fd424b58df9d8e88a9218ffb3
                      • Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                      • Instruction Fuzzy Hash: 49713B72614B80C6EB609F61E8463DE73B9F78CB94F00953ADE4943795DF78C8A68B40
                      Function 000001BF6944CF97 Relevance: .1, Instructions: 134COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                      • Instruction ID: f8443c02837d9e76cda83cff927be29698b940c82c8b2f7fc911308e93714c1a
                      • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                      • Instruction Fuzzy Hash: 50610CB6214A508BDB14CB09E4906AAB7E1F3CCB95F84821EE78B87768DB3CD545CB40
                      Function 000001BF694522F0 Relevance: .1, Instructions: 132COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c1e5c6463728f0051346f4b79253f85ed871b9d9907b27a939ce1cb7741386f0
                      • Instruction ID: f9167b7f3527e2b8a5e2c7ee4b410c21bea35735bf558d14bef164ba97080300
                      • Opcode Fuzzy Hash: c1e5c6463728f0051346f4b79253f85ed871b9d9907b27a939ce1cb7741386f0
                      • Instruction Fuzzy Hash: 32519BAB50D9D50AF2B14AA40DAA2C83FC5F76A724F4AD06F8F40872C7EF4658079712
                      Function 000001BF694524C8 Relevance: .0, Instructions: 49COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bec5aa9e0f310a05a7d4e348bf464b8e7399085d368e634c26742dea36e6bc2f
                      • Instruction ID: 85311d30642e726dda3854104193f07997bd17d4e5ab071a9d667683af383cca
                      • Opcode Fuzzy Hash: bec5aa9e0f310a05a7d4e348bf464b8e7399085d368e634c26742dea36e6bc2f
                      • Instruction Fuzzy Hash: 7F119BA750E6C41AE2A30A640C761DD3F95E7ABB14B8ED09BDB80872C7DB090C1B8312
                      Function 000001BF694524D0 Relevance: .0, Instructions: 46COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cd184dd02204bbe27ad0a0aa26dad8171a75185b1ecfb51ba8d19fb54c587de9
                      • Instruction ID: 01fb045006b715d8a00896f98a9acdd0bada8ae3b899e2f8702c1c74fb564428
                      • Opcode Fuzzy Hash: cd184dd02204bbe27ad0a0aa26dad8171a75185b1ecfb51ba8d19fb54c587de9
                      • Instruction Fuzzy Hash: 02119AA750EAC41AE2A34A640C761DD3F91E7ABB14B8ED09FDB80862C7DB490C178312
                      Function 000001BF69436BE0 Relevance: 22.7, APIs: 15, Instructions: 195networkCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 2791 1bf69436be0-1bf69436c20 2792 1bf69436c26-1bf69436c2c 2791->2792 2793 1bf69436f13-1bf69436f29 2791->2793 2794 1bf69436c31-1bf69436c35 2792->2794 2795 1bf69436efc-1bf69436f03 2794->2795 2796 1bf69436c3b-1bf69436cb9 call 1bf69452600 select 2794->2796 2795->2793 2798 1bf69436f05 2795->2798 2800 1bf69436cbf-1bf69436cca __WSAFDIsSet 2796->2800 2801 1bf69436d8d-1bf69436d91 2796->2801 2798->2794 2800->2795 2802 1bf69436cd0-1bf69436d01 accept call 1bf694525c8 2800->2802 2803 1bf69436e26-1bf69436e31 2801->2803 2804 1bf69436d97-1bf69436da2 __WSAFDIsSet 2801->2804 2819 1bf69436f0a-1bf69436f0d call 1bf694525e8 2802->2819 2820 1bf69436d07-1bf69436d88 call 1bf69436b7c call 1bf694363e0 call 1bf6942d044 call 1bf6942d074 * 2 call 1bf694361e4 call 1bf6942d1b8 call 1bf6942d020 2802->2820 2805 1bf69436e33-1bf69436e3a __WSAFDIsSet 2803->2805 2806 1bf69436e67-1bf69436e6e call 1bf6944c3a4 2803->2806 2804->2795 2808 1bf69436da8-1bf69436e21 accept call 1bf69435a20 call 1bf694351b4 2804->2808 2809 1bf69436e40-1bf69436e52 __WSAFDIsSet 2805->2809 2810 1bf69436ee9-1bf69436eed 2805->2810 2806->2810 2823 1bf69436e70-1bf69436e82 __WSAFDIsSet 2806->2823 2808->2795 2815 1bf69436e58-1bf69436e62 2809->2815 2816 1bf69436edb-1bf69436ee7 call 1bf694522e8 2809->2816 2817 1bf69436ef0-1bf69436ef7 2810->2817 2815->2817 2816->2795 2816->2810 2817->2795 2819->2793 2820->2795 2823->2815 2828 1bf69436e84-1bf69436e93 __WSAFDIsSet 2823->2828 2828->2816 2830 1bf69436e95-1bf69436eb9 accept 2828->2830 2832 1bf69436ec4-1bf69436ec8 2830->2832 2833 1bf69436ebb-1bf69436ec2 2830->2833 2835 1bf69436ece-1bf69436ed9 call 1bf694525e8 2832->2835 2833->2835 2835->2795
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: acceptioctlsocket$closesockethtonlselect
                      • String ID:
                      • API String ID: 2003300010-0
                      • Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                      • Instruction ID: a7dfe62d65053e50046c79fe56deae54ccec58a1e2ef520dcdebbc2ddd2914b5
                      • Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                      • Instruction Fuzzy Hash: B3915872610A919AEB20DF76ED417DD33A1F788B98F00C12ADE4D47A99DF35C56ACB00
                      Function 000001BF6942EC04 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165networksleepCOMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 2852 1bf6942ec04-1bf6942ec7b call 1bf6943f530 * 3 2859 1bf6942ec81-1bf6942ec99 call 1bf694383d0 2852->2859 2860 1bf6942eeba-1bf6942eed2 2852->2860 2863 1bf6942ece8-1bf6942ecfe call 1bf6943f63c 2859->2863 2864 1bf6942ec9b-1bf6942eca2 2859->2864 2868 1bf6942ed03-1bf6942ed23 call 1bf6943f63c 2863->2868 2865 1bf6942eca5-1bf6942ecac 2864->2865 2865->2865 2867 1bf6942ecae-1bf6942ecb1 2865->2867 2867->2863 2869 1bf6942ecb3-1bf6942ece6 call 1bf694331f4 call 1bf6943f63c call 1bf6943f530 2867->2869 2874 1bf6942ed26-1bf6942ed2d 2868->2874 2869->2868 2874->2874 2876 1bf6942ed2f-1bf6942ed6d call 1bf6943b454 call 1bf69437b38 2874->2876 2884 1bf6942ed6f-1bf6942eda1 call 1bf69432d70 call 1bf69432c0c 2876->2884 2885 1bf6942eda6-1bf6942edab 2876->2885 2884->2885 2887 1bf6942edae-1bf6942edb5 2885->2887 2887->2887 2889 1bf6942edb7-1bf6942edc2 2887->2889 2891 1bf6942edd6-1bf6942ede6 call 1bf6943f63c 2889->2891 2892 1bf6942edc4-1bf6942edd4 call 1bf6943f63c 2889->2892 2895 1bf6942edeb-1bf6942edf0 call 1bf6943e0fc 2891->2895 2892->2895 2899 1bf6942edf2-1bf6942ee48 call 1bf6943b454 call 1bf69452570 call 1bf6942e918 2895->2899 2906 1bf6942ee4b-1bf6942ee53 2899->2906 2906->2906 2907 1bf6942ee55-1bf6942ee78 call 1bf69452580 call 1bf6942efbc 2906->2907 2912 1bf6942ee7a-1bf6942ee90 call 1bf69452540 call 1bf69452310 2907->2912 2913 1bf6942ee98 call 1bf69452540 2907->2913 2912->2899 2922 1bf6942ee96 2912->2922 2917 1bf6942ee9e-1bf6942eeb5 call 1bf694383c4 call 1bf6943e12c 2913->2917 2917->2860 2922->2917
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
                      • String ID: %s%s$*/*
                      • API String ID: 3787158362-856325523
                      • Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                      • Instruction ID: a8e90dc1fe9017517e5daf411af33a22eb57f329c2639879247bec97d35c3ded
                      • Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                      • Instruction Fuzzy Hash: 0D8126B2214B8586EB109B66ED903EA77A0F788788F44C13AEE5D437A9DF79C507C740
                      Function 000001BF6942E68C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 165networkfileCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
                      • String ID: %s%s$*/*
                      • API String ID: 3536628738-856325523
                      • Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                      • Instruction ID: a91dbb98012643057e3b8685951e52b5f73dd10e283210b06fdf8f7855d4cf12
                      • Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                      • Instruction Fuzzy Hash: DB718F72704A8486EB10DB62E9807EEB7A5F788B94F40C12AEE8957B95DF38C507C740
                      Function 000001BF694353E4 Relevance: 18.1, APIs: 12, Instructions: 105pipesleepfileCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
                      • String ID:
                      • API String ID: 34948862-0
                      • Opcode ID: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                      • Instruction ID: d8f946ee5a815682b1554c70c5dacbc6fe14a23f944ee4b8c0ce1fbc9cd84489
                      • Opcode Fuzzy Hash: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                      • Instruction Fuzzy Hash: A7410636604A4086EB109BB2EC547ED33A5E78CBA4F54C639EE5E97BA4DF38C446C700
                      Function 000001BF6943FF6C Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                      • String ID:
                      • API String ID: 4099253644-0
                      • Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                      • Instruction ID: 67042e58240993056df6cedd329687f330ba38d4d2e3c278c7c7aa027c4e9360
                      • Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                      • Instruction Fuzzy Hash: 32310775202A4081FF54EB62EC947E433A0EB5DB94F68C67EDD2A062E1DF78C457A310
                      Function 000001BF6943FE10 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 1138158220-0
                      • Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                      • Instruction ID: 0f1e1c7ddbf1ba1b85f15f43dab895307fed8a25b519c179153564ec3641c5e2
                      • Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                      • Instruction Fuzzy Hash: 16315931201B4082FB20AB76AC153E977E1EB8CBA4F14C67D9E49437D6DF38C4129700
                      Function 000001BF69437308 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 73networkCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                      • String ID: d
                      • API String ID: 1257931466-2564639436
                      • Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                      • Instruction ID: 7c716cf57be1e8417c1a46024547a635faa0ad2f532e166ad2607d2f2a9a505e
                      • Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                      • Instruction Fuzzy Hash: E7314F32215B81D6EB608F62EC447DE77A4F788B84F04912AEE8D47B58DF78C556CB40
                      Function 000001BF693D1B48 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: write_multi_char$write_string$free
                      • String ID:
                      • API String ID: 2630409672-3916222277
                      • Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                      • Instruction ID: e383d6c8b0d81c473976408ec6a9ad4223f467487a316eec50ecc6a469ab96bb
                      • Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                      • Instruction Fuzzy Hash: 79A1F63260464086FB25CBE5DD223EE7BB8F7C9794F14A229EE4917698CB34C95BC740
                      Function 000001BF694371FC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57networksleepCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountTick$ErrorLastSleepselectsend
                      • String ID: d
                      • API String ID: 2152284305-2564639436
                      • Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                      • Instruction ID: e9ddd48d7ed7b844ee7987a450d3e23a7e11c6abadd298283dc9fef7117efc9c
                      • Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                      • Instruction Fuzzy Hash: C4214F72218A80C6E7608F62E8443C97365F788784F50C139EF9D47A98DF38C45ACB44
                      Function 000001BF6942FB08 Relevance: 15.1, APIs: 10, Instructions: 91sleepfilepipeCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
                      • String ID:
                      • API String ID: 3101085627-0
                      • Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                      • Instruction ID: d222cab1569ae3639bfc1888353c94f7a9306bd466273e12c996da501a6b00fb
                      • Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                      • Instruction Fuzzy Hash: 8A4129367009419AEB109FB6D8943DC3761F748B98F81C13AAE0A97AA9DF39C50BC750
                      Function 000001BF69446E1C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 388111225-0
                      • Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                      • Instruction ID: c79c8fba16480829661c4ed860ff7ee01d801197a1080217cd4fa0d1b7c9adc3
                      • Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                      • Instruction Fuzzy Hash: 02318B7221025086E716AF659C913ED3791EB89FA0FA5C13DAE21177DBCB38C8538710
                      Function 000001BF693D621C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 388111225-0
                      • Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                      • Instruction ID: 085116e9a5da8c2d7b39db724acefa717e2ac1de1b97adfd85f3a8fefe4e66d7
                      • Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                      • Instruction Fuzzy Hash: 0A317C3170064486E7166FE59C633ED3758EBC97A4F95E23DAD21173D2C738846E8710
                      Function 000001BF6944FD50 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 1812809483-0
                      • Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                      • Instruction ID: 4722251c686eed7606f05618cec6075c745acc00ab4e3878d6ac77823f4e4f42
                      • Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                      • Instruction Fuzzy Hash: AB41F6B161269185FB609B219D403ED37E0E76CFA6FA0C17DEE5547ACED724C853A700
                      Function 000001BF693DF150 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 1812809483-0
                      • Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                      • Instruction ID: fa52d697b339e3dd19e018d88b6efa6b45f97f4fce0598660fbb8cd4f27072c6
                      • Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                      • Instruction Fuzzy Hash: 2F41277962025182FB609BD18CA33E97398E7DEB94F90D339DE94436C5D724C96BA600
                      Function 000001BF6944027C Relevance: 13.6, APIs: 9, Instructions: 101COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
                      • String ID:
                      • API String ID: 1550138920-0
                      • Opcode ID: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
                      • Instruction ID: c14af6a25f15f8d0f4cda5f60b447bd0689bf76424a6d023a6ac2f8fdb7a3214
                      • Opcode Fuzzy Hash: c0449f3fef6a4d8576451ebf1d27e0541d416188840e9d96df55a1b66d98fc2d
                      • Instruction Fuzzy Hash: 3B413A30216A4182E7549F12FC443D977A1F79DB94F54C03EAD8A577A9DF38C4AB8B00
                      Function 000001BF69436500 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                      • String ID:
                      • API String ID: 3339321253-0
                      • Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                      • Instruction ID: 27e188a8c8a93060479ddb974c25cb1bd28481e0b582ef9c12898305a48dcdb7
                      • Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                      • Instruction Fuzzy Hash: 0531D17121469592EA299F62EC547EA7361F748B98F44C13DDE0A476D8EF3CC64BC700
                      Function 000001BF69436B98 Relevance: 13.6, APIs: 9, Instructions: 72COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
                      • String ID:
                      • API String ID: 3610715900-0
                      • Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                      • Instruction ID: 58a063638109f42bc94b6ed10e34485ca4c6997c7d5c2dfd3ef10499bdf0c6a3
                      • Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                      • Instruction Fuzzy Hash: B531F432204A42C2EB649F72AD452E973A0EB4CB98F18C13EDE9946695DF35C8968B11
                      Function 000001BF69447A90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                      • String ID:
                      • API String ID: 310312816-0
                      • Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                      • Instruction ID: 41abed8db8c3b8a4a5e87e8b85d9826d389e0aacb9e447831790e1ec9f079525
                      • Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                      • Instruction Fuzzy Hash: 8421323260468046F7166F649C823ED7750EB8CFA5F19C23CAE150B3DACB7888438310
                      Function 000001BF69447C08 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                      • String ID:
                      • API String ID: 4140391395-0
                      • Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                      • Instruction ID: 7a538950137d5fc6e21c2067c4d31872cbf6274bde9e7b38cff54eea3d02dff5
                      • Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                      • Instruction Fuzzy Hash: FD21BB7269464046F7166F25AC613ED7751EB88FB2F19C63CAE350B3DACB3884438720
                      Function 000001BF693D6E90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                      • String ID:
                      • API String ID: 310312816-0
                      • Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                      • Instruction ID: 45b75114c24f1a10a2a2abe129295dc0c75c2e2979a873564983b17edb52f123
                      • Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                      • Instruction Fuzzy Hash: E921DE32700A4046F7056FE49C633ED7758E7C87A5F09E33CAE25072D2CB78886A8314
                      Function 000001BF693D7008 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                      • String ID:
                      • API String ID: 4140391395-0
                      • Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                      • Instruction ID: 7e6a2160d8c3b3e916e0048eebbaaeaf36e5f2318343a9f603d7c191599b764a
                      • Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                      • Instruction Fuzzy Hash: 9B21907270014046FA062FA59C273ED7758E7C8BB5F49E72DAE36073D2C778846A87A1
                      Function 000001BF693CF36C Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno
                      • String ID:
                      • API String ID: 2288870239-0
                      • Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                      • Instruction ID: 33c48756927b5bf76049acfc78d2bd3fd37dca08fb62c6a64a53b486df2603e7
                      • Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                      • Instruction Fuzzy Hash: 2931C436251E4191FE64DB51EC673E433B8EBDCB90F48823D9D1A07691CF2C88779201
                      Function 000001BF69446434 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                      • String ID:
                      • API String ID: 2611593033-0
                      • Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                      • Instruction ID: 27b559bff0aa497615e1660ea232c96203f888add06ecf24fed55912a0c3f3b4
                      • Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                      • Instruction Fuzzy Hash: DB21CD7271024046FB26AF259D813ED3751EB88FA2F59C13DAE250B3DACB78C8438764
                      Function 000001BF693D5834 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                      • String ID:
                      • API String ID: 2611593033-0
                      • Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                      • Instruction ID: 3eb820a185eef180a3dc9f813fb39f2a3093baa92d1077c4568a7741b3073c3c
                      • Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                      • Instruction Fuzzy Hash: 3C21DE3270424046F7052FE59C633ED7758E7C8BA1F49E32DAE25472DACB78886A8720
                      Function 000001BF6944A73C Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
                      • String ID:
                      • API String ID: 2289611984-0
                      • Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                      • Instruction ID: f287c328c0ab51ab471d2afb083594f14eb5d3a590e6659176247d0f86854a8c
                      • Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                      • Instruction Fuzzy Hash: EF21883120064085F725AB659C913ED7760EF88F70F59C13DAE160B2DACB68C8938355
                      Function 000001BF69445C58 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                      • String ID:
                      • API String ID: 4060740672-0
                      • Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                      • Instruction ID: 73377bb3c88e70ba9a7691dff1d9cfdb209632b777d14d1f147d0c13ca09febb
                      • Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                      • Instruction Fuzzy Hash: E611D0726A068046FB15AF25AC953EC3750EB98F62F69C63D9D16873DACB7884438710
                      Function 000001BF693D5058 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                      • String ID:
                      • API String ID: 4060740672-0
                      • Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                      • Instruction ID: ff0a1382cf7b38b22c15e7f783aae5363e64616d2d79b372079f4a6d04036282
                      • Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                      • Instruction Fuzzy Hash: 5E11DF3220028446F7096FE59C633EC7B58E7C9760F59E73C9D15872D6C774846A8390
                      Function 000001BF6942460C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$malloc$_errno$_callnewh$AllocHeap
                      • String ID:
                      • API String ID: 3534990644-0
                      • Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                      • Instruction ID: 58891150dd2e35b1d5644e8baca2fc017e759f19c51b676e88079ebad35de6d2
                      • Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                      • Instruction Fuzzy Hash: 8571D23A7156C486FB249A669D50BEA7791FB89BC8F40C13DDE4A47B86DB3AC407C700
                      Function 000001BF693B3A0C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$malloc$_errno$_callnewh
                      • String ID:
                      • API String ID: 4160633307-0
                      • Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                      • Instruction ID: e69f2eb7fc2291799d63e91934d7aa016028a51c1e289a6c01912ec0f94383f3
                      • Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                      • Instruction Fuzzy Hash: B471F77631579447EA20DB5698427EA7799F7E9BC4F40803D9D8647B8ADB38C827C700
                      Function 000001BF693BBE74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 296COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
                      • String ID: /'); %s
                      • API String ID: 1314452303-1283008465
                      • Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                      • Instruction ID: 0deab42447ed62c47fb2ea2910ad5403a56a5659a468905b6cf79d9f602e9d02
                      • Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                      • Instruction Fuzzy Hash: 8BC17131601A4186FA24E7659C537E973A9EBDE780F40C03DAD96577D6DF38C8278700
                      Function 000001BF6943B47C Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
                      • String ID: VUUU
                      • API String ID: 632458648-2040033107
                      • Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                      • Instruction ID: 7cdfa605d89de4c01614ff360fa3f08714b7b3669e3ade31ba12c67b4d5b3206
                      • Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                      • Instruction Fuzzy Hash: 8CA14636710A9186EB14AB779C523ED3391EB8DB84F90C13EAD4A5B796DF38C9078740
                      Function 000001BF693BE004 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 165COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintf
                      • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                      • API String ID: 3512837008-1250630670
                      • Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                      • Instruction ID: 89c4b3681863bfe55d5b9e4aede4bdea9d6ab3f3eabfeae82f126c7b57e63a2b
                      • Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                      • Instruction Fuzzy Hash: E1815B36204B8585EB209B65DC823E977A9F7DD784F44813AEE8E13799DF38C926C740
                      Function 000001BF69431478 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128processCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
                      • String ID: %s as %s\%s: %d
                      • API String ID: 3435635427-816037529
                      • Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                      • Instruction ID: 7e9a69f62604dd1f51f5c920daf8f36b09a5f7a2f31ff3dd93adad3d168d3ef2
                      • Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                      • Instruction Fuzzy Hash: E0514C32205B8186EB60DF66B8407DEB7A5F789B84F548029EF8D97B59DF38C056CB40
                      Function 000001BF693C0A94 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
                      • String ID: mode
                      • API String ID: 1756087678-2976727214
                      • Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                      • Instruction ID: 2846ec7e2e1cd0daa263f3d3fc1dabccd2149ba4d326fd0411a0f11f73af2b63
                      • Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                      • Instruction Fuzzy Hash: 9D416036315A8082EA14EB129C563EA7369F7DDBD0F40C13AAE5A47BD6DF38C5278700
                      Function 000001BF693C8620 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 87COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
                      • String ID: /'); %s
                      • API String ID: 761449704-1283008465
                      • Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                      • Instruction ID: 0f0457e146f2ed28cff7a293c5d6f830f18faf0685fee29e3f7cc257a3ed1755
                      • Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                      • Instruction Fuzzy Hash: 31316F35200A8185E6259B626D173F5BB69F7CDFD0F88C13A9EA507796DB38D9738300
                      Function 000001BF6943E98C Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$OpenProcessToken
                      • String ID:
                      • API String ID: 2009710997-0
                      • Opcode ID: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                      • Instruction ID: 7257261923475e77ba6fe3595f578fe567b528c8b6974cff19b8172f85282651
                      • Opcode Fuzzy Hash: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                      • Instruction Fuzzy Hash: B1314A3131571083FB14ABB2AC947EB7790EB8CB94F14C13DAE4A42696DF39C8478B40
                      Function 000001BF693CF210 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 2917016420-0
                      • Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                      • Instruction ID: 6bc4e764769eafda3b940b0d95317ceb65f5692b6650d682bc98ee78f00b5e69
                      • Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                      • Instruction Fuzzy Hash: 6B319E39200F4082FB24ABA69C163E977E9EBCDB94F548639DE45437D5DF38C4668300
                      Function 000001BF6944FBD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 3191669884-0
                      • Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                      • Instruction ID: 81bed9cda10d10f12c2f306cce2dedbe0b887d21f775da67993e139b9c38f941
                      • Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                      • Instruction Fuzzy Hash: 963189726457848AE7209B5298907DDB7A4F79CFE0F68C179AE5807B9ACB34C843DB00
                      Function 000001BF693DEFD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 3191669884-0
                      • Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                      • Instruction ID: 55eaab7d2435f02e3305c02aa3944a872e15ae6a0d62f2b847c93abe7d1ab9a7
                      • Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                      • Instruction Fuzzy Hash: F231AE7221478486E7209B9198927EDB7A8F3CCBE4F14D339AE5807B85CB34C86AD740
                      Function 000001BF6943596C Relevance: 10.6, APIs: 7, Instructions: 52COMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountTickioctlsocket
                      • String ID:
                      • API String ID: 3686034022-0
                      • Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                      • Instruction ID: 7f2a3579a90c558f1aa5c2590a2fa8d409057791ea598feaec829f1857b7f6ae
                      • Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                      • Instruction Fuzzy Hash: 6511943120468086F7105BB6EC443D97360EB8CBA5F50C13DDE5986AE4EF78C88BC710
                      Function 000001BF69430AA0 Relevance: 10.5, APIs: 7, Instructions: 45pipethreadfileCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
                      • String ID:
                      • API String ID: 4232080776-0
                      • Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                      • Instruction ID: 5df02cb4949ed92609777be80835039237bc52cb464f104356f2f8f64b5d37cc
                      • Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                      • Instruction Fuzzy Hash: F3218F3562564096FB509B72EC547EA33A1FB9CB48F84C23E9D4A829A1CF7CC44BD711
                      Function 000001BF69440B10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                      • String ID:
                      • API String ID: 2328795619-0
                      • Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                      • Instruction ID: bf19f5dd642b9443ead47971f52c830fa05c632a67482603d0e653c9ce3f37cb
                      • Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                      • Instruction Fuzzy Hash: 2251B07175429086EB288A665D107E9B790E768FF8F14C638AE3947BDDCB34D4A38340
                      Function 000001BF693CFF10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                      • String ID:
                      • API String ID: 2328795619-0
                      • Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                      • Instruction ID: 4e3456f7c98b88c434857123fff76630f944121ff7b1660bfe19048a79b91509
                      • Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                      • Instruction Fuzzy Hash: 2551043170464092FA288AA65C127E977A8E3C9FF4F14D739AE3943BD5CB34C4BB9240
                      Function 000001BF693C1030 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 150COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$freemalloc$_callnewh
                      • String ID: 1:%u/'); %s$n from %d (%u)$open process: %d (%u)
                      • API String ID: 2029259483-317027030
                      • Opcode ID: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                      • Instruction ID: ecbacffd4ed1995996d37429d691a296995ccc9a3ee4b6d1d7fd24ec7eeff3cd
                      • Opcode Fuzzy Hash: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                      • Instruction Fuzzy Hash: 88619672304B5186EB10DBA5E8422EE77B5F7C9B94F40802AEE8947B99DF7CC516CB40
                      Function 000001BF6944A348 Relevance: 9.1, APIs: 6, Instructions: 132COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
                      • String ID:
                      • API String ID: 445582508-0
                      • Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                      • Instruction ID: dd90160957987d567a2155eeb1e4921edcb8f23255811829fabe0b4ff1dbb828
                      • Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                      • Instruction Fuzzy Hash: 2A519B3260068082EB248F10DC443EDB3A5FB98F68F19C139DE49477E9DB78C856C740
                      Function 000001BF69431694 Relevance: 9.1, APIs: 6, Instructions: 126COMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
                      • String ID:
                      • API String ID: 3587854850-0
                      • Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                      • Instruction ID: 9d755ee578503b20e48e5162ca77ae7672f429c50040eeb091678515e9582775
                      • Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                      • Instruction Fuzzy Hash: BE41693230064082EA14EB22A9557EA7351FB8CBD0F80C23EAE5A47BD6DF39C5078B40
                      Function 000001BF69435C60 Relevance: 9.1, APIs: 6, Instructions: 113COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
                      • String ID:
                      • API String ID: 3426420785-0
                      • Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                      • Instruction ID: 4e8697e9e1c1af0822f9d6d7056bf4dfc7ec15cebb8406e6f6ce40f3de32d1be
                      • Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                      • Instruction Fuzzy Hash: AD41193172061495FB00ABB29D957EA33A0FB8C754F40C43AEE0987AA6DF39C5078750
                      Function 000001BF69436F2C Relevance: 9.1, APIs: 6, Instructions: 99networkCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
                      • String ID:
                      • API String ID: 2310505145-0
                      • Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                      • Instruction ID: ed77fb3cb7c70c1e5442acd41d9ee4ebc75a4be0086d2c4e7d3647098f0a5fb1
                      • Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                      • Instruction Fuzzy Hash: 1D410B72204A90D6EB608F36EC447DA77A1F78CBA8F14C13DDE99476A4DB39C4829B40
                      Function 000001BF694379C4 Relevance: 9.1, APIs: 6, Instructions: 96threadCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                      • String ID:
                      • API String ID: 1014270282-0
                      • Opcode ID: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                      • Instruction ID: 51fd55a972ba23f4af6cd3270060fe1cf94f224c92e87dacd7ab753b4d410cea
                      • Opcode Fuzzy Hash: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                      • Instruction Fuzzy Hash: 5841613261878086EB109F6298443D977A1F78CBD4F08C63DAE8947B95DF7CC646C700
                      Function 000001BF69440620 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                      • String ID:
                      • API String ID: 1547050394-0
                      • Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                      • Instruction ID: 7214499a9b44790c5514ff2c0e96a53678c0b48313feff58af38a53c034a51df
                      • Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                      • Instruction Fuzzy Hash: D02190B121468185FB659F22AC013DEB794EB5DFC0F44C439AE8997B9EDB3CC4228700
                      Function 000001BF693CFA20 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                      • String ID:
                      • API String ID: 1547050394-0
                      • Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                      • Instruction ID: 4d4922a6ec5d52631d9b9b97375f19e6eac4e275de3e578eb9bb840de469ac99
                      • Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                      • Instruction Fuzzy Hash: 4421A431304A8292FB515BA19C033DEB7A9E7CD7C0F44D5399D4987B95DB3CC4629700
                      Function 000001BF693D9B3C Relevance: 9.1, APIs: 6, Instructions: 63COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
                      • String ID:
                      • API String ID: 2102446242-0
                      • Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                      • Instruction ID: 5e7ae96330aa92eb46e9627872ec527c2708339fe485ef81527df2ed52d2af37
                      • Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                      • Instruction Fuzzy Hash: E6217C3120264046E7156FE59CB33ED7798E7C8760F0AE23D9E16072D2CB6888AB8314
                      Function 000001BF6942FC64 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
                      • String ID:
                      • API String ID: 1616846154-0
                      • Opcode ID: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                      • Instruction ID: 4c76af3d5591308580163f330432add7a973e9511c8e71a5856f3724fd7273af
                      • Opcode Fuzzy Hash: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                      • Instruction Fuzzy Hash: D6115E3131564041FA10A663A9512EE7351EB8DBE4F84C23DAE6A47BCADF29C5028780
                      Function 000001BF69434488 Relevance: 9.1, APIs: 6, Instructions: 51pipefileCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
                      • String ID:
                      • API String ID: 3798860377-0
                      • Opcode ID: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                      • Instruction ID: 1219012532517b5d617933257d81207da3ad3a6a3fc120009eb858345abba226
                      • Opcode Fuzzy Hash: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                      • Instruction Fuzzy Hash: 69117C3260465082FB109B76F9147DE73A1E788BE5F84C23DAE5A87ED4CF69C4478701
                      Function 000001BF6943EFEC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 000001BF6943F044
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
                      • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                      • API String ID: 3518644649-2739389480
                      • Opcode ID: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                      • Instruction ID: ea9cb19860f86b74ce9227e6689f4d625bfe075ec6ec3f4871c8aa46ea223156
                      • Opcode Fuzzy Hash: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                      • Instruction Fuzzy Hash: D8018E7160279082EA44DB63B8047D97799E78CBE0F85C26DEEA9477D6DB38C0428780
                      Function 000001BF693CE3EC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
                      • String ID: dpoolWait
                      • API String ID: 2026495703-1875951006
                      • Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                      • Instruction ID: bba1a2392775353e15b9e4269a171db94f6c828e775e6e3e9ee6529a13176874
                      • Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                      • Instruction Fuzzy Hash: 6F018272610B9085EA24DB12B8067E977ADE7DCBD0F058229EE69477C6CB38C8628740
                      Function 000001BF694331F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: freemallocstrchr$rand
                      • String ID:
                      • API String ID: 1305919620-0
                      • Opcode ID: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                      • Instruction ID: 3d113b7502cc6f3d1a6f8f2390c93b1c7a5e78cadc3ad205a3fedfeff90c8ad5
                      • Opcode Fuzzy Hash: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                      • Instruction Fuzzy Hash: B371DA72605BC441FA269B3AA8113EA7790EF9DB84F48D13DDF85177A6EF29C1478700
                      Function 000001BF693C25F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: freemallocstrchr$rand
                      • String ID:
                      • API String ID: 1305919620-0
                      • Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                      • Instruction ID: c397bbe88ca32a45650e69e3857c2ccf3499c45dd2ebf0261875ea5da76473de
                      • Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                      • Instruction Fuzzy Hash: CE71E772604FC4C1FA259B29A9123EA73A4EFD9B84F089138DF8517796DF2DD5638700
                      Function 000001BF69424170 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_callnewhmalloc$AllocHeap
                      • String ID:
                      • API String ID: 996410232-0
                      • Opcode ID: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                      • Instruction ID: da41047b2934ab7c10dbd8f1d2e56012e70f86fb313d39868066e8fa1fe6182a
                      • Opcode Fuzzy Hash: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                      • Instruction Fuzzy Hash: 444198363007958BEA559A679E546EA3790F74DBC0F90C138DE464BB85DF3AD823C710
                      Function 000001BF693B3570 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_callnewhmalloc
                      • String ID:
                      • API String ID: 2761444284-0
                      • Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                      • Instruction ID: 014b90f7e60799f4cd4802886fb516c116030641b4b49fe28511a70d4b4c40f1
                      • Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                      • Instruction Fuzzy Hash: 33419D323017A197EA68DA269D923E977A8F79EB80F4480389E9647745DF34D837C700
                      Function 000001BF6942F274 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: htonl$freemalloc
                      • String ID: zyxwvutsrqponmlk
                      • API String ID: 1249573706-3884694604
                      • Opcode ID: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                      • Instruction ID: 11982aac86489f99576478f20b92462ad3282cbd0670fcc1640b2b4204a96266
                      • Opcode Fuzzy Hash: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                      • Instruction Fuzzy Hash: 2131C23630268042EB14EA77AD513E97791EB9DBD0F84C43DAD598779BEB29C8078700
                      Function 000001BF69433FA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentProcess$AddressErrorHandleLastModuleProc
                      • String ID: NtMapViewOfSection$ntdll.dll
                      • API String ID: 1006775078-3170647572
                      • Opcode ID: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
                      • Instruction ID: f00664000f2fe23e9803f2bdf4f413dd6db0ac10730ebed9804b25e9b8fef2e4
                      • Opcode Fuzzy Hash: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
                      • Instruction Fuzzy Hash: D6316D32710B5482EB109B62A8557EA77A0F78CBA4F04C23DAE6907BD6DF7DC4468700
                      Function 000001BF693CB630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: strtok$_getptd_time64malloc
                      • String ID: eThreadpoolTimer
                      • API String ID: 1522986614-2707337283
                      • Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                      • Instruction ID: 2760a413c9cdc33e1425fe36c6321babcb7f39d18f017b61a037d6ee7134897a
                      • Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                      • Instruction Fuzzy Hash: B621B672610B9481EB10DF51E89A6ED77BCF7D8B94F168229EE5A47781CB34C462C740
                      Function 000001BF69431FB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
                      • String ID: %s\%s
                      • API String ID: 1896346573-4073750446
                      • Opcode ID: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                      • Instruction ID: 74f75958f8a3794336c2229be34249a2a044ac25c27747abfb026aabdcd21657
                      • Opcode Fuzzy Hash: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                      • Instruction Fuzzy Hash: D2F01D35605B5086F2109B62BC112DAB360E78CFD4F98C13DAF8957B9ACF78C4538784
                      Function 000001BF693C13B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
                      • String ID: uld not open process: %d (%u)
                      • API String ID: 2566950902-823969559
                      • Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                      • Instruction ID: d31ff93578eff3b563b69a4434a4f573d6dd62d89dadc32a9ce74fc8f18b91b0
                      • Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                      • Instruction Fuzzy Hash: 90F01236604B90C9E2509B52BC132EAB378E7C9FD0F588139BF4917B56DF38C4624744
                      Function 000001BF6942CA74 Relevance: 7.8, APIs: 6, Instructions: 296COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
                      • String ID:
                      • API String ID: 548016584-0
                      • Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                      • Instruction ID: 27a0603fb5eca957a4748227785bdcdf2e0a20c9aef4b39f8a14016224ea6cd3
                      • Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                      • Instruction Fuzzy Hash: 41C1577121168142FA24EB72AE527EA3391FB8D784F84C13DAE5A4B6D7DF39C8079704
                      Function 000001BF693BDA8C Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
                      • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                      • API String ID: 199363273-1250630670
                      • Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                      • Instruction ID: 7da57333a207487cdb2e3df4b083226942974bb663a34aefc937697a42aa7042
                      • Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                      • Instruction Fuzzy Hash: 9671B272300B8486EB10DB51EC427EE77A9F7C9794F40803AEE9A17A98DB78C916C740
                      Function 000001BF694300F8 Relevance: 7.6, APIs: 5, Instructions: 133COMMON
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                      • Instruction ID: 2d909597adda9d13adb80d052485fc861e364924f18e95f205fc7914e1202d66
                      • Opcode Fuzzy Hash: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                      • Instruction Fuzzy Hash: 79519D72B01A4196EF10EB76D8423ED7360EB59B88F85D23DEE091769AEF38C546C740
                      Function 000001BF6944062C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 1640621425-0
                      • Opcode ID: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                      • Instruction ID: abe218549f1cad1477b9d632975c770351bfd6a12f23f3446a1b3500159981c8
                      • Opcode Fuzzy Hash: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                      • Instruction Fuzzy Hash: 0941C13130064046FB689A625D443DAB791FBACFE0F18C6389E564BBD9DB78C4B38B41
                      Function 000001BF693CFA2C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 1640621425-0
                      • Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                      • Instruction ID: f3a124369b1d13f9f79eccc9b7a0550a7e644db2f8222d58a21a15b19d3654f0
                      • Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                      • Instruction Fuzzy Hash: E841F331300A40CAEA689A625D523E9BBE9F7CCFE0F18C2389E55477D1DB38C8679600
                      Function 000001BF694254F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_callnewhmalloc$AllocHeap
                      • String ID:
                      • API String ID: 996410232-0
                      • Opcode ID: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                      • Instruction ID: 7cd2367cd68ef3814f7ef99f381f138bffc0ed26ddf9ca1bb4ca4c218984721a
                      • Opcode Fuzzy Hash: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                      • Instruction Fuzzy Hash: CB418A3220578986EB159B266D006EA7B95F799B88F59C038DD49CB74AEF3AC807C300
                      Function 000001BF693B48F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_callnewhmalloc
                      • String ID:
                      • API String ID: 2761444284-0
                      • Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                      • Instruction ID: 8f690eaf5666f0de03fdd8ee8cc723f9b4684e4d4abd4c50ec47e9cda7294736
                      • Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                      • Instruction Fuzzy Hash: AF41C33231478582EA15DB265C463E977ACF7EAB88F098038DD9587745EF38C827C309
                      Function 000001BF69432D70 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 94stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                      • String ID: %s&%s$?%s
                      • API String ID: 1095232423-1750478248
                      • Opcode ID: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                      • Instruction ID: 5fe70dd3eefa5e4076d23563f10a084fa7417b4026bb35e2a0c2b17b3668d999
                      • Opcode Fuzzy Hash: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                      • Instruction Fuzzy Hash: AA417072204E8091FA159F2AD5462ECB3A0FF9CB95F08D52ADF4957B61EF34D1A39340
                      Function 000001BF6944AC98 Relevance: 7.6, APIs: 5, Instructions: 93COMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                      • String ID:
                      • API String ID: 2998201375-0
                      • Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                      • Instruction ID: 64089eb2b3eb6c26514c561327f785273ff90d8a9053afb21810ec76bf98a052
                      • Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                      • Instruction Fuzzy Hash: 2741747221478086E7608F159D507E97BA6FB4DFA5F14C139EF8957B99DB34C8428700
                      Function 000001BF693BF064 Relevance: 7.6, APIs: 5, Instructions: 58fileCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$free$_callnewhfclosefwritemalloc
                      • String ID:
                      • API String ID: 1696598829-0
                      • Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                      • Instruction ID: 870a7ad041d90ccbe5d8171cb5e3eeaecd606098c67eba48928f684e72cad234
                      • Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                      • Instruction Fuzzy Hash: 89116375708A4081EA10F652A8133EA73A9E7D9BD4F448139AE9A4B7CADF2CC5268740
                      Function 000001BF6944A5EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno_errno
                      • String ID:
                      • API String ID: 2964073243-0
                      • Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                      • Instruction ID: 9a0c1cb48561804dcdc3a71b37edde122b71e7492686a998c2a0ef77d8e4a322
                      • Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                      • Instruction Fuzzy Hash: 7F0169B261060485EB096B24CC913EC33A1DF68F72FA1C33DDD290A3DADB2844638711
                      Function 000001BF693D99EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno_errno
                      • String ID:
                      • API String ID: 2964073243-0
                      • Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                      • Instruction ID: 0ee5a95e24aab83ab643ab4309eacaa7b2c9d04981fdeeb89816eccac9e26b6e
                      • Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                      • Instruction Fuzzy Hash: E7014B7671264445FA092FE48C733EC7355DBD9B22F91E329DD29072D2C728446A8212
                      Function 000001BF6942D83C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE
                      Download Yara Rule
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: %s!%s
                      • API String ID: 0-2935588013
                      • Opcode ID: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                      • Instruction ID: 16f0fa3403a65476252514811fc76e26704b3032edeed77b44eff8cafe654e6e
                      • Opcode Fuzzy Hash: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                      • Instruction Fuzzy Hash: A2515A7620464086EB649F62D9407E973A1FB8CB94F44C13BEF8A47789EB3AC943C704
                      Function 000001BF693C5228 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintfmallocstrrchr
                      • String ID: Failed to impersonate token: %d$t permissions in process: %d
                      • API String ID: 3587327836-1492073275
                      • Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                      • Instruction ID: 1ace1dfe25f87093643a2f3eb440a6e8cf8d127a70b5f0136e5a61e17785f9c2
                      • Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                      • Instruction Fuzzy Hash: 41418E3470464086EB04EB62AC163EA77A9F7CEBD4F448139AD5A8779ACF7CC4638704
                      Function 000001BF69432818 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93sleeppipeCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountTick$CreateInfoPipeSleepStartup
                      • String ID: h
                      • API String ID: 1809008225-2439710439
                      • Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                      • Instruction ID: 72124fc65da2d79a9b4e3811869d7a8409533b5fee3e042ea88ac2bb6a84e4a5
                      • Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                      • Instruction Fuzzy Hash: 15414A32604B849AE710CF65E8406DEB7B5F788798F508129EF9C53BA8EF78D546CB40
                      Function 000001BF6943E1D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AccountInformationLookupToken_snprintf
                      • String ID: %s\%s
                      • API String ID: 2107350476-4073750446
                      • Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                      • Instruction ID: 20ecf87742582e9a7d92021cd913fee4a5bf90822c2ed1c568dea2e8b0907583
                      • Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                      • Instruction Fuzzy Hash: C4311E32205FC196EB24CF62E8446DA73A4F788B88F44C12AEE8957B59DF38C606C740
                      Function 000001BF69434224 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: RtlCreateUserThread$ntdll.dll
                      • API String ID: 1646373207-2935400652
                      • Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                      • Instruction ID: ddbc24021e8075a4adc6769210fb203163cc43f9e1f1c1594959474edd9f50ee
                      • Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                      • Instruction Fuzzy Hash: 98110C32214B5082D720CF52F884589B7A4F799BD0F99813AEE9D43B14DF38C556C700
                      Function 000001BF69433C0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: NtQueueApcThread$ntdll
                      • API String ID: 1646373207-1374908105
                      • Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                      • Instruction ID: 63e85393be8b0d15d1710067e13e0b31bf0475fdd9d11287e9f67a078d5004b6
                      • Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                      • Instruction Fuzzy Hash: 67018F36200B4182EB108BA2FC502DAB3A0E799BD0F94C63ADE5843B58DF38C4538700
                      Function 000001BF69430C64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: IsWow64Process$kernel32
                      • API String ID: 1646373207-3789238822
                      • Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                      • Instruction ID: 90d7dcec80a89b3912de205915695c4bc2e8866e77313b52c60556e290ace00c
                      • Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                      • Instruction Fuzzy Hash: 88E01A7172160182EE58CBA6EC947E57760EB9C7A1F48D03A9D4B46264EF28C59BC700
                      Function 000001BF694320E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: Wow64RevertWow64FsRedirection$kernel32
                      • API String ID: 1646373207-3900151262
                      • Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                      • Instruction ID: 3c910bf9d48998b3b5705f1c61c33e88d3edf1e1cc61f98f1ac1366f21c43f3c
                      • Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                      • Instruction Fuzzy Hash: 90D09E7075160681FE199BE2BC556E47350EB5EB51F48D03E8D1A06360EF2CC59BC350
                      Function 000001BF694320AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProc
                      • String ID: Wow64DisableWow64FsRedirection$kernel32
                      • API String ID: 1646373207-736604160
                      • Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                      • Instruction ID: 4e63e7b5e8ee9a8e1e11a04db7b8d8cbd4391d36e10d4d802e569752577d155d
                      • Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                      • Instruction Fuzzy Hash: F2D0676075160692EE159BE2AC546E47360EB5DB51F48D03A8D1A06364EF28859B8354
                      Function 000001BF6943BFC0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                      • Instruction ID: 91d6c3fac68563ff8f73c61203944b8a736837bc6306888f84fef7e807e33619
                      • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                      • Instruction Fuzzy Hash: B1614CB6641640C6EB648F26AC593E833E0E75CB5AF24C53EDE254B3A5CB39C4539B80
                      Function 000001BF693CB3C0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                      • Instruction ID: 35abcfc101198a894b9d3e386042d3a95f8a6cf435c45337811c7ec177a256c7
                      • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                      • Instruction Fuzzy Hash: 7C613976641A40CAEB148F19AD577E933B8E79CB95F25813EDE054B3A1CB38D463CB40
                      Function 000001BF693C2170 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                      • String ID: not create token: %d
                      • API String ID: 1095232423-2272930512
                      • Opcode ID: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                      • Instruction ID: 815c098a6a0ff4c066dfde4fa8a4f55fea5ce935a26120abb40f1b6b0e48a5cd
                      • Opcode Fuzzy Hash: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                      • Instruction Fuzzy Hash: 46418F76210E80D1EA619B6AD5462E8B3B4FFCCB84F04A525DF4817B61DF34D5B38340
                      Function 000001BF69434A04 Relevance: 6.1, APIs: 4, Instructions: 80synchronizationCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
                      • String ID:
                      • API String ID: 2495333179-0
                      • Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                      • Instruction ID: f5242fb1a882ef146741a3b12d372d46c4c0aca72d7926d8acc2e830eab65895
                      • Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                      • Instruction Fuzzy Hash: 8531BC3621064081EB64EF73A9802E973A4FB8CBD8F49C62DDE444B699DB39C883C744
                      Function 000001BF6943C230 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Timestrtok$FileSystem_getptd_time64malloc
                      • String ID:
                      • API String ID: 460628555-0
                      • Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                      • Instruction ID: 92649f733e476944e70f83a54e87e5cf756e1c3382f1bd25a5e5f285f0fad908
                      • Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                      • Instruction Fuzzy Hash: 3E21B4B6A107A481EB00CFA3A4846ED37A8F75CF95F16C26DEF5A43786DB34C4528780
                      Function 000001BF6944F5D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                      • String ID:
                      • API String ID: 4151157258-0
                      • Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                      • Instruction ID: 2d08bd0d5f5a414775e82f86dca8e351323de9964297c87020bb3a91c53e22ee
                      • Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                      • Instruction Fuzzy Hash: 5021D27220A6A041FB60472598503FEB7D0E38CFD4F18C179AE964FAEDCB28C443AB10
                      Function 000001BF694210D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: clock
                      • String ID:
                      • API String ID: 3195780754-0
                      • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                      • Instruction ID: 2b9d343f0bccaa3edf89366e814724f8c5ae1b87dca1061189c837c0b69d8520
                      • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                      • Instruction Fuzzy Hash: F011E33250474445E7B0DE666D81AFBF790F78C790F19C139EE844368AEB76C8838700
                      Function 000001BF693B04D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: clock
                      • String ID:
                      • API String ID: 3195780754-0
                      • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                      • Instruction ID: cf0ebe07dd681bbb595eb7a43ce71d86f720f7c0e9444dba4214969054b83f47
                      • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                      • Instruction Fuzzy Hash: E711B63260874485E7709EA66D822EAF798F7DD390F15913AEE8503A4DEB74C8578640
                      Function 000001BF693DE9D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                      • String ID:
                      • API String ID: 4151157258-0
                      • Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                      • Instruction ID: a627872f98d429f061247e2f699f4a682ab881f06cdbaa816e8212a9f31b087a
                      • Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                      • Instruction Fuzzy Hash: 5621F5321043A141FA70569198623FDFB94F3C8BD4F18E239AE9706A95CB28C46B9612
                      Function 000001BF6943EF5C Relevance: 6.0, APIs: 4, Instructions: 39networkCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$closesocketsend$accept
                      • String ID:
                      • API String ID: 47150829-0
                      • Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                      • Instruction ID: f34f13a36ec2a8de79e8504ca10c3a80ded83b83aa28f7f966800e1cb0925b4a
                      • Opcode Fuzzy Hash: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                      • Instruction Fuzzy Hash: 16014C7530494082EB549B77AEA57FA3361E78DFE4F14D22ADE2607B95CF28C4838B40
                      Function 000001BF694353EC Relevance: 6.0, APIs: 4, Instructions: 34sleeppipeCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountTick$NamedPeekPipeSleep
                      • String ID:
                      • API String ID: 1593283408-0
                      • Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                      • Instruction ID: bc527caa0ad2d839775c90161a04f12830bff0273e646e5c07a7fcb3811f0ecc
                      • Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                      • Instruction Fuzzy Hash: F5016231618A5082F7248776FC443DAB3A1E79C785F64C539EE4D82A64DF38C483C705
                      Function 000001BF694376F0 Relevance: 6.0, APIs: 4, Instructions: 32memorythreadCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: AttributeHeapInitializeListProcThread$AllocProcess
                      • String ID:
                      • API String ID: 1212816094-0
                      • Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                      • Instruction ID: 7c7ce5394f061e3cafeda7d4220ee67b6b0a56729a1660aa7174672364f9c038
                      • Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                      • Instruction Fuzzy Hash: 1AF0623672464482EB548B76AC507DA73E0EB8CB90F68D43EAE4B82754DF39C4478A00
                      Function 000001BF694348D8 Relevance: 6.0, APIs: 4, Instructions: 32sleeppipeCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: CountTick$NamedPeekPipeSleep
                      • String ID:
                      • API String ID: 1593283408-0
                      • Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                      • Instruction ID: 83137080631b04d3284e0a6bf5d1e5fc2a3175756fc71f03d40ee4b577e4260f
                      • Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                      • Instruction Fuzzy Hash: 3D016D32614A5182F7208B66FC443DAB7A1EB89BD4F64C139EF8543A74DF39C8838B04
                      Function 000001BF6943F098 Relevance: 6.0, APIs: 4, Instructions: 15COMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$ErrorFreeHeapLast_errnoclosesocket
                      • String ID:
                      • API String ID: 1525665891-0
                      • Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                      • Instruction ID: 4fade978b0367cff8f75fde23f7f273711308b6375e6be7024547ea1d022c730
                      • Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                      • Instruction Fuzzy Hash: 95E04276611444C1FA18EBB3DCA65E82320E79CF94F64C07A9E1E4A2A68F65C896A344
                      Function 000001BF6943F860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                      • String ID: B
                      • API String ID: 1812809483-1255198513
                      • Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                      • Instruction ID: 9a92dac961a3e729450b03379c72cf7fcc35b73791625eb8a7498869cac4b782
                      • Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                      • Instruction Fuzzy Hash: 11117072610A4085EB149B12E9403D9B760F79CFE4F64C329AF5807B99CF38C146CB00
                      Function 000001BF693CEC60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                      • String ID: B
                      • API String ID: 1812809483-1255198513
                      • Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                      • Instruction ID: 8151ea45a0655398b0e54239d4b00de05470eee1022c83aab404659e19997e9a
                      • Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                      • Instruction Fuzzy Hash: A7118EB2610B5086EB209B52D8423EDB765F798FE4F948328AF5807B95CF38C656CB00
                      Function 000001BF69421CC4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_calloc_implcalloc
                      • String ID:
                      • API String ID: 4000150058-0
                      • Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                      • Instruction ID: 6af84b5124cc468b476931eb1b4569d0e9458a247c4011e3010f537b48346f9f
                      • Opcode Fuzzy Hash: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                      • Instruction Fuzzy Hash: 32C1D836614B848AE764CF65E8807DE77A4F78CB88F50812AEF8D47B58DB79C456CB00
                      Function 000001BF693B10C4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_calloc_implcalloc
                      • String ID:
                      • API String ID: 4000150058-0
                      • Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                      • Instruction ID: 3de38c44820008db13560419f3c43141cfbcf0264ba84ab808053c36c535ee44
                      • Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                      • Instruction Fuzzy Hash: A7C1FA32604B848AE764CF55E8853DE77B8F799784F10812AEE8D47B58DF38C465CB00
                      Function 000001BF6943AD44 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$AllocHeap_callnewhmalloc
                      • String ID:
                      • API String ID: 3531731211-0
                      • Opcode ID: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                      • Instruction ID: 3b171fc2bf3be292dbfbee49b5d5cba4b95b4868fbe2978b3bb822aee9d00f6c
                      • Opcode Fuzzy Hash: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                      • Instruction Fuzzy Hash: DD51AF7524064542FE28AB329C553ED7391FB8CBA0F54C43DAE1A17B9AEF7AC5138700
                      Function 000001BF693CA144 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_callnewhmalloc
                      • String ID:
                      • API String ID: 2761444284-0
                      • Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                      • Instruction ID: 58f9aca5c2ceee33002e826e3b0b4b5fbf1fc54a201cd60b339e5401f7376b4a
                      • Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                      • Instruction Fuzzy Hash: 2B51AE31200B45C1EA28AF21AD533E973A9F7C9790F54C53DEE4A97A96DB79C8238700
                      Function 000001BF69424300 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: malloc
                      • String ID:
                      • API String ID: 2803490479-0
                      • Opcode ID: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                      • Instruction ID: 19698b300d9010928739c7d8c570c00b3a9fee6e1149ce5d947276ce36da234d
                      • Opcode Fuzzy Hash: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                      • Instruction Fuzzy Hash: 1041713230468087EB68DB26A950AEE73A1F788BC8F54C539DE6A47785DF36D807C700
                      Function 000001BF693B3700 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230909095.000001BF693B0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001BF693B0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf693b0000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: malloc
                      • String ID:
                      • API String ID: 2803490479-0
                      • Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                      • Instruction ID: 82361fbf6041d4e46daeffab38fae53c25d34d8ab92886a5c84ee418a478b9dc
                      • Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                      • Instruction Fuzzy Hash: CA41813260179087EB54DB2698026ED73A9F799B84F448439EE9A87749EF34DC2AC701
                      Function 000001BF69431038 Relevance: 5.1, APIs: 4, Instructions: 109COMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.2230970210.000001BF69420000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001BF69420000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1bf69420000_loaddll64.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$CurrentProcessfreemalloc
                      • String ID:
                      • API String ID: 1397824077-0
                      • Opcode ID: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                      • Instruction ID: 3c7997a1f00b893cc21acb90f9fb0e09aae92d6ab082b22a861be5bae93b2147
                      • Opcode Fuzzy Hash: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                      • Instruction Fuzzy Hash: B741437231469186EB649B33E9407EF73A1EB8C788F40D43DAE8947A86EF39C5428704

                      Execution Graph

                      Execution Coverage:0.3%
                      Dynamic/Decrypted Code Coverage:0%
                      Signature Coverage:0%
                      Total number of Nodes:8
                      Total number of Limit Nodes:1
                      execution_graph 18804 16e0d6e88d4 18808 16e0d6e8911 18804->18808 18805 16e0d6e8d40 VirtualAlloc 18806 16e0d6e8d98 18805->18806 18807 16e0d6e8ea5 LoadLibraryA 18806->18807 18809 16e0d6e8ff6 18806->18809 18807->18806 18808->18805 18810 16e0d6dedc4 _wputenv 18811 16e0d6fddf8 _putenv_helper 18810->18811

                      Executed Functions

                      Function 0000016E0D6E88D4 Relevance: 3.7, APIs: 2, Instructions: 671memorylibraryCOMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 0 16e0d6e88d4-16e0d6e8911 call 16e0d6e9241 3 16e0d6e8915-16e0d6e8920 0->3 4 16e0d6e8955-16e0d6e895a 3->4 5 16e0d6e8922-16e0d6e8934 3->5 4->3 5->4 6 16e0d6e8936-16e0d6e893e 5->6 6->4 7 16e0d6e8940-16e0d6e8953 6->7 7->4 8 16e0d6e895c-16e0d6e898f 7->8 9 16e0d6e8d32-16e0d6e8d37 8->9 10 16e0d6e8d3d 9->10 11 16e0d6e8994-16e0d6e89ac 9->11 12 16e0d6e8d40-16e0d6e8d96 VirtualAlloc 10->12 13 16e0d6e89b4-16e0d6e89e8 11->13 14 16e0d6e8dbb-16e0d6e8dca 12->14 15 16e0d6e89ea-16e0d6e89fd 13->15 16 16e0d6e89ff-16e0d6e8a09 13->16 18 16e0d6e8dcc-16e0d6e8df8 14->18 19 16e0d6e8d98-16e0d6e8db9 14->19 17 16e0d6e8a0d-16e0d6e8a1c 15->17 16->17 17->13 20 16e0d6e8a1e-16e0d6e8a27 17->20 21 16e0d6e8e6a-16e0d6e8e79 18->21 19->14 22 16e0d6e8a2d-16e0d6e8a9d 20->22 23 16e0d6e8bc0-16e0d6e8bc9 20->23 24 16e0d6e8dfa-16e0d6e8e2f 21->24 25 16e0d6e8e7f-16e0d6e8ea0 21->25 26 16e0d6e8bb0-16e0d6e8bb5 22->26 27 16e0d6e8d0b-16e0d6e8d10 23->27 28 16e0d6e8bcf-16e0d6e8c3f 23->28 29 16e0d6e8e54-16e0d6e8e63 24->29 30 16e0d6e8fe7-16e0d6e8ff0 25->30 31 16e0d6e8bbb 26->31 32 16e0d6e8aa2-16e0d6e8ab5 26->32 38 16e0d6e8d27-16e0d6e8d2e 27->38 39 16e0d6e8d12-16e0d6e8d17 27->39 33 16e0d6e8d00-16e0d6e8d05 28->33 36 16e0d6e8e65 29->36 37 16e0d6e8e31-16e0d6e8e52 29->37 34 16e0d6e8ff6-16e0d6e9020 30->34 35 16e0d6e8ea5-16e0d6e8eec LoadLibraryA 30->35 31->27 40 16e0d6e8aba-16e0d6e8af7 32->40 33->27 43 16e0d6e8c44-16e0d6e8c57 33->43 41 16e0d6e91ea-16e0d6e9240 34->41 42 16e0d6e9026-16e0d6e9039 34->42 45 16e0d6e8fd2-16e0d6e8fdc 35->45 36->21 37->29 38->9 39->38 44 16e0d6e8d19-16e0d6e8d1e 39->44 40->40 46 16e0d6e8af9-16e0d6e8b05 40->46 50 16e0d6e91db-16e0d6e91e4 42->50 47 16e0d6e8c5c-16e0d6e8c99 43->47 44->38 51 16e0d6e8d20-16e0d6e8d25 44->51 48 16e0d6e8fe2 45->48 49 16e0d6e8ef1-16e0d6e8ef6 45->49 55 16e0d6e8b1d-16e0d6e8b4a 46->55 56 16e0d6e8b07-16e0d6e8b0e 46->56 47->47 57 16e0d6e8c9b-16e0d6e8ca7 47->57 48->30 52 16e0d6e8efc-16e0d6e8f06 49->52 53 16e0d6e8f8f-16e0d6e8fbe 49->53 50->41 58 16e0d6e903e-16e0d6e9071 50->58 51->38 54 16e0d6e8d3f 51->54 52->53 60 16e0d6e8f0c-16e0d6e8f8d 52->60 67 16e0d6e8fc1-16e0d6e8fcb 53->67 54->12 64 16e0d6e8b4c-16e0d6e8b5f 55->64 65 16e0d6e8b61-16e0d6e8b68 55->65 56->55 61 16e0d6e8b10-16e0d6e8b17 56->61 62 16e0d6e8ca9-16e0d6e8cd6 57->62 63 16e0d6e8cf6-16e0d6e8cfb 57->63 66 16e0d6e91b9-16e0d6e91c8 58->66 60->67 61->55 71 16e0d6e8ba6-16e0d6e8bab 61->71 72 16e0d6e8ceb-16e0d6e8cf2 62->72 73 16e0d6e8cd8-16e0d6e8ce7 62->73 63->33 74 16e0d6e8b9b-16e0d6e8ba2 64->74 75 16e0d6e8b6a-16e0d6e8b7d 65->75 76 16e0d6e8b7f-16e0d6e8b86 65->76 69 16e0d6e9076-16e0d6e9083 66->69 70 16e0d6e91ce-16e0d6e91d7 66->70 67->45 78 16e0d6e8fcd 67->78 80 16e0d6e90c4-16e0d6e90d1 69->80 81 16e0d6e9085-16e0d6e90bf 69->81 70->50 71->26 72->63 73->72 74->71 75->74 76->74 79 16e0d6e8b88-16e0d6e8b97 76->79 78->45 79->74 82 16e0d6e9114-16e0d6e9121 80->82 83 16e0d6e90d3-16e0d6e910f 80->83 84 16e0d6e91b4 81->84 85 16e0d6e9167-16e0d6e9174 82->85 86 16e0d6e9123-16e0d6e9165 82->86 83->84 84->66 85->84 87 16e0d6e9176-16e0d6e91b1 85->87 86->84 87->84
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocLibraryLoadVirtual
                      • String ID:
                      • API String ID: 3550616410-0
                      • Opcode ID: e5779a8fec03a52a41f730243e1c668b38c4984dd735e796280ec9111f67fa25
                      • Instruction ID: f110608ab294e043bfe6cb1c9c9e27532a93d63795292d3bdc10431a8e07feb9
                      • Opcode Fuzzy Hash: e5779a8fec03a52a41f730243e1c668b38c4984dd735e796280ec9111f67fa25
                      • Instruction Fuzzy Hash: E862C177711B988EDB90CF6AD88039C37E5F748B98F108126FA4D87B68EB79C5918740

                      Non-executed Functions

                      Function 0000016E0D6F5914 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 841 16e0d6f5914-16e0d6f595c call 16e0d6efec0 844 16e0d6f5965-16e0d6f5968 841->844 845 16e0d6f595e-16e0d6f5960 841->845 847 16e0d6f596a-16e0d6f5984 call 16e0d6f10a8 call 16e0d6f1118 call 16e0d6f1740 844->847 848 16e0d6f5989-16e0d6f59bb 844->848 846 16e0d6f6026-16e0d6f604f call 16e0d6f7220 845->846 847->846 849 16e0d6f59bd-16e0d6f59c4 848->849 850 16e0d6f59c6-16e0d6f59cc 848->850 849->847 849->850 853 16e0d6f59db-16e0d6f59e4 call 16e0d6f8dbc 850->853 854 16e0d6f59ce-16e0d6f59d6 call 16e0d6f70ec 850->854 862 16e0d6f59ea-16e0d6f59fb 853->862 863 16e0d6f5ca6-16e0d6f5cb7 853->863 854->853 862->863 868 16e0d6f5a01-16e0d6f5a35 call 16e0d6f4c44 call 16e0d701808 862->868 866 16e0d6f5cbd-16e0d6f5cc9 863->866 867 16e0d6f5f88-16e0d6f5fa4 call 16e0d701700 863->867 869 16e0d6f5d97-16e0d6f5d9b 866->869 870 16e0d6f5ccf-16e0d6f5cd2 866->870 882 16e0d6f5fa6-16e0d6f5fac 867->882 883 16e0d6f5fae-16e0d6f5fb4 call 16e0d701728 867->883 868->863 902 16e0d6f5a3b-16e0d6f5a3d 868->902 873 16e0d6f5e76-16e0d6f5e79 869->873 874 16e0d6f5da1-16e0d6f5da4 869->874 875 16e0d6f5cd8 870->875 876 16e0d6f5fe6-16e0d6f5ffc 870->876 873->876 879 16e0d6f5e7f 873->879 874->876 880 16e0d6f5daa 874->880 881 16e0d6f5cdb-16e0d6f5ce6 875->881 884 16e0d6f6008-16e0d6f6018 call 16e0d6f1118 call 16e0d6f10a8 876->884 885 16e0d6f5ffe-16e0d6f6002 876->885 887 16e0d6f5e85-16e0d6f5e8a 879->887 888 16e0d6f5daf-16e0d6f5dba 880->888 889 16e0d6f5ce8-16e0d6f5cf1 881->889 890 16e0d6f5fb6-16e0d6f5fb8 882->890 883->890 900 16e0d6f6020-16e0d6f6024 884->900 885->845 885->884 894 16e0d6f5e8c-16e0d6f5e95 887->894 895 16e0d6f5dbc-16e0d6f5dc5 888->895 896 16e0d6f5d19-16e0d6f5d5c call 16e0d701700 889->896 897 16e0d6f5cf3-16e0d6f5cfc 889->897 899 16e0d6f5fba-16e0d6f5fbc 890->899 890->900 905 16e0d6f5e97-16e0d6f5ea4 894->905 906 16e0d6f5ec6-16e0d6f5f0f call 16e0d701818 894->906 907 16e0d6f5df8-16e0d6f5e3b call 16e0d701700 895->907 908 16e0d6f5dc7-16e0d6f5dd4 895->908 896->883 930 16e0d6f5d62-16e0d6f5d78 896->930 909 16e0d6f5d08-16e0d6f5d17 897->909 910 16e0d6f5cfe-16e0d6f5d05 897->910 899->876 912 16e0d6f5fbe-16e0d6f5fc1 899->912 900->846 903 16e0d6f5a48-16e0d6f5a5c call 16e0d701810 902->903 904 16e0d6f5a3f-16e0d6f5a42 902->904 932 16e0d6f5c9d-16e0d6f5ca1 903->932 933 16e0d6f5a62-16e0d6f5a65 903->933 904->863 904->903 915 16e0d6f5ea6-16e0d6f5eae 905->915 916 16e0d6f5eb2-16e0d6f5ec4 905->916 906->883 935 16e0d6f5f15 906->935 907->883 936 16e0d6f5e41-16e0d6f5e57 907->936 918 16e0d6f5dd6-16e0d6f5de0 908->918 919 16e0d6f5de4-16e0d6f5df6 908->919 909->889 909->896 910->909 922 16e0d6f5fda-16e0d6f5fe1 call 16e0d6f10c8 912->922 923 16e0d6f5fc3-16e0d6f5fd3 call 16e0d6f1118 call 16e0d6f10a8 912->923 915->916 916->894 916->906 918->919 919->895 919->907 922->876 923->922 930->890 937 16e0d6f5d7e-16e0d6f5d8c 930->937 932->899 940 16e0d6f5a6b-16e0d6f5a8a 933->940 941 16e0d6f5bef-16e0d6f5bf4 933->941 942 16e0d6f5f17-16e0d6f5f51 call 16e0d701700 935->942 936->890 943 16e0d6f5e5d-16e0d6f5e6b 936->943 937->881 938 16e0d6f5d92 937->938 938->890 947 16e0d6f5aac-16e0d6f5ab6 call 16e0d6f7b38 940->947 948 16e0d6f5a8c-16e0d6f5aaa 940->948 944 16e0d6f5bf6-16e0d6f5c12 941->944 945 16e0d6f5c14 941->945 959 16e0d6f5f53-16e0d6f5f5d 942->959 960 16e0d6f5f61-16e0d6f5f69 call 16e0d701728 942->960 943->888 950 16e0d6f5e71 943->950 951 16e0d6f5c19-16e0d6f5c1e 944->951 945->951 964 16e0d6f5aec-16e0d6f5af2 947->964 965 16e0d6f5ab8-16e0d6f5ac5 947->965 952 16e0d6f5af5-16e0d6f5b02 call 16e0d6fa1ec 948->952 950->890 956 16e0d6f5c20-16e0d6f5c2f call 16e0d6fa1f4 951->956 957 16e0d6f5c5f 951->957 969 16e0d6f5b08-16e0d6f5b45 call 16e0d701818 952->969 970 16e0d6f5c94-16e0d6f5c98 952->970 956->883 978 16e0d6f5c35-16e0d6f5c3b 956->978 966 16e0d6f5c64-16e0d6f5c6c 957->966 959->942 967 16e0d6f5f5f 959->967 975 16e0d6f5f6d-16e0d6f5f6f 960->975 964->952 972 16e0d6f5acb-16e0d6f5ae1 call 16e0d6fa1ec 965->972 973 16e0d6f5c73-16e0d6f5c8b 965->973 966->970 974 16e0d6f5c6e 966->974 967->975 969->970 984 16e0d6f5b4b-16e0d6f5b7a call 16e0d701700 969->984 970->890 972->970 986 16e0d6f5ae7-16e0d6f5aea 972->986 973->970 974->933 975->890 976 16e0d6f5f71-16e0d6f5f80 975->976 976->887 980 16e0d6f5f86 976->980 978->957 982 16e0d6f5c3d-16e0d6f5c53 call 16e0d6fa1f4 978->982 980->890 982->883 990 16e0d6f5c59-16e0d6f5c5b 982->990 984->883 991 16e0d6f5b80-16e0d6f5b8e 984->991 986->969 990->957 991->970 992 16e0d6f5b94-16e0d6f5b9e 991->992 992->966 993 16e0d6f5ba4-16e0d6f5bd6 call 16e0d701700 992->993 993->883 996 16e0d6f5bdc-16e0d6f5be1 993->996 996->970 997 16e0d6f5be7-16e0d6f5bed 996->997 997->966
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: __doserrno_errno_invalid_parameter_noinfo
                      • String ID: U
                      • API String ID: 3902385426-4171548499
                      • Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                      • Instruction ID: 41e8c0d0e95d49d570cac34cff5578a296b681018cc8acda8f82931fdf9cfcab
                      • Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                      • Instruction Fuzzy Hash: 7012E63B324A8586EB208F28E8843DE77E1F785794F540316FA4A53A94DBBBC945CB10
                      Function 0000016E0D6F1B48 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227COMMON
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1171 16e0d6f1b48-16e0d6f1b4b 1172 16e0d6f1c59-16e0d6f1c67 1171->1172 1173 16e0d6f1b51-16e0d6f1b54 1171->1173 1176 16e0d6f1c6d-16e0d6f1c73 1172->1176 1177 16e0d6f1e97 1172->1177 1174 16e0d6f1b5a 1173->1174 1175 16e0d6f1c01-16e0d6f1c0c 1173->1175 1180 16e0d6f1f84-16e0d6f1f89 1174->1180 1178 16e0d6f1c35-16e0d6f1c41 1175->1178 1179 16e0d6f1c0e-16e0d6f1c29 call 16e0d6f9014 1175->1179 1183 16e0d6f1edd-16e0d6f1f2b call 16e0d701858 1176->1183 1181 16e0d6f1e99-16e0d6f1e9d 1177->1181 1182 16e0d6f1ea7-16e0d6f1eb5 1177->1182 1189 16e0d6f1c44-16e0d6f1c48 1178->1189 1179->1189 1201 16e0d6f1c2b-16e0d6f1c33 1179->1201 1187 16e0d6f20e5-16e0d6f20ec 1180->1187 1188 16e0d6f1f8f-16e0d6f1f93 1180->1188 1181->1183 1190 16e0d6f1e9f-16e0d6f1ea5 1181->1190 1182->1183 1184 16e0d6f1eb7-16e0d6f1ece call 16e0d6f3ba8 1182->1184 1217 16e0d6f1f2d-16e0d6f1f30 1183->1217 1218 16e0d6f1f48-16e0d6f1f4c 1183->1218 1205 16e0d6f1ed7 1184->1205 1206 16e0d6f1ed0-16e0d6f1ed5 1184->1206 1193 16e0d6f20fd-16e0d6f211c 1187->1193 1194 16e0d6f20ee-16e0d6f20f9 call 16e0d6ee644 1187->1194 1196 16e0d6f1fc6 1188->1196 1197 16e0d6f1f95-16e0d6f1f9a 1188->1197 1189->1180 1190->1183 1219 16e0d6f230b-16e0d6f2311 1193->1219 1220 16e0d6f2122-16e0d6f2126 1193->1220 1194->1193 1199 16e0d6f1fca-16e0d6f1fdd 1196->1199 1202 16e0d6f1f9c-16e0d6f1fa1 1197->1202 1203 16e0d6f1fa3-16e0d6f1fa7 1197->1203 1211 16e0d6f1ff0-16e0d6f2011 call 16e0d6f2e1c 1199->1211 1212 16e0d6f1fdf-16e0d6f1feb call 16e0d6f2348 1199->1212 1201->1189 1209 16e0d6f1fae-16e0d6f1fb7 1202->1209 1213 16e0d6f1fb9-16e0d6f1fbd 1203->1213 1214 16e0d6f1fa9 1203->1214 1205->1183 1206->1183 1209->1199 1227 16e0d6f202a-16e0d6f2033 1211->1227 1228 16e0d6f2013-16e0d6f2017 1211->1228 1212->1211 1213->1196 1216 16e0d6f1fbf-16e0d6f1fc4 1213->1216 1214->1209 1216->1209 1217->1218 1224 16e0d6f1f32-16e0d6f1f43 call 16e0d701858 1217->1224 1225 16e0d6f1f68-16e0d6f1f6b 1218->1225 1226 16e0d6f1f4e-16e0d6f1f50 1218->1226 1231 16e0d6f2313-16e0d6f2317 1219->1231 1232 16e0d6f231e-16e0d6f2347 call 16e0d6f7220 1219->1232 1224->1218 1229 16e0d6f1f6d-16e0d6f1f72 1225->1229 1230 16e0d6f1f75-16e0d6f1f80 call 16e0d6f8880 1225->1230 1226->1225 1234 16e0d6f1f52-16e0d6f1f63 call 16e0d701858 1226->1234 1237 16e0d6f20a5-16e0d6f20c0 call 16e0d6f2e1c 1227->1237 1238 16e0d6f2035-16e0d6f2037 1227->1238 1228->1227 1235 16e0d6f2019-16e0d6f2025 call 16e0d6f2348 1228->1235 1229->1230 1230->1180 1231->1232 1234->1225 1235->1227 1252 16e0d6f20c3 1237->1252 1238->1237 1244 16e0d6f2039 1238->1244 1249 16e0d6f203c-16e0d6f2061 call 16e0d6f9014 1244->1249 1256 16e0d6f2097-16e0d6f20a3 1249->1256 1257 16e0d6f2063-16e0d6f2068 1249->1257 1253 16e0d6f20c7-16e0d6f20c9 1252->1253 1253->1187 1255 16e0d6f20cb-16e0d6f20cf 1253->1255 1255->1187 1258 16e0d6f20d1-16e0d6f20e2 call 16e0d6f2348 1255->1258 1256->1253 1257->1256 1259 16e0d6f206a-16e0d6f208e call 16e0d6f2e1c 1257->1259 1258->1187 1259->1249 1264 16e0d6f2090-16e0d6f2095 1259->1264 1264->1252
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: write_multi_char$write_string$free
                      • String ID:
                      • API String ID: 2630409672-3916222277
                      • Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                      • Instruction ID: d11a1da60013ea27ff9360df1f8ab37d48d9c3265fd42a5774d3f9eeb4850b0d
                      • Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                      • Instruction Fuzzy Hash: 9DA1803B728B5486FB218B55A8103EE7BE1F786794F141206FE49676D8DBBBC941CB00
                      Function 0000016E0D6F621C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 388111225-0
                      • Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                      • Instruction ID: 46f50e9557bb5b66229ae57b2198ae846d51afb55a8ee1ccd53afb34b2c77de8
                      • Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                      • Instruction Fuzzy Hash: E0318E3B720B9486E716AFA6EC417ED35D0A7827A0F955329FA11377D2CABBC8418710
                      Function 0000016E0D6FF150 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1303 16e0d6ff150-16e0d6ff164 1304 16e0d6ff166-16e0d6ff169 1303->1304 1305 16e0d6ff1d9-16e0d6ff20b 1303->1305 1306 16e0d6ff185-16e0d6ff188 1304->1306 1307 16e0d6ff16b-16e0d6ff184 call 16e0d6f1118 call 16e0d6f1740 1304->1307 1310 16e0d6ff214-16e0d6ff217 1305->1310 1311 16e0d6ff20d-16e0d6ff20f 1305->1311 1306->1307 1312 16e0d6ff18a-16e0d6ff191 1306->1312 1315 16e0d6ff233-16e0d6ff236 1310->1315 1316 16e0d6ff219-16e0d6ff22e call 16e0d6f1118 call 16e0d6f1740 1310->1316 1314 16e0d6ff2f9-16e0d6ff313 1311->1314 1312->1307 1317 16e0d6ff193 1312->1317 1315->1316 1321 16e0d6ff238-16e0d6ff240 1315->1321 1316->1314 1320 16e0d6ff196-16e0d6ff1a2 1317->1320 1324 16e0d6ff1a4 1320->1324 1325 16e0d6ff1a8-16e0d6ff1b3 1320->1325 1326 16e0d6ff242-16e0d6ff252 call 16e0d6f1118 call 16e0d6f1740 1321->1326 1327 16e0d6ff257-16e0d6ff273 call 16e0d6f0a00 1321->1327 1324->1325 1331 16e0d6ff1b5 1325->1331 1332 16e0d6ff1b9-16e0d6ff1c0 1325->1332 1346 16e0d6ff2f7 1326->1346 1340 16e0d6ff275 1327->1340 1341 16e0d6ff2b7-16e0d6ff2d2 call 16e0d700010 1327->1341 1331->1332 1334 16e0d6ff1c2-16e0d6ff1c5 1332->1334 1335 16e0d6ff1cc-16e0d6ff1d8 1332->1335 1334->1335 1339 16e0d6ff1c7-16e0d6ff1ca 1334->1339 1339->1320 1339->1335 1344 16e0d6ff278-16e0d6ff284 1340->1344 1349 16e0d6ff2e1 1341->1349 1350 16e0d6ff2d4-16e0d6ff2df call 16e0d6f1118 1341->1350 1347 16e0d6ff286 1344->1347 1348 16e0d6ff28a-16e0d6ff294 1344->1348 1346->1314 1347->1348 1351 16e0d6ff296 1348->1351 1352 16e0d6ff29a-16e0d6ff2a1 1348->1352 1354 16e0d6ff2e4-16e0d6ff2e9 1349->1354 1350->1354 1351->1352 1355 16e0d6ff2a3-16e0d6ff2a6 1352->1355 1356 16e0d6ff2ad-16e0d6ff2b5 1352->1356 1354->1346 1358 16e0d6ff2eb-16e0d6ff2f0 1354->1358 1355->1356 1359 16e0d6ff2a8-16e0d6ff2ab 1355->1359 1356->1354 1358->1346 1359->1344 1359->1356
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 1812809483-0
                      • Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                      • Instruction ID: 53b7ea9ab4a8fb0dfaedd370c76f00fb873f911972e6197b98ef1d0e82e8751f
                      • Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                      • Instruction Fuzzy Hash: E341F27F730B5181FB60EB62AC403ED76E0EB65BA4F944321FA94636C5D7AB88458700
                      Function 0000016E0D6F7008 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                      • String ID:
                      • API String ID: 4140391395-0
                      • Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                      • Instruction ID: 4846e394df2ee0e2a869d6033a2388cf4b3580b987991f8a63b07a998d6c5436
                      • Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                      • Instruction Fuzzy Hash: 7221AC7B720A8085F6056F2AAC017EDB591AB81BF1F494719FA35273D2CBBF84418721
                      Function 0000016E0D6F6E90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                      • String ID:
                      • API String ID: 310312816-0
                      • Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                      • Instruction ID: f416263b0579e61d358fea076bbe6fa8967161867ef416c1e4e4507030836477
                      • Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                      • Instruction Fuzzy Hash: E021D13B721A8085F7116FA5FD413ED75D1A7817E1F494315BA15273D2CBFB88418714
                      Function 0000016E0D6EF36C Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1422 16e0d6ef36c-16e0d6ef390 call 16e0d701858 1425 16e0d6ef3ac-16e0d6ef3c6 call 16e0d6ee644 1422->1425 1426 16e0d6ef392-16e0d6ef398 1422->1426 1433 16e0d6ef3c8-16e0d6ef3ce 1425->1433 1434 16e0d6ef3e2-16e0d6ef421 call 16e0d6ee644 * 3 1425->1434 1427 16e0d6ef39a-16e0d6ef3a3 call 16e0d6ee644 1426->1427 1428 16e0d6ef3a5 1426->1428 1427->1426 1427->1428 1428->1425 1435 16e0d6ef3db 1433->1435 1436 16e0d6ef3d0-16e0d6ef3d9 call 16e0d6ee644 1433->1436 1445 16e0d6ef435-16e0d6ef44f call 16e0d701850 1434->1445 1446 16e0d6ef423-16e0d6ef42b 1434->1446 1435->1434 1436->1433 1436->1435 1451 16e0d6ef451-16e0d6ef456 call 16e0d6ee644 1445->1451 1452 16e0d6ef45e-16e0d6ef468 1445->1452 1446->1445 1447 16e0d6ef42d-16e0d6ef430 call 16e0d6ee644 1446->1447 1447->1445 1451->1452 1454 16e0d6ef46a-16e0d6ef46f call 16e0d6ee644 1452->1454 1455 16e0d6ef477-16e0d6ef486 1452->1455 1454->1455 1456 16e0d6ef488-16e0d6ef499 1455->1456 1457 16e0d6ef4a7-16e0d6ef4b1 1455->1457 1456->1457 1460 16e0d6ef49b-16e0d6ef4a0 call 16e0d6ee644 1456->1460 1460->1457
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno
                      • String ID:
                      • API String ID: 2288870239-0
                      • Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                      • Instruction ID: 277ce37c5229d33bf203f3a963e10e62eecb0ad82cea42dc6bb7fa28c42f78c0
                      • Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                      • Instruction Fuzzy Hash: 1931C23F3A1A4082FE559B59FC653EC63E4AB947A0F4C0326B919066DADEABC8458341
                      Function 0000016E0D6F5834 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                      • String ID:
                      • API String ID: 2611593033-0
                      • Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                      • Instruction ID: 9586e77b389ec7b081118dbf7d44199b530ee8f78ec494d6035978b3e54cb4b9
                      • Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                      • Instruction Fuzzy Hash: 8621923B720A9086F7156F66FC413ED75E0A7817E1F994715BA26272D2CBFB88418710
                      Function 0000016E0D6F5058 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                      • String ID:
                      • API String ID: 4060740672-0
                      • Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                      • Instruction ID: e2246731cdec9acd0de36273f14a797d9582b3d4b56d72d9a1d1a36da662e6e7
                      • Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                      • Instruction Fuzzy Hash: EB11D03B720B8485F315AF26FC813EC76D0E7827A1F694725F91A272D6CAFB88408754
                      Function 0000016E0D6D3A0C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1524 16e0d6d3a0c-16e0d6d3a3f call 16e0d6d351c 1527 16e0d6d3cc5-16e0d6d3cd5 1524->1527 1528 16e0d6d3a45-16e0d6d3a53 call 16e0d6d388c 1524->1528 1528->1527 1531 16e0d6d3a59-16e0d6d3a8f 1528->1531 1532 16e0d6d3a95-16e0d6d3aa1 1531->1532 1533 16e0d6d3cc0 1531->1533 1532->1533 1534 16e0d6d3aa7-16e0d6d3ac9 call 16e0d6ee684 * 3 1532->1534 1533->1527 1541 16e0d6d3c9f-16e0d6d3ca2 1534->1541 1542 16e0d6d3acf-16e0d6d3ad2 1534->1542 1543 16e0d6d3cac-16e0d6d3caf 1541->1543 1544 16e0d6d3ca4-16e0d6d3ca7 call 16e0d6ee644 1541->1544 1545 16e0d6d3c97-16e0d6d3c9a call 16e0d6ee644 1542->1545 1546 16e0d6d3ad8-16e0d6d3adb 1542->1546 1549 16e0d6d3cb9-16e0d6d3cbe 1543->1549 1550 16e0d6d3cb1-16e0d6d3cb4 call 16e0d6ee644 1543->1550 1544->1543 1545->1541 1546->1545 1551 16e0d6d3ae1-16e0d6d3af3 1546->1551 1549->1527 1550->1549 1552 16e0d6d3b0c-16e0d6d3b17 1551->1552 1553 16e0d6d3af5-16e0d6d3b0a 1551->1553 1555 16e0d6d3b1c-16e0d6d3b27 call 16e0d6d0cbc 1552->1555 1553->1555 1558 16e0d6d3c7b-16e0d6d3c95 call 16e0d6ee644 * 3 1555->1558 1559 16e0d6d3b2d-16e0d6d3b95 call 16e0d6ee930 call 16e0d6eed20 1555->1559 1558->1527 1571 16e0d6d3b97-16e0d6d3b9c 1559->1571 1572 16e0d6d3ba1-16e0d6d3bc3 call 16e0d6d48f0 1559->1572 1571->1558 1572->1558 1575 16e0d6d3bc9-16e0d6d3bcc 1572->1575 1576 16e0d6d3be7-16e0d6d3c00 call 16e0d6d48f0 1575->1576 1577 16e0d6d3bce-16e0d6d3bd7 1575->1577 1576->1558 1581 16e0d6d3c02-16e0d6d3c08 1576->1581 1578 16e0d6d3bda-16e0d6d3be5 1577->1578 1578->1576 1578->1578 1582 16e0d6d3c0a-16e0d6d3c13 1581->1582 1583 16e0d6d3c23-16e0d6d3c2d 1581->1583 1584 16e0d6d3c16-16e0d6d3c21 1582->1584 1585 16e0d6d3c38-16e0d6d3c79 call 16e0d6eed20 * 2 1583->1585 1586 16e0d6d3c2f-16e0d6d3c36 1583->1586 1584->1583 1584->1584 1585->1558 1586->1558
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$malloc$_errno$_callnewh
                      • String ID:
                      • API String ID: 4160633307-0
                      • Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                      • Instruction ID: 8bf0d02320a76f454ac3519f2b5191739088f34800de4730d2c3894bf6351667
                      • Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                      • Instruction Fuzzy Hash: 8B71E17BB2478446EA209B26BC407EE77D5B795BC8F044215BD8647B8ADBBBC806C701
                      Function 0000016E0D6DBE74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 296COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1591 16e0d6dbe74-16e0d6dbfd6 call 16e0d6e53ec call 16e0d6e55e8 * 3 call 16e0d6ea854 call 16e0d6ea864 * 2 call 16e0d6ea834 * 2 call 16e0d6ea854 * 2 call 16e0d6ee684 call 16e0d6ea834 * 3 call 16e0d6ea864 call 16e0d6eb630 call 16e0d6e28a0 call 16e0d6edea8 * 2 call 16e0d6de7c0 1634 16e0d6dbfdd-16e0d6dbff2 call 16e0d6ea834 call 16e0d6de5e4 1591->1634 1635 16e0d6dbfd8 call 16e0d6ece74 1591->1635 1641 16e0d6dbff9-16e0d6dc007 call 16e0d6de5f8 1634->1641 1642 16e0d6dbff4 call 16e0d6ece74 1634->1642 1635->1634 1646 16e0d6dc009 call 16e0d6ece74 1641->1646 1647 16e0d6dc00e-16e0d6dc015 call 16e0d6de674 1641->1647 1642->1641 1646->1647 1651 16e0d6dc01c-16e0d6dc055 call 16e0d6ea864 call 16e0d6ea834 call 16e0d6ee684 1647->1651 1652 16e0d6dc017 call 16e0d6ece74 1647->1652 1660 16e0d6dc05c-16e0d6dc090 call 16e0d6ea834 call 16e0d6edea8 call 16e0d6ea834 call 16e0d6e5060 1651->1660 1661 16e0d6dc057 call 16e0d6ece74 1651->1661 1652->1651 1671 16e0d6dc2bb-16e0d6dc2e7 call 16e0d6eb618 call 16e0d6ee644 call 16e0d6ece74 1660->1671 1672 16e0d6dc096-16e0d6dc09d 1660->1672 1661->1660 1673 16e0d6dc0a2-16e0d6dc124 call 16e0d6eb3c0 call 16e0d6eea3c call 16e0d6eb3c0 call 16e0d6eea3c * 2 call 16e0d6e22e0 1672->1673 1692 16e0d6dc126-16e0d6dc12a 1673->1692 1693 16e0d6dc144-16e0d6dc177 call 16e0d6dde48 call 16e0d6ea834 call 16e0d6dddf4 1673->1693 1695 16e0d6dc12e-16e0d6dc135 1692->1695 1704 16e0d6dc19c-16e0d6dc19f 1693->1704 1705 16e0d6dc179-16e0d6dc187 call 16e0d6ea144 1693->1705 1695->1695 1697 16e0d6dc137-16e0d6dc13a 1695->1697 1697->1693 1698 16e0d6dc13c-16e0d6dc13f call 16e0d6e25f4 1697->1698 1698->1693 1706 16e0d6dc226 1704->1706 1707 16e0d6dc1a5-16e0d6dc1c8 call 16e0d6e5f98 call 16e0d6ea834 1704->1707 1714 16e0d6dc189-16e0d6dc193 call 16e0d6e820c 1705->1714 1715 16e0d6dc195-16e0d6dc198 1705->1715 1710 16e0d6dc22c-16e0d6dc238 call 16e0d6dddc8 call 16e0d6de7c0 1706->1710 1722 16e0d6dc1ca 1707->1722 1723 16e0d6dc1cf-16e0d6dc1f0 call 16e0d6e0cc4 call 16e0d6e4544 call 16e0d6e3e04 call 16e0d6de7c0 1707->1723 1725 16e0d6dc23a call 16e0d6ece74 1710->1725 1726 16e0d6dc23f-16e0d6dc25d call 16e0d6eb304 1710->1726 1714->1704 1715->1704 1722->1723 1750 16e0d6dc1fa-16e0d6dc201 1723->1750 1751 16e0d6dc1f2-16e0d6dc1f5 call 16e0d6de884 1723->1751 1725->1726 1733 16e0d6dc264-16e0d6dc26c 1726->1733 1734 16e0d6dc25f call 16e0d6ece74 1726->1734 1733->1671 1737 16e0d6dc26e-16e0d6dc276 1733->1737 1734->1733 1739 16e0d6dc278-16e0d6dc289 1737->1739 1740 16e0d6dc2a4-16e0d6dc2b5 call 16e0d6e151c 1737->1740 1743 16e0d6dc28b-16e0d6dc29a call 16e0d6de7a0 1739->1743 1744 16e0d6dc29c 1739->1744 1740->1671 1740->1673 1748 16e0d6dc29e-16e0d6dc2a0 1743->1748 1744->1748 1748->1740 1753 16e0d6dc2a2 1748->1753 1750->1710 1755 16e0d6dc203-16e0d6dc224 call 16e0d6dddc8 call 16e0d6dde48 call 16e0d6de004 1750->1755 1751->1750 1753->1740 1755->1710
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
                      • String ID: /'); %s
                      • API String ID: 1314452303-1283008465
                      • Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                      • Instruction ID: eb8512b2d5005c89b523c1c2bac275cd85e6c869784bed2cdd71cb6088f1415a
                      • Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                      • Instruction Fuzzy Hash: 22C1903B72028146FA14EBA6BC557EE32D9AB89780F455324BD96473CBDEBBC406C700
                      Function 0000016E0D6DE004 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 165COMMONLIBRARYCODE
                      Download Yara Rule

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1762 16e0d6de004-16e0d6de07b call 16e0d6ee930 * 3 1769 16e0d6de2ba-16e0d6de2d2 1762->1769 1770 16e0d6de081-16e0d6de099 call 16e0d6e77d0 1762->1770 1773 16e0d6de09b-16e0d6de0a2 1770->1773 1774 16e0d6de0e8-16e0d6de0fe call 16e0d6eea3c 1770->1774 1776 16e0d6de0a5-16e0d6de0ac 1773->1776 1777 16e0d6de103-16e0d6de123 call 16e0d6eea3c 1774->1777 1776->1776 1778 16e0d6de0ae-16e0d6de0b1 1776->1778 1783 16e0d6de126-16e0d6de12d 1777->1783 1778->1774 1780 16e0d6de0b3-16e0d6de0e6 call 16e0d6e25f4 call 16e0d6eea3c call 16e0d6ee930 1778->1780 1780->1777 1783->1783 1785 16e0d6de12f-16e0d6de16d call 16e0d6ea854 call 16e0d6e6f38 1783->1785 1794 16e0d6de1a6-16e0d6de1ab 1785->1794 1795 16e0d6de16f-16e0d6de1a1 call 16e0d6e2170 call 16e0d6e200c 1785->1795 1796 16e0d6de1ae-16e0d6de1b5 1794->1796 1795->1794 1796->1796 1799 16e0d6de1b7-16e0d6de1c2 1796->1799 1801 16e0d6de1d6-16e0d6de1e6 call 16e0d6eea3c 1799->1801 1802 16e0d6de1c4-16e0d6de1d4 call 16e0d6eea3c 1799->1802 1806 16e0d6de1eb-16e0d6de1f0 call 16e0d6ed4fc 1801->1806 1802->1806 1809 16e0d6de1f2-16e0d6de248 call 16e0d6ea854 call 16e0d701970 call 16e0d6ddd18 1806->1809 1816 16e0d6de24b-16e0d6de253 1809->1816 1816->1816 1817 16e0d6de255-16e0d6de278 call 16e0d701980 call 16e0d6de3bc 1816->1817 1822 16e0d6de27a-16e0d6de290 call 16e0d701940 call 16e0d701710 1817->1822 1823 16e0d6de298 call 16e0d701940 1817->1823 1822->1809 1833 16e0d6de296 1822->1833 1826 16e0d6de29e-16e0d6de2b5 call 16e0d6e77c4 call 16e0d6ed52c 1823->1826 1826->1769 1833->1826
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintf
                      • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                      • API String ID: 3512837008-1250630670
                      • Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                      • Instruction ID: f6cc1d96c46e73612d75ce7de2259e82e5019e142ca1526650fcb790bb4a7fd6
                      • Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                      • Instruction Fuzzy Hash: BE81367B720B8496EB109B65EC407DD37E1F788784F880626FA894779ADBBBC505C700
                      Function 0000016E0D6E0A94 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON
                      Download Yara Rule

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
                      • String ID: mode
                      • API String ID: 1756087678-2976727214
                      • Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                      • Instruction ID: c7ed00175e4ed0d392d3daa4fd4e326e618dc6a7971037729dcab612383d2a58
                      • Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                      • Instruction Fuzzy Hash: 49419F3B32464082EA10EB12BC553EE76D5B789BD4F848321BE5A47BDADEBBC505C740
                      Function 0000016E0D6E8620 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 87COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
                      • String ID: /'); %s
                      • API String ID: 761449704-1283008465
                      • Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                      • Instruction ID: cda3c861862010b9d7d1c89a2d59bb652b147195a4bc5675ef3e599bb7b1ec78
                      • Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                      • Instruction Fuzzy Hash: DB31CF3B31028485EA159BA27C143ED7BE67386FD0F884251FEA50B7DACABBC4429300
                      Function 0000016E0D6EF210 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 2917016420-0
                      • Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                      • Instruction ID: c5cf55d245f12e3b25cffe9676dd5e6624b41195d0ea56b816c82a0bdc5e1b78
                      • Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                      • Instruction Fuzzy Hash: E2315C3B320F4486FB109BA6EC053AD76E9AB95B94F184724BE49937D9DFBBC4418700
                      Function 0000016E0D6FEFD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 3191669884-0
                      • Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                      • Instruction ID: b2f9b495c2f00978c78625a965eefa44fa53544a8ad0ea8944b182e434b04c79
                      • Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                      • Instruction Fuzzy Hash: A1317C7B324B8485E7209F12E8947DDB6E4FB95BE0F548221FA5827B86CBB7C845C700
                      Function 0000016E0D6EFF10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                      • String ID:
                      • API String ID: 2328795619-0
                      • Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                      • Instruction ID: c2bea929b04b4aaec7e2e082e0c9548572f6a0f6a5954cc74915f21e9920a94a
                      • Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                      • Instruction Fuzzy Hash: 6E51D23B724A5082EB248A66BD007EDB6D4A755BF4F148714BA3953BDACBB7C8918340
                      Function 0000016E0D6E1030 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 150COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$freemalloc$_callnewh
                      • String ID: 1:%u/'); %s$n from %d (%u)$open process: %d (%u)
                      • API String ID: 2029259483-317027030
                      • Opcode ID: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                      • Instruction ID: 197aa26062c1746d9feea99ddf891927ec41265edb601cffb7570f152b103b8b
                      • Opcode Fuzzy Hash: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                      • Instruction Fuzzy Hash: 2E617D7A71475486EB10DB61F8402EDB7E1F389B94F404216FE8A87B99EBBBC505CB40
                      Function 0000016E0D6EFA20 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                      • String ID:
                      • API String ID: 1547050394-0
                      • Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                      • Instruction ID: 75393b25b6ca4df106c2076bf71c34ccedd8ae46ad671357288a1061832604b4
                      • Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                      • Instruction Fuzzy Hash: 6721A83B32478292FB115B22BC013DEB6D97B557C0F444621B989A7BD9EBBFC5414700
                      Function 0000016E0D6F9B3C Relevance: 9.1, APIs: 6, Instructions: 63COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
                      • String ID:
                      • API String ID: 2102446242-0
                      • Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                      • Instruction ID: b0e965c94b5f987b47bc094a3ded2ee6ea39f9caaf10da20a12423239fab3235
                      • Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                      • Instruction Fuzzy Hash: E621D13B320F8081F7116FA5FC813EE7AD4A7817A0F49431ABA15672D2CAFB88408B14
                      Function 0000016E0D6EE3EC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
                      • String ID: dpoolWait
                      • API String ID: 2026495703-1875951006
                      • Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                      • Instruction ID: 75ffdd0bdd59d2f4311efc090e5becafe4358302d31913fe2b157c86901c3e52
                      • Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                      • Instruction Fuzzy Hash: 00018B76721B9081EA44DB12B80479D77D9E799BE0F054329FEA9477CACABAC4418780
                      Function 0000016E0D6E25F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: freemallocstrchr$rand
                      • String ID:
                      • API String ID: 1305919620-0
                      • Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                      • Instruction ID: ef5627823f1d9850b3b59ae2eaa37386b375050251ee452ebfa6e2fcdf0a307f
                      • Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                      • Instruction Fuzzy Hash: 0E712977724AC441FA259B29B8103EE73D5EF99B84F084310FB891779AEE6BC1468704
                      Function 0000016E0D6D3570 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_callnewhmalloc
                      • String ID:
                      • API String ID: 2761444284-0
                      • Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                      • Instruction ID: 6ce6982f11cc5dbb40cfb9e7f14872e024e9d0c1c19d730e6cdcab6bccaf01cc
                      • Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                      • Instruction Fuzzy Hash: 2E41CC3B76079197EA149B26BD507AD77E4BB49B80F444220EE8647786EFB7D422C301
                      Function 0000016E0D6EB630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: strtok$_getptd_time64malloc
                      • String ID: eThreadpoolTimer
                      • API String ID: 1522986614-2707337283
                      • Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                      • Instruction ID: 7577cb71726695bdac4bc33049a4bc7cb349f210a99516eded9ad092f475fcd7
                      • Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                      • Instruction Fuzzy Hash: 1E21A2BB760B9481EB00DF16B8886AD37E8F754B94F164315FE5A4378ACA76C4418780
                      Function 0000016E0D6E13B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
                      • String ID: uld not open process: %d (%u)
                      • API String ID: 2566950902-823969559
                      • Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                      • Instruction ID: 7f65e571fe65691985c8632b461793787480186acd064ca42d09d39eb9a02169
                      • Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                      • Instruction Fuzzy Hash: A4F06D3A314B40C9E2109B12BC113DEB3A4A785BC0F584321BF8917B9BDEBBC4018744
                      Function 0000016E0D6DDA8C Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
                      • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                      • API String ID: 199363273-1250630670
                      • Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                      • Instruction ID: 268bf6c35ef708ca655a872321c9920101a46871a770bdf976d3b8bc2f7464ad
                      • Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                      • Instruction Fuzzy Hash: A2718B7B72078486EB109B61FC407EE77E9F784B98F440216FE8957A99DBBAC505CB00
                      Function 0000016E0D6EFA2C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                      • String ID:
                      • API String ID: 1640621425-0
                      • Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                      • Instruction ID: 884d0040f73c3c5a5410ba1676ce9fa2d1c6a8c2100960b2316f96fc7e7b742b
                      • Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                      • Instruction Fuzzy Hash: 0741D33B32064087EA689A277D5439EB6D9BB84FE0F188724BF554B7D9D6BBC4458300
                      Function 0000016E0D6D48F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_callnewhmalloc
                      • String ID:
                      • API String ID: 2761444284-0
                      • Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                      • Instruction ID: b9fd181703b14e6941ea9ce93bec54b547cc914debe92f34d0ceac7c71937624
                      • Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                      • Instruction Fuzzy Hash: 3141D03B72438542EA15DB2A7C003AD77D9B755B88F0D4220FD958B78AEEBBD806C304
                      Function 0000016E0D6DF064 Relevance: 7.6, APIs: 5, Instructions: 58fileCOMMON
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno$free$_callnewhfclosefwritemalloc
                      • String ID:
                      • API String ID: 1696598829-0
                      • Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                      • Instruction ID: 91f63abb2f26482910bbc721d34fda3789288a543fc9696c2b070677b6d5ab52
                      • Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                      • Instruction Fuzzy Hash: 8211727B72468081EA10E612B8513EE73D5AB95BD4F484321BE9A4BBCEDEABC5018740
                      Function 0000016E0D6F99EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _getptd_noexit$__doserrno_errno
                      • String ID:
                      • API String ID: 2964073243-0
                      • Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                      • Instruction ID: 379c5c02aa7963813ed3eb6ef3cd1e723754785db7e4f8dc4489fdd3d45bbc94
                      • Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                      • Instruction Fuzzy Hash: 9B016D7B731F8484FA056B35EC423EC71D19BA2BA2F958302F529263D2CAAF44004B10
                      Function 0000016E0D6E5228 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _snprintfmallocstrrchr
                      • String ID: Failed to impersonate token: %d$t permissions in process: %d
                      • API String ID: 3587327836-1492073275
                      • Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                      • Instruction ID: a4b6aa2aee498e1eae4dbe891b129957601640d77801946d6e2155ccdc378b1a
                      • Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                      • Instruction Fuzzy Hash: 6E415F3A71438046EA04EB62BC153EE77D5B785BD4F884224BD564B7DADEBBC4028740
                      Function 0000016E0D6EB3C0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE
                      Download Yara Rule
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                      • Instruction ID: 4cc0da1afb6cf478bf0ed5ad1cc0bc4899634e471b998e37234ead8a36e60bb8
                      • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                      • Instruction Fuzzy Hash: A5616D3F761640C6E7148F1DAD453EC72E5E758B55F28432AE9164B3E9CBBBC8418B80
                      Function 0000016E0D6E2170 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                      • String ID: not create token: %d
                      • API String ID: 1095232423-2272930512
                      • Opcode ID: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                      • Instruction ID: fc7ed505da5e128cab4b48117a823234e5c450389f6c458ab8d24c888d11fa3b
                      • Opcode Fuzzy Hash: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                      • Instruction Fuzzy Hash: 4241B07B320E8091EA119B2AE5453ECB3E5FF98B84F085611EF4817B56DF76D1B28340
                      Function 0000016E0D6FE9D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                      • String ID:
                      • API String ID: 4151157258-0
                      • Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                      • Instruction ID: dcbb1e313c239413e85cabc70649eff694998e4c06180f9a6ed3ebd00e4735d7
                      • Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                      • Instruction Fuzzy Hash: E72127BB328AA440FB609615B8503FDBED0F341BD4F184321FA9627AEBD9AFC5418710
                      Function 0000016E0D6D04D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: clock
                      • String ID:
                      • API String ID: 3195780754-0
                      • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                      • Instruction ID: 0c0c0e9b34e4600378c6d2b524df617c60a4323671a9de73b5919e09c4b5a51a
                      • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                      • Instruction Fuzzy Hash: 5311063BB1474595F770AE667D803AFBAD0FB88394F190225FE8513242E9B7C8828701
                      Function 0000016E0D6EEC60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                      • String ID: B
                      • API String ID: 1812809483-1255198513
                      • Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                      • Instruction ID: fe1e04ce740bf353a08c6270577ae3f0cab9eeffaa417413f26240eab5f21197
                      • Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                      • Instruction Fuzzy Hash: E9118E77720B4086EB109B12E84039DB6A4F7A9FE4F544320BB6817B9ACF7EC140CB00
                      Function 0000016E0D6D10C4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_calloc_implcalloc
                      • String ID:
                      • API String ID: 4000150058-0
                      • Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                      • Instruction ID: 5440ae9fa2b91804684bbf99c636ea237ba0e380f3d1b0c8940e2936b9b61e89
                      • Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                      • Instruction Fuzzy Hash: 38C1E837714B848AE764CF65F88079E77E4F389B84F10422AEA8D47B59DBBAC455CB00
                      Function 0000016E0D6EA144 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: free$_errno$_callnewhmalloc
                      • String ID:
                      • API String ID: 2761444284-0
                      • Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                      • Instruction ID: 275c3bc56d8250d9682d9032096f6d8ad77e971f1c891453eaa656dfb67487e1
                      • Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                      • Instruction Fuzzy Hash: 7A51C33F32024586EA18AB65BC503ED73D9BB80B80F584725BA5A577DADFFBC5068700
                      Function 0000016E0D6D3700 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE
                      Download Yara Rule
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.2199747938.0000016E0D6D0000.00000020.10000000.00040000.00000000.sdmp, Offset: 0000016E0D6D0000, based on PE: true
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_16e0d6d0000_rundll32.jbxd
                      Yara matches
                      Similarity
                      • API ID: malloc
                      • String ID:
                      • API String ID: 2803490479-0
                      • Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                      • Instruction ID: a10f94c7853e565950403b1c3b024fb24f721a04acf555901b28c03317bafae1
                      • Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                      • Instruction Fuzzy Hash: 2B41AB3BB2068086EB58CA66B8007AD73E0F344B84F144625FEAA47785EFB7D8058701