Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
gJtW7azO4o.exe

Overview

General Information

Sample name:gJtW7azO4o.exe
renamed because original name is a hash value
Original sample name:8dbd0ea7fed26a8963c847daa3ede4574822c036342e3bc787160fadb065f20d.exe
Analysis ID:1542743
MD5:f0d90fa9d8b8dfdb5861d9506ec6b41c
SHA1:f81a4b95d1f9546b4ed231f5affab9304a894bf1
SHA256:8dbd0ea7fed26a8963c847daa3ede4574822c036342e3bc787160fadb065f20d
Tags:20-25-126-96exeuser-JAMESWT_MHT
Infos:

Detection

CobaltStrike
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • gJtW7azO4o.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\gJtW7azO4o.exe" MD5: F0D90FA9D8B8DFDB5861D9506EC6B41C)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Cobalt Strike, CobaltStrikeCobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/j.ad", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_CobaltStrikeYara detected CobaltStrikeJoe Security
    00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_CobaltStrike_3Yara detected CobaltStrikeJoe Security
      00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_CobaltStrike_ee756db7Attempts to detect Cobalt Strike based on strings found in BEACONunknown
      • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
      • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
      • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
      • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
      • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
      • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
      • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
      • 0x32d6a:$a11: Could not open service control manager on %s: %d
      • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
      • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
      • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
      • 0x33255:$a15: could not create remote thread in %d: %d
      • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
      • 0x33203:$a17: could not write to process memory: %d
      • 0x32d9b:$a18: Could not create service %s on %s: %d
      • 0x32e24:$a19: Could not delete service %s on %s: %d
      • 0x32c89:$a20: Could not open process token: %d (%u)
      00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_CobaltStrike_663fc95dIdentifies CobaltStrike via unidentified function codeunknown
      • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
      00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmpWindows_Trojan_CobaltStrike_f0b627fcRule for beacon reflective loaderunknown
      • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
      • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
      Click to see the 28 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      0.2.gJtW7azO4o.exe.200390f0000.0.unpackJoeSecurity_CobaltStrikeYara detected CobaltStrikeJoe Security
        0.2.gJtW7azO4o.exe.200390f0000.0.unpackJoeSecurity_CobaltStrike_4Yara detected CobaltStrikeJoe Security
          0.2.gJtW7azO4o.exe.200390f0000.0.unpackJoeSecurity_CobaltStrike_3Yara detected CobaltStrikeJoe Security
            0.2.gJtW7azO4o.exe.200390f0000.0.unpackWindows_Trojan_CobaltStrike_ee756db7Attempts to detect Cobalt Strike based on strings found in BEACONunknown
            • 0x303a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
            • 0x3041b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
            • 0x3047e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
            • 0x304c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
            • 0x30502:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
            • 0x30538:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
            • 0x30160:$a39: %s as %s\%s: %d
            • 0x30394:$a40: %s.1%x.%x%x.%s
            • 0x3e7e2:$a41: beacon.x64.dll
            • 0x30387:$a43: www6.%x%x.%s
            • 0x3037b:$a44: cdn.%x%x.%s
            • 0x30360:$a47: beacon.dll
            • 0x302d8:$a48: %s%s: %s
            • 0x3018c:$a50: %02d/%02d/%02d %02d:%02d:%02d
            • 0x301b8:$a50: %02d/%02d/%02d %02d:%02d:%02d
            0.2.gJtW7azO4o.exe.200390f0000.0.unpackWindows_Trojan_CobaltStrike_663fc95dIdentifies CobaltStrike via unidentified function codeunknown
            • 0x1c13c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
            Click to see the 40 entries

            Sigma Signatures

            No Sigma rule has matched

            Suricata Signatures

            TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
            2024-10-26T09:11:28.410431+020020287653Unknown Traffic192.168.2.104970320.25.126.96443TCP
            2024-10-26T09:12:31.374720+020020287653Unknown Traffic192.168.2.105540120.25.126.96443TCP

            Joe Sandbox Signatures

            Click to jump to signature section

            Show All Signature Results

            AV Detection

            barindex
            Antivirus / Scanner detection for submitted sample
            Source: gJtW7azO4o.exeAvira: detected
            Found malware configuration
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmpMalware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/j.ad", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
            Multi AV Scanner detection for submitted file
            Source: gJtW7azO4o.exeReversingLabs: Detection: 63%
            AI detected suspicious sample
            Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
            Machine Learning detection for sample
            Source: gJtW7azO4o.exeJoe Sandbox ML: detected
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393B1184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_00000200393B1184
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393E2020 CryptGenRandom,0_2_00000200393E2020
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393E2010 CryptReleaseContext,0_2_00000200393E2010
            Source: gJtW7azO4o.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,0_2_00000200393C9220
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_00000200393C1C30
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 4x nop then sub rsp, 58h0_2_00007FF7B3AD2E70

            Networking

            barindex
            C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: 20.25.126.96
            Source: Joe Sandbox ViewASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:49703 -> 20.25.126.96:443
            Source: Network trafficSuricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.10:55401 -> 20.25.126.96:443
            Source: unknownDNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3)
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownTCP traffic detected without corresponding DNS query: 20.25.126.96
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393BE68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,0_2_00000200393BE68C
            Source: global trafficDNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
            Source: gJtW7azO4o.exe, 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:%u/
            Source: gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/
            Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/.adc
            Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/.ads
            Source: gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/ecurity=Impersonation
            Source: gJtW7azO4o.exe, 00000000.00000003.2088536219.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100710857.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696800130.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/j.ad
            Source: gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/j.ad2;C:
            Source: gJtW7azO4o.exe, 00000000.00000003.2088536219.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100710857.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696800130.000002003924C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/j.ad4
            Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/j.adG
            Source: gJtW7azO4o.exe, 00000000.00000003.2088536219.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100710857.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696800130.000002003924C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/j.adSPb
            Source: gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/j.adSystem3
            Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.1469738037.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2069707591.0000020039226000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://20.25.126.96/j.adw
            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 55403
            Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 55401
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 55402
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
            Source: unknownNetwork traffic detected: HTTP traffic on port 55403 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
            Source: unknownNetwork traffic detected: HTTP traffic on port 55402 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 55401 -> 443

            System Summary

            barindex
            Malicious sample detected (through community Yara rule)
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
            Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
            Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
            Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00007FF7B3AD1C97 GetCurrentProcess,NtSetTimer,0_2_00007FF7B3AD1C97
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00007FF7B3AD14D8 GetCurrentProcess,GetCurrentProcess,NtAlpcCreatePortSection,GetCurrentProcess,GetCurrentProcess,NtCreatePagingFile,0_2_00007FF7B3AD14D8
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00007FF7B3AD1C4B NtAccessCheckAndAuditAlarm,0_2_00007FF7B3AD1C4B
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00007FF7B3AD16CA GetCurrentProcess,GetCurrentProcess,NtCreateJobSet,GetCurrentProcess,NtCompareSigningLevels,0_2_00007FF7B3AD16CA
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C1268 CreateProcessWithLogonW,GetLastError,0_2_00000200393C1268
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200391003340_2_0000020039100334
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200391103740_2_0000020039110374
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_000002003911C3970_2_000002003911C397
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_000002003911239C0_2_000002003911239C
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200391112640_2_0000020039111264
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_000002003911AAB00_2_000002003911AAB0
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_000002003910F5A80_2_000002003910F5A8
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_0000020039106F380_2_0000020039106F38
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_000002003911B7B00_2_000002003911B7B0
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_000002003911CFF00_2_000002003911CFF0
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_000002003911E6000_2_000002003911E600
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200390FCE3C0_2_00000200390FCE3C
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200390F96800_2_00000200390F9680
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_000002003911C6800_2_000002003911C680
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200391159140_2_0000020039115914
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200391119280_2_0000020039111928
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200390F916C0_2_00000200390F916C
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C7B380_2_00000200393C7B38
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393DC3B00_2_00000200393DC3B0
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393DDBF00_2_00000200393DDBF0
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393BDA3C0_2_00000200393BDA3C
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393DF2000_2_00000200393DF200
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393BA2800_2_00000200393BA280
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393DD2800_2_00000200393DD280
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D25280_2_00000200393D2528
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D65140_2_00000200393D6514
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393B9D6C0_2_00000200393B9D6C
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C0F340_2_00000200393C0F34
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D0F740_2_00000200393D0F74
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D2F9C0_2_00000200393D2F9C
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393DCF970_2_00000200393DCF97
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C867C0_2_00000200393C867C
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D1E640_2_00000200393D1E64
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393DB6B00_2_00000200393DB6B0
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D01A80_2_00000200393D01A8
            Source: gJtW7azO4o.exeStatic PE information: Number of sections : 11 > 10
            Source: gJtW7azO4o.exe, 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXEj% vs gJtW7azO4o.exe
            Source: gJtW7azO4o.exeBinary or memory string: OriginalFilenameEXPLORER.EXEj% vs gJtW7azO4o.exe
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
            Source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
            Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
            Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
            Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
            Source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: classification engineClassification label: mal100.troj.evad.winEXE@1/0@1/1
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C0B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00000200393C0B70
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C3A64 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep,0_2_00000200393C3A64
            Source: gJtW7azO4o.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: gJtW7azO4o.exeReversingLabs: Detection: 63%
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeFile read: C:\Users\user\Desktop\gJtW7azO4o.exeJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
            Source: gJtW7azO4o.exeStatic PE information: Image base 0x140000000 > 0x60000000
            Source: gJtW7azO4o.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00000200393D9744
            Source: gJtW7azO4o.exeStatic PE information: section name: .xdata
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_000002003912776C push 0000006Ah; retf 0_2_0000020039127784
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393E916C push 0000006Ah; retf 0_2_00000200393E9184
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D01A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00000200393D01A8

            Malware Analysis System Evasion

            barindex
            Contains functionality to detect sleep reduction / modifications
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393BFA1C0_2_00000200393BFA1C
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C58540_2_00000200393C5854
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeEvasive API call chain: GetLocalTime,DecisionNodesgraph_0-37328
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeAPI coverage: 7.1 %
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C58540_2_00000200393C5854
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C9220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,0_2_00000200393C9220
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C1C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,0_2_00000200393C1C30
            Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.1469738037.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2069707591.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391BC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
            Source: gJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWi
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeAPI call chain: ExitProcess graph end nodegraph_0-37400
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D8B30 IsDebuggerPresent,__crtUnhandledException,0_2_00000200393D8B30
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00000200393D9744
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D9744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00000200393D9744
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393E03C8 VirtualQuery,GetModuleFileNameW,GetPdbDllFromInstallPath,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,0_2_00000200393E03C8
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393E24F0 SetUnhandledExceptionFilter,0_2_00000200393E24F0
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393D44D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00000200393D44D0
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00007FF7B3AD1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,0_2_00007FF7B3AD1180
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            barindex
            Yara detected Powershell download and execute
            Source: Yara matchFile source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR
            Found direct / indirect Syscall (likely to bypass EDR)
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeNtMapViewOfSection: Indirect: 0x7FF7B3AD1D04Jump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeNtCreateThreadEx: Indirect: 0x7FF7B3AD17B1Jump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeNtProtectVirtualMemory: Indirect: 0x7FF7B3AD15F6Jump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeNtProtectVirtualMemory: Indirect: 0x7FF7B3AD1593Jump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeNtProtectVirtualMemory: Indirect: 0x7FF7B3AD1768Jump to behavior
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393CDF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,0_2_00000200393CDF50
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393CDEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00000200393CDEC8
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C0920 CreateNamedPipeA,0_2_00000200393C0920
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393BF3C0 GetLocalTime,0_2_00000200393BF3C0
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,0_2_00000200393C5E28
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C5E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,0_2_00000200393C5E28
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Remote Access Functionality

            barindex
            Yara detected CobaltStrike
            Source: Yara matchFile source: Process Memory Space: gJtW7azO4o.exe PID: 7116, type: MEMORYSTR
            Source: Yara matchFile source: 0.2.gJtW7azO4o.exe.200390f0000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0.2.gJtW7azO4o.exe.200390f0000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.gJtW7azO4o.exe.200393b0000.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.gJtW7azO4o.exe.200393b0000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C6A78 socket,htons,ioctlsocket,closesocket,bind,listen,0_2_00000200393C6A78
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393C6670 htonl,htons,socket,closesocket,bind,ioctlsocket,0_2_00000200393C6670
            Source: C:\Users\user\Desktop\gJtW7azO4o.exeCode function: 0_2_00000200393CEE8C socket,closesocket,htons,bind,listen,0_2_00000200393CEE8C

            Mitre Att&ck Matrix

            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire Infrastructure2
            Valid Accounts            		2
            Native API            		2
            Valid Accounts            		2
            Valid Accounts            		2
            Valid Accounts            		OS Credential Dumping1
            System Time Discovery            		Remote Services1
            Archive Collected Data            		22
            Encrypted Channel            		Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/Job1
            DLL Side-Loading            		21
            Access Token Manipulation            		1
            Disable or Modify Tools            		LSASS Memory141
            Security Software Discovery            		Remote Desktop ProtocolData from Removable Media1
            Ingress Tool Transfer            		Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            Process Injection            		21
            Access Token Manipulation            		Security Account Manager1
            Process Discovery            		SMB/Windows Admin SharesData from Network Shared Drive1
            Non-Application Layer Protocol            		Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
            Abuse Elevation Control Mechanism            		1
            Process Injection            		NTDS1
            Account Discovery            		Distributed Component Object ModelInput Capture12
            Application Layer Protocol            		Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
            DLL Side-Loading            		1
            Abuse Elevation Control Mechanism            		LSA Secrets1
            System Owner/User Discovery            		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
            Obfuscated Files or Information            		Cached Domain Credentials1
            File and Directory Discovery            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading            		DCSync4
            System Information Discovery            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


            windows-stand

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            SourceDetectionScannerLabelLink
            gJtW7azO4o.exe63%ReversingLabsWin64.Trojan.CobaltStrike
            gJtW7azO4o.exe100%AviraTR/Crypt.EPACK.Gen2
            gJtW7azO4o.exe100%Joe Sandbox ML

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            No Antivirus matches

            Domains and IPs

            Contacted Domains

            NameIPActiveMaliciousAntivirus DetectionReputation
            206.23.85.13.in-addr.arpa
            		unknown
            		unknowntrue
              		unknown

              Contacted URLs

              NameMaliciousAntivirus DetectionReputation
              20.25.126.96true
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                https://20.25.126.96/j.adGgJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmpfalse
                  		unknown
                  https://20.25.126.96/ecurity=ImpersonationgJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmpfalse
                    		unknown
                    https://20.25.126.96/gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391BC000.00000004.00000020.00020000.00000000.sdmpfalse
                      		unknown
                      https://20.25.126.96/.adcgJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmpfalse
                        		unknown
                        https://20.25.126.96/j.ad4gJtW7azO4o.exe, 00000000.00000003.2088536219.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100710857.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696800130.000002003924C000.00000004.00000020.00020000.00000000.sdmpfalse
                          		unknown
                          https://20.25.126.96/j.ad2;C:gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmpfalse
                            		unknown
                            https://20.25.126.96/j.adgJtW7azO4o.exe, 00000000.00000003.2088536219.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100710857.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696800130.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391BC000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://20.25.126.96/j.adSPbgJtW7azO4o.exe, 00000000.00000003.2088536219.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100710857.000002003924C000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000002.2696800130.000002003924C000.00000004.00000020.00020000.00000000.sdmpfalse
                                		unknown
                                https://20.25.126.96/j.adwgJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.1469738037.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2069707591.0000020039226000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://127.0.0.1:%u/gJtW7azO4o.exe, 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://20.25.126.96/.adsgJtW7azO4o.exe, 00000000.00000002.2696800130.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100627365.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2088536219.0000020039226000.00000004.00000020.00020000.00000000.sdmp, gJtW7azO4o.exe, 00000000.00000003.2100770472.0000020039226000.00000004.00000020.00020000.00000000.sdmpfalse
                                      		unknown
                                      https://20.25.126.96/j.adSystem3gJtW7azO4o.exe, 00000000.00000002.2696620369.00000200391F9000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown

                                        World Map of Contacted IPs

                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs

                                        Public IPs

                                        IPDomainCountryFlagASNASN NameMalicious
                                        20.25.126.96
                                        		unknownUnited States
                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue

                                        General Information

                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1542743
                                        Start date and time:2024-10-26 09:10:14 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 4m 34s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:7
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:gJtW7azO4o.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:8dbd0ea7fed26a8963c847daa3ede4574822c036342e3bc787160fadb065f20d.exe
                                        Detection:MAL
                                        Classification:mal100.troj.evad.winEXE@1/0@1/1
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 17
                                        • Number of non-executed functions: 158
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe

                                        Warnings

                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Not all processes where analyzed, report is missing behavior information
                                        • VT rate limit hit for: gJtW7azO4o.exe

                                        Simulations

                                        Behavior and APIs

                                        No simulations

                                        Joe Sandbox View / Context

                                        IPs

                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                        20.25.126.96Ljrfk7uRvO.exeGet hashmaliciousCobaltStrike, MetasploitBrowse

                                          Domains

                                          No context

                                          ASNs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          MICROSOFT-CORP-MSN-AS-BLOCKUSLjrfk7uRvO.exeGet hashmaliciousCobaltStrike, MetasploitBrowse
                                          • 20.25.126.96
                                          https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20Get hashmaliciousHTMLPhisher, Mamba2FABrowse
                                          • 13.107.246.60
                                          https://load.aberegg-immobilien.ch/Get hashmaliciousHTMLPhisherBrowse
                                          • 40.126.31.73
                                          la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                          • 22.252.12.135
                                          la.bot.m68k.elfGet hashmaliciousUnknownBrowse
                                          • 20.57.78.10
                                          la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                          • 21.238.75.88
                                          la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                          • 40.99.246.89
                                          la.bot.mipsel.elfGet hashmaliciousUnknownBrowse
                                          • 22.36.15.81
                                          la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                          • 22.23.166.67
                                          la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                          • 20.189.202.203

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          No created / dropped files found

                                          Static File Info

                                          General

                                          File type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                          Entropy (8bit):6.90266867965695
                                          TrID:
                                          • Win64 Executable (generic) (12005/4) 74.95%
                                          • Generic Win/DOS Executable (2004/3) 12.51%
                                          • DOS Executable Generic (2002/1) 12.50%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
                                          File name:gJtW7azO4o.exe
                                          File size:384'000 bytes
                                          MD5:f0d90fa9d8b8dfdb5861d9506ec6b41c
                                          SHA1:f81a4b95d1f9546b4ed231f5affab9304a894bf1
                                          SHA256:8dbd0ea7fed26a8963c847daa3ede4574822c036342e3bc787160fadb065f20d
                                          SHA512:d46393c010fde10439bdbb726b8dbd53cd32229f1481d2172b907c523c7df7c8c3fd204d7bd929bd7213e0db8048d940cae89a30a550729ffe91bb1c4040a0e1
                                          SSDEEP:6144:wdCAVUqc9FJbfQE6XQrA7U2PZcVEsJaU013k4vtJN2V4Gu3s1Z:33pboEHrA7U2xcVEKq21Z
                                          TLSH:B484BE6CC8B2D8FCC1B9427564E3F45B6B6E7454011D8C9029E892ED0BE3C56D3A4AEF
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............+.........".............@..........................................`... ............................

                                          File Icon

                                          Icon Hash:90cececece8e8eb0

                                          Static PE Info

                                          General

                                          Entrypoint:0x1400013d0
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x140000000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x6718BD13 [Wed Oct 23 09:08:35 2024 UTC]
                                          TLS Callbacks:0x40002ae0, 0x1, 0x40002ab0, 0x1
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:9f6362cf62b1180cc621ed9ff8c2e95a

                                          Entrypoint Preview

                                          Instruction
                                          dec eax
                                          sub esp, 28h
                                          dec eax
                                          mov eax, dword ptr [0005C015h]
                                          mov dword ptr [eax], 00000001h
                                          call 00007FF3308EF44Fh
                                          nop
                                          nop
                                          dec eax
                                          add esp, 28h
                                          ret
                                          nop dword ptr [eax]
                                          dec eax
                                          sub esp, 28h
                                          dec eax
                                          mov eax, dword ptr [0005BFF5h]
                                          mov dword ptr [eax], 00000000h
                                          call 00007FF3308EF42Fh
                                          nop
                                          nop
                                          dec eax
                                          add esp, 28h
                                          ret
                                          nop dword ptr [eax]
                                          dec eax
                                          sub esp, 28h
                                          call 00007FF3308F1DFCh
                                          dec eax
                                          cmp eax, 01h
                                          sbb eax, eax
                                          dec eax
                                          add esp, 28h
                                          ret
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          dec eax
                                          lea ecx, dword ptr [00000009h]
                                          jmp 00007FF3308EF689h
                                          nop dword ptr [eax+00h]
                                          ret
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          nop
                                          push ebx
                                          dec eax
                                          sub esp, 20h
                                          dec eax
                                          mov eax, dword ptr [00000020h]
                                          dec eax
                                          mov eax, dword ptr [eax]
                                          mov ebx, dword ptr [eax]
                                          call dword ptr [00061DBFh]
                                          dec eax
                                          mov ecx, eax
                                          mov edx, ebx
                                          call dword ptr [00061E2Ch]
                                          dec eax
                                          mov ecx, dword ptr [0005EBCDh]
                                          dec eax
                                          add esp, 20h
                                          pop ebx
                                          dec eax
                                          jmp dword ptr [00061DF9h]
                                          push ebx
                                          dec eax
                                          sub esp, 20h
                                          dec eax
                                          mov ebx, ecx
                                          call dword ptr [00061D9Bh]
                                          mov dword ptr [000000A5h], eax

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x630000x7c0.idata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x660000x3e8.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x5e0000x42c.pdata
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x670000x7c.reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x5d0400x28.rdata
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x632000x1c0.idata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x10000x2d280x2e00c6f78c1f6f8a2b004ebfc4624a0f2222False0.5230978260869565data6.1559002164004175IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                          .data0x40000x582d00x58400b1fa018a6842131ec06473062e6d6f11False0.5820672140580736data6.935747644393658IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .rdata0x5d0000x9500xa00e3eb31941209fef7a8197669af3e8c88False0.23359375data4.04449932695149IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .pdata0x5e0000x42c0x600cc7f39d5599ab9dece0ce5bdc4320633False0.3580729166666667data3.401984181084123IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .xdata0x5f0000x2f80x4008b696c25032bb12be4efebdb1153aaf9False0.30078125data3.1199595534588123IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .bss0x600000x21800x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .idata0x630000x7c00x80042c40f95eebdca66bee2332dfc34e88cFalse0.3583984375data4.206586897193121IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .CRT0x640000x600x20088597a0024ad171691784e44f2d44b20False0.068359375data0.28655982431271465IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .tls0x650000x100x200bf619eac0cdf3f68d496ea9344137e8bFalse0.02734375data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                          .rsrc0x660000x3e80x400896d2cb22ee8b69e7921e7b1163f627cFalse0.4482421875data3.3356298725544145IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc0x670000x7c0x200bbf8d3181ec4b8697567993b81ee4ba4False0.25390625data1.5178825269260272IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                          RT_VERSION0x660580x38cPGP symmetric key encrypted data - Plaintext or unencrypted dataEnglishUnited States0.46365638766519823

                                          Imports

                                          DLLImport
                                          KERNEL32.dllConvertThreadToFiber, CreateFiber, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, GetCurrentProcess, GetCurrentThreadId, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, SleepEx, SwitchToFiber, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject
                                          msvcrt.dll__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, abort, calloc, exit, fclose, fopen, fprintf, fread, free, fsetpos, fwrite, malloc, mbstowcs, memcmp, memcpy, rand, signal, strlen, strncmp, vfprintf, wcsncat, wcsncpy

                                          Possible Origin

                                          Language of compilation systemCountry where language is spokenMap
                                          EnglishUnited States

                                          Network Behavior

                                          Suricata IDS Alerts

                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                          2024-10-26T09:11:28.410431+02002028765ET JA3 Hash - [Abuse.ch] Possible Dridex3192.168.2.104970320.25.126.96443TCP
                                          2024-10-26T09:12:31.374720+02002028765ET JA3 Hash - [Abuse.ch] Possible Dridex3192.168.2.105540120.25.126.96443TCP

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Oct 26, 2024 09:11:27.337574959 CEST49703443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:27.337662935 CEST4434970320.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:27.337785006 CEST49703443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:27.348325014 CEST49703443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:27.348349094 CEST4434970320.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:28.410281897 CEST4434970320.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:28.410430908 CEST49703443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:28.412254095 CEST49703443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:28.412276983 CEST4434970320.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:28.423441887 CEST49704443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:28.423482895 CEST4434970420.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:28.423577070 CEST49704443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:28.427615881 CEST49704443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:28.427630901 CEST4434970420.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:29.488940954 CEST4434970420.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:29.489166021 CEST49704443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:29.489355087 CEST49704443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:29.489373922 CEST4434970420.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:29.490103006 CEST49705443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:29.490164995 CEST4434970520.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:29.490233898 CEST49705443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:29.490331888 CEST49705443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:11:29.490355015 CEST4434970520.25.126.96192.168.2.10
                                          Oct 26, 2024 09:11:29.490391970 CEST49705443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:29.497029066 CEST55401443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:29.497067928 CEST4435540120.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:29.497332096 CEST55401443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:29.497508049 CEST55401443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:29.497529030 CEST4435540120.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:31.374560118 CEST4435540120.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:31.374720097 CEST55401443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:31.374859095 CEST55401443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:31.374876976 CEST4435540120.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:31.390686035 CEST55402443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:31.390738010 CEST4435540220.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:31.390813112 CEST55402443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:31.391130924 CEST55402443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:31.391149044 CEST4435540220.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:32.583728075 CEST4435540220.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:32.583847046 CEST55402443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:32.584009886 CEST55402443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:32.584024906 CEST4435540220.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:32.598267078 CEST55403443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:32.598304987 CEST4435540320.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:32.598381996 CEST55403443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:32.598470926 CEST55403443192.168.2.1020.25.126.96
                                          Oct 26, 2024 09:12:32.598521948 CEST4435540320.25.126.96192.168.2.10
                                          Oct 26, 2024 09:12:32.598567009 CEST55403443192.168.2.1020.25.126.96

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Oct 26, 2024 09:12:00.770764112 CEST5354417162.159.36.2192.168.2.10
                                          Oct 26, 2024 09:12:01.387027979 CEST5640353192.168.2.101.1.1.1
                                          Oct 26, 2024 09:12:01.395385027 CEST53564031.1.1.1192.168.2.10

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                          Oct 26, 2024 09:12:01.387027979 CEST192.168.2.101.1.1.10xc25eStandard query (0)206.23.85.13.in-addr.arpaPTR (Pointer record)IN (0x0001)false

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                          Oct 26, 2024 09:12:01.395385027 CEST1.1.1.1192.168.2.100xc25eName error (3)206.23.85.13.in-addr.arpanonenonePTR (Pointer record)IN (0x0001)false

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Target ID:0
                                          Start time:03:11:26
                                          Start date:26/10/2024
                                          Path:C:\Users\user\Desktop\gJtW7azO4o.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\gJtW7azO4o.exe"
                                          Imagebase:0x7ff7b3ad0000
                                          File size:384'000 bytes
                                          MD5 hash:F0D90FA9D8B8DFDB5861D9506EC6B41C
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                                          • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                                          • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                          • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: yara@s3c.za.net
                                          • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: @VK_Intel
                                          • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth
                                          • Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                                          • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:false

                                          Disassembly

                                          Reset < >

                                            Execution Graph

                                            Execution Coverage:1.9%
                                            Dynamic/Decrypted Code Coverage:71.3%
                                            Signature Coverage:14.4%
                                            Total number of Nodes:334
                                            Total number of Limit Nodes:17
                                            execution_graph 37016 200393d9cec 37017 200393d9d01 37016->37017 37020 200393d9d1e malloc 37016->37020 37018 200393d9d0f 37017->37018 37017->37020 37023 200393d1d18 46 API calls _getptd_noexit 37018->37023 37021 200393d9d14 37020->37021 37024 200393d1db4 DecodePointer 37020->37024 37023->37021 37024->37020 37025 7ff7b3ad161f 37032 7ff7b3ad14d8 37025->37032 37028 7ff7b3ad1658 CreateFiber SwitchToFiber DeleteFiber 37030 7ff7b3ad14d8 7 API calls 37028->37030 37029 7ff7b3ad1649 ConvertThreadToFiber 37029->37028 37031 7ff7b3ad1696 37030->37031 37033 7ff7b3ad14f4 37032->37033 37034 7ff7b3ad1546 GetCurrentProcess 37032->37034 37033->37034 37042 7ff7b3ad23bc 37034->37042 37036 7ff7b3ad1593 37037 7ff7b3ad15f6 37036->37037 37038 7ff7b3ad159b GetCurrentProcess 37036->37038 37037->37028 37037->37029 37039 7ff7b3ad2854 memcmp memcmp memcmp rand 37038->37039 37040 7ff7b3ad15c5 GetCurrentProcess 37039->37040 37041 7ff7b3ad23bc memcmp memcmp memcmp rand 37040->37041 37041->37037 37047 7ff7b3ad22ba memcmp memcmp memcmp rand 37042->37047 37044 7ff7b3ad23df 37048 7ff7b3ad2226 memcmp memcmp memcmp 37044->37048 37046 7ff7b3ad23ee 37047->37044 37048->37046 37049 200391088d4 37050 20039108961 37049->37050 37055 20039109324 37050->37055 37052 20039108a01 37059 200391096b4 37052->37059 37054 20039108a8f 37058 2003910935e 37055->37058 37056 20039109455 VirtualAlloc 37057 20039109479 37056->37057 37057->37052 37058->37056 37058->37057 37062 20039109723 37059->37062 37060 2003910994f 37060->37054 37061 2003910976e LoadLibraryA 37061->37062 37062->37060 37062->37061 37063 7ff7b3ad13d0 37066 7ff7b3ad1180 37063->37066 37065 7ff7b3ad13e6 37067 7ff7b3ad11b0 37066->37067 37068 7ff7b3ad11b9 Sleep 37067->37068 37072 7ff7b3ad11cd 37067->37072 37068->37067 37069 7ff7b3ad12ee 37069->37065 37070 7ff7b3ad1200 37081 7ff7b3ad2e70 37070->37081 37071 7ff7b3ad134c _initterm 37071->37070 37072->37069 37072->37070 37072->37071 37074 7ff7b3ad1228 SetUnhandledExceptionFilter 37075 7ff7b3ad124b 37074->37075 37076 7ff7b3ad1250 malloc 37075->37076 37076->37069 37077 7ff7b3ad127a 37076->37077 37078 7ff7b3ad1280 strlen malloc memcpy 37077->37078 37078->37078 37079 7ff7b3ad12b2 37078->37079 37098 7ff7b3ad3cc0 37079->37098 37082 7ff7b3ad2ea8 37081->37082 37097 7ff7b3ad2e91 37081->37097 37083 7ff7b3ad3180 37082->37083 37085 7ff7b3ad31c0 37082->37085 37088 7ff7b3ad31ad 37082->37088 37094 7ff7b3ad2f8e 37082->37094 37095 7ff7b3ad3080 37082->37095 37082->37097 37086 7ff7b3ad3189 37083->37086 37083->37097 37106 7ff7b3ad2c90 8 API calls 37085->37106 37086->37088 37104 7ff7b3ad2d00 8 API calls 37086->37104 37105 7ff7b3ad2c90 8 API calls 37088->37105 37089 7ff7b3ad31cc 37089->37074 37090 7ff7b3ad2d00 8 API calls 37090->37094 37092 7ff7b3ad307a 37092->37095 37094->37082 37094->37090 37094->37092 37103 7ff7b3ad2c90 8 API calls 37094->37103 37096 7ff7b3ad30b2 VirtualProtect 37095->37096 37095->37097 37096->37095 37097->37074 37099 7ff7b3ad3ccb 37098->37099 37107 7ff7b3ad2900 malloc GetModuleFileNameA 37099->37107 37103->37094 37104->37086 37105->37085 37106->37089 37108 7ff7b3ad293b 37107->37108 37109 7ff7b3ad295b malloc 37108->37109 37110 7ff7b3ad2984 37109->37110 37113 7ff7b3ad16ca 37110->37113 37112 7ff7b3ad29b1 37125 7ff7b3ad1c4b 37113->37125 37119 7ff7b3ad170e 37120 7ff7b3ad173d GetCurrentProcess 37119->37120 37121 7ff7b3ad23bc memcmp memcmp memcmp rand 37120->37121 37122 7ff7b3ad1768 GetCurrentProcess 37121->37122 37123 7ff7b3ad2314 memcmp memcmp memcmp rand 37122->37123 37124 7ff7b3ad17b1 37123->37124 37124->37112 37136 7ff7b3ad27ac 37125->37136 37127 7ff7b3ad16f6 37128 7ff7b3ad1c97 GetCurrentProcess 37127->37128 37143 7ff7b3ad2800 37128->37143 37130 7ff7b3ad1701 37131 7ff7b3ad250c 37130->37131 37150 7ff7b3ad22ba memcmp memcmp memcmp rand 37131->37150 37133 7ff7b3ad252f 37151 7ff7b3ad2226 memcmp memcmp memcmp 37133->37151 37135 7ff7b3ad253e 37141 7ff7b3ad22ba memcmp memcmp memcmp rand 37136->37141 37138 7ff7b3ad27cf 37142 7ff7b3ad2226 memcmp memcmp memcmp 37138->37142 37140 7ff7b3ad27de 37141->37138 37142->37140 37148 7ff7b3ad22ba memcmp memcmp memcmp rand 37143->37148 37145 7ff7b3ad2823 37149 7ff7b3ad2226 memcmp memcmp memcmp 37145->37149 37147 7ff7b3ad2832 37148->37145 37149->37147 37150->37133 37151->37135 37152 200393d1b48 37153 200393d1b64 37152->37153 37155 200393d1b69 37152->37155 37166 200393d92d0 GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter clock 37153->37166 37156 200393d1bf4 37155->37156 37164 200393d1bbe 37155->37164 37167 200393d19e8 115 API calls 16 library calls 37155->37167 37156->37164 37168 200393c93e0 37156->37168 37158 200393d1c12 37159 200393d1c3b 37158->37159 37161 200393c93e0 _DllMainCRTStartup 242 API calls 37158->37161 37159->37164 37185 200393d19e8 115 API calls 16 library calls 37159->37185 37163 200393d1c2e 37161->37163 37184 200393d19e8 115 API calls 16 library calls 37163->37184 37166->37155 37167->37156 37169 200393c94bb 37168->37169 37172 200393c9402 _DllMainCRTStartup 37168->37172 37255 200393cb47c 37169->37255 37171 200393c9407 _DllMainCRTStartup 37171->37158 37172->37171 37173 200393c9465 _DllMainCRTStartup 37172->37173 37276 200393cd4d8 GetCurrentProcess GetCurrentProcess _RTC_GetSrcLine _DllMainCRTStartup 37172->37276 37186 200393bca74 37173->37186 37176 200393c9448 37176->37173 37177 200393c949f 37176->37177 37178 200393c9457 37176->37178 37177->37173 37179 200393c94a9 37177->37179 37178->37173 37277 200393cd2ec GetCurrentProcess VirtualFree _DllMainCRTStartup 37178->37277 37279 200393cd134 GetCurrentProcess GetCurrentProcess UnmapViewOfFile _DllMainCRTStartup 37179->37279 37182 200393c9487 37182->37173 37278 200393cd2ec GetCurrentProcess VirtualFree _DllMainCRTStartup 37182->37278 37184->37159 37185->37164 37280 200393c5fec 37186->37280 37188 200393bca92 _DllMainCRTStartup 37287 200393cf284 37188->37287 37190 200393bcb40 _DllMainCRTStartup 37303 200393cc230 37190->37303 37196 200393bcbb5 37197 200393ceaa8 _DllMainCRTStartup 49 API calls 37196->37197 37198 200393bcbcf 37197->37198 37326 200393bf3c0 37198->37326 37201 200393bcbd8 37386 200393cda74 61 API calls _DllMainCRTStartup 37201->37386 37203 200393bcbdd _DllMainCRTStartup 37204 200393bcbf9 37203->37204 37205 200393bcbf4 37203->37205 37331 200393bf1f8 37204->37331 37387 200393cda74 61 API calls _DllMainCRTStartup 37205->37387 37209 200393bcc0e 37337 200393bf274 37209->37337 37210 200393bcc09 37388 200393cda74 61 API calls _DllMainCRTStartup 37210->37388 37214 200393bcc17 37389 200393cda74 61 API calls _DllMainCRTStartup 37214->37389 37216 200393bcc1c _DllMainCRTStartup 37217 200393cf284 malloc 46 API calls 37216->37217 37218 200393bcc4f 37217->37218 37219 200393bcc5c _DllMainCRTStartup 37218->37219 37220 200393bcc57 37218->37220 37222 200393ceaa8 _DllMainCRTStartup 49 API calls 37219->37222 37390 200393cda74 61 API calls _DllMainCRTStartup 37220->37390 37223 200393bcc78 _DllMainCRTStartup 37222->37223 37349 200393c5c60 GetACP GetOEMCP 37223->37349 37256 200393c5fec _DllMainCRTStartup 46 API calls 37255->37256 37257 200393cb4a0 _snprintf _DllMainCRTStartup 37256->37257 37258 200393cf284 malloc 46 API calls 37257->37258 37259 200393cb52d _snprintf 37258->37259 37260 200393ceaa8 _DllMainCRTStartup 49 API calls 37259->37260 37261 200393cb55e _DllMainCRTStartup 37260->37261 37265 200393cb575 _DllMainCRTStartup 37261->37265 37512 200393bf014 37261->37512 37263 200393cb5ff _DllMainCRTStartup 37266 200393cb634 _DllMainCRTStartup 37263->37266 37267 200393cb611 GetComputerNameA 37263->37267 37264 200393cb5d7 GetComputerNameExA 37264->37263 37265->37263 37265->37264 37269 200393cb646 GetUserNameA 37266->37269 37273 200393cb676 GetPdbDllFromInstallPath _DllMainCRTStartup 37266->37273 37517 200393cbaa8 _DllMainCRTStartup 37267->37517 37269->37273 37270 200393cb802 37518 200393c60e0 46 API calls 2 library calls 37270->37518 37273->37270 37274 200393cf284 malloc 46 API calls 37273->37274 37275 200393ceaa8 _DllMainCRTStartup 49 API calls 37273->37275 37274->37273 37275->37273 37276->37176 37277->37182 37278->37173 37279->37173 37281 200393cf284 malloc 46 API calls 37280->37281 37282 200393c600d 37281->37282 37283 200393cf284 malloc 46 API calls 37282->37283 37286 200393c6015 _snprintf _DllMainCRTStartup 37282->37286 37284 200393c6021 37283->37284 37284->37286 37391 200393cf244 37284->37391 37286->37188 37288 200393cf318 37287->37288 37301 200393cf29c malloc 37287->37301 37404 200393d1db4 DecodePointer 37288->37404 37290 200393cf31d 37405 200393d1d18 46 API calls _getptd_noexit 37290->37405 37291 200393cf2b4 37291->37301 37398 200393d1df0 46 API calls 2 library calls 37291->37398 37399 200393d1e64 46 API calls 6 library calls 37291->37399 37400 200393cff54 GetModuleHandleExW GetProcAddress ExitProcess __crtCorExitProcess 37291->37400 37294 200393cf30d 37294->37190 37296 200393cf2fd 37402 200393d1d18 46 API calls _getptd_noexit 37296->37402 37300 200393cf302 37403 200393d1d18 46 API calls _getptd_noexit 37300->37403 37301->37291 37301->37294 37301->37296 37301->37300 37401 200393d1db4 DecodePointer 37301->37401 37304 200393cc259 _time64 37303->37304 37406 200393d044c 37304->37406 37307 200393cf284 malloc 46 API calls 37309 200393cc2a1 _snprintf GetPdbDllFromInstallPath 37307->37309 37310 200393cc30a 37309->37310 37409 200393d181c 37309->37409 37311 200393d181c strtok 50 API calls 37310->37311 37312 200393bcb87 37311->37312 37313 200393c34a0 37312->37313 37314 200393c34b3 _time64 37313->37314 37315 200393d044c _DllMainCRTStartup 46 API calls 37314->37315 37316 200393c34bb _DllMainCRTStartup 37315->37316 37454 200393c2f5c 37316->37454 37319 200393ceaa8 37320 200393ceae7 37319->37320 37325 200393ceafd _snprintf 37319->37325 37321 200393ceaff 37320->37321 37322 200393ceaf3 37320->37322 37459 200393d1914 49 API calls 4 library calls 37321->37459 37323 200393cf284 malloc 46 API calls 37322->37323 37323->37325 37325->37196 37327 200393bf3d4 _DllMainCRTStartup 37326->37327 37328 200393bf3da GetLocalTime 37327->37328 37329 200393bcbd4 37327->37329 37330 200393bf408 _DllMainCRTStartup 37328->37330 37329->37201 37329->37203 37330->37329 37332 200393bf20e _DllMainCRTStartup 37331->37332 37333 200393bcc05 37332->37333 37460 200393ca8dc 70 API calls _DllMainCRTStartup 37332->37460 37333->37209 37333->37210 37335 200393bf248 37461 200393ca914 68 API calls 3 library calls 37335->37461 37339 200393bf299 _DllMainCRTStartup 37337->37339 37338 200393bcc13 37338->37214 37338->37216 37339->37338 37340 200393bf2eb htonl htonl 37339->37340 37340->37338 37341 200393bf30b 37340->37341 37342 200393cf284 malloc 46 API calls 37341->37342 37343 200393bf315 GetPdbDllFromInstallPath _DllMainCRTStartup 37342->37343 37344 200393bf36b _snprintf 37343->37344 37462 200393ca8dc 70 API calls _DllMainCRTStartup 37343->37462 37348 200393cf244 free 46 API calls 37344->37348 37346 200393bf34c 37463 200393ca914 68 API calls 3 library calls 37346->37463 37348->37338 37464 200393b1218 37349->37464 37351 200393c5c9f 37467 200393cb0b4 46 API calls _DllMainCRTStartup 37351->37467 37353 200393c5ca8 GetCurrentProcessId GetTickCount 37354 200393d044c _DllMainCRTStartup 46 API calls 37353->37354 37355 200393c5cbf 37354->37355 37468 200393bcfa4 CryptAcquireContextA CryptAcquireContextA _DllMainCRTStartup 37355->37468 37357 200393c5cc4 _DllMainCRTStartup 37358 200393c5cec GetCurrentProcess 37357->37358 37359 200393c5cfe 37357->37359 37505 200393c0c64 GetModuleHandleA GetProcAddress 37358->37505 37469 200393cdec8 CheckTokenMembership FreeSid _DllMainCRTStartup 37359->37469 37362 200393c5cfa 37362->37359 37363 200393c5d06 37470 200393be2a8 htonl htonl 37363->37470 37365 200393c5d1c 37471 200393be200 htonl GetPdbDllFromInstallPath 37365->37471 37367 200393c5d2f 37472 200393be200 htonl GetPdbDllFromInstallPath 37367->37472 37369 200393c5d3f 37473 200393be200 htonl GetPdbDllFromInstallPath 37369->37473 37371 200393c5d4f 37474 200393be248 htonl htonl _DllMainCRTStartup 37371->37474 37373 200393c5d5e GetCurrentProcessId 37475 200393be248 htonl htonl _DllMainCRTStartup 37373->37475 37375 200393c5d6f 37476 200393be278 htonl _DllMainCRTStartup 37375->37476 37377 200393c5d7a 37477 200393be1e0 htonl _DllMainCRTStartup 37377->37477 37379 200393c5d85 37478 200393c5e28 37379->37478 37392 200393cf249 HeapFree 37391->37392 37393 200393cf279 free 37391->37393 37392->37393 37394 200393cf264 37392->37394 37393->37286 37397 200393d1d18 46 API calls _getptd_noexit 37394->37397 37396 200393cf269 GetLastError 37396->37393 37397->37396 37398->37291 37399->37291 37401->37301 37402->37300 37403->37294 37404->37290 37405->37294 37418 200393d5844 37406->37418 37410 200393d5844 _getptd 46 API calls 37409->37410 37411 200393d1840 37410->37411 37412 200393d190e 37411->37412 37415 200393d1861 37411->37415 37451 200393d8c50 6 API calls __report_securityfailure 37412->37451 37414 200393d1913 37442 200393d7e20 37415->37442 37423 200393d5868 GetLastError 37418->37423 37420 200393d584f 37421 200393cc261 37420->37421 37438 200393d00b4 46 API calls 3 library calls 37420->37438 37421->37307 37439 200393d40a8 37423->37439 37425 200393d5885 37426 200393d588d 37425->37426 37427 200393d58d4 SetLastError 37425->37427 37428 200393d4728 _calloc_crt 43 API calls 37426->37428 37427->37420 37429 200393d589a 37428->37429 37429->37427 37430 200393d40c4 _mtinit TlsSetValue 37429->37430 37431 200393d58b0 37430->37431 37432 200393d58cd 37431->37432 37433 200393d58b7 37431->37433 37434 200393cf244 free 43 API calls 37432->37434 37435 200393d58ec _initptd 43 API calls 37433->37435 37436 200393d58d2 37434->37436 37437 200393d58be GetCurrentThreadId 37435->37437 37436->37427 37437->37427 37440 200393d40b8 37439->37440 37441 200393d40bb TlsGetValue 37439->37441 37440->37441 37443 200393d7e29 37442->37443 37444 200393d1903 37443->37444 37445 200393d8b7c IsProcessorFeaturePresent 37443->37445 37444->37309 37446 200393d8b93 37445->37446 37452 200393d3ffc RtlCaptureContext RtlLookupFunctionEntry RtlVirtualUnwind 37446->37452 37448 200393d8ba6 37453 200393d8b30 UnhandledExceptionFilter IsDebuggerPresent __raise_securityfailure __crtUnhandledException 37448->37453 37451->37414 37452->37448 37455 200393bcb94 37454->37455 37457 200393c2f87 _DllMainCRTStartup 37454->37457 37455->37319 37456 200393cf284 malloc 46 API calls 37456->37457 37457->37455 37457->37456 37458 200393ceaa8 _DllMainCRTStartup 49 API calls 37457->37458 37458->37457 37459->37325 37460->37335 37461->37333 37462->37346 37463->37344 37508 200393b1184 CryptAcquireContextA 37464->37508 37466 200393b1234 _DllMainCRTStartup 37466->37351 37467->37353 37468->37357 37469->37363 37470->37365 37471->37367 37472->37369 37473->37371 37474->37373 37475->37375 37476->37377 37477->37379 37479 200393c5fec _DllMainCRTStartup 46 API calls 37478->37479 37480 200393c5e51 _DllMainCRTStartup 37479->37480 37481 200393c5e9f GetUserNameA GetComputerNameA 37480->37481 37511 200393bf008 37481->37511 37505->37362 37509 200393b11c2 CryptAcquireContextA 37508->37509 37510 200393b11e6 _DllMainCRTStartup 37508->37510 37509->37510 37510->37466 37519 200393bf118 37512->37519 37514 200393bf02f WSASocketA 37515 200393bf058 WSAIoctl 37514->37515 37516 200393bf051 _DllMainCRTStartup 37514->37516 37515->37516 37516->37265 37517->37266 37520 200393bf12c WSAStartup 37519->37520 37521 200393bf144 _DllMainCRTStartup 37519->37521 37520->37521 37522 200393bf1d2 WSACleanup 37520->37522 37521->37514 37523 200393bf1e2 _DllMainCRTStartup 37522->37523

                                            Executed Functions

                                            Function 00000200393BE68C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 165networkfileCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
                                            • String ID: %s%s$*/*
                                            • API String ID: 3536628738-856325523
                                            • Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                                            • Instruction ID: 174994a304ba67c149084dda83b7c8cc15e9f28e5d12752cb8fc0ecbe080b300
                                            • Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                                            • Instruction Fuzzy Hash: 9471E4B2F04B8486FB26DF65E48879EB3A1F784B94F400151EE4957B9ADF78CA05CB40
                                            Function 00000200393C5E28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116stringCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
                                            • String ID: %s%s%s
                                            • API String ID: 1671524875-1891519693
                                            • Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                                            • Instruction ID: eee02dd8cef6937b8e32f29e4dfb2d5ce75995cc9e962e4e835d245733b41743
                                            • Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                                            • Instruction Fuzzy Hash: C541D4A1F0874146FA1AFB22A89C7AF6791BB85FD4F444160EE561B797CF3CC6028B00
                                            Function 00007FF7B3AD1180 Relevance: 10.6, APIs: 7, Instructions: 138sleepstringCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
                                            • String ID:
                                            • API String ID: 3806033187-0
                                            • Opcode ID: f101c46afb30c7957e4eff7f0e05608a286d701db5dbf3b1a0632ae887ab647f
                                            • Instruction ID: b11f68956eb610807e1e96c0079cac0618e2aa87ac029ad05564222ea88c7d2a
                                            • Opcode Fuzzy Hash: f101c46afb30c7957e4eff7f0e05608a286d701db5dbf3b1a0632ae887ab647f
                                            • Instruction Fuzzy Hash: D1516C35A0964681FBD0BB1DE850A7AE761AFA6780FA44134EB5D6779DCE3CF4C48320
                                            Function 00000200393B1184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39encryptionCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Crypt$Context$Acquire$RandomRelease
                                            • String ID: ($Microsoft Base Cryptographic Provider v1.0
                                            • API String ID: 685801729-4046902070
                                            • Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                                            • Instruction ID: 2cb12ae0b4b275b5d6beebe09f84ac521a336e6e1cee06bd013385ee2ee619f8
                                            • Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                                            • Instruction Fuzzy Hash: CB016DB2B0474082F711CBA5E8CC35AA7A2F7D8B84F448465DA49833A6CF78CB49C740
                                            Function 00007FF7B3AD14D8 Relevance: 4.6, APIs: 3, Instructions: 82COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID:
                                            • API String ID: 2050909247-0
                                            • Opcode ID: cca5a1ca99f8f84fe824436626c2083d10e503a6589d2d4ad15d8275bd06f2d4
                                            • Instruction ID: be554e1e38d5abc071321ffe7a840f6fc2239839fbea56f477e63c3e52598dc6
                                            • Opcode Fuzzy Hash: cca5a1ca99f8f84fe824436626c2083d10e503a6589d2d4ad15d8275bd06f2d4
                                            • Instruction Fuzzy Hash: FA314B32A09B5595DB509B19B90096BF7A0FB9AB94F944138EFCD63B18DF7CD481CB00
                                            Function 00007FF7B3AD1C97 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 411 7ff7b3ad1c97-7ff7b3ad1d0a GetCurrentProcess call 7ff7b3ad2800 414 7ff7b3ad1d11-7ff7b3ad1d15 411->414 415 7ff7b3ad1d0c 411->415 415->414
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID: @
                                            • API String ID: 2050909247-2766056989
                                            • Opcode ID: 10b0b8c1d52fa35fa606de6c8dc4ab17d8839643b3196dfd5ca5394de3015a64
                                            • Instruction ID: d68306f284d0eda36804de999f384297c5eaa87748360db4cec75728d761c7ff
                                            • Opcode Fuzzy Hash: 10b0b8c1d52fa35fa606de6c8dc4ab17d8839643b3196dfd5ca5394de3015a64
                                            • Instruction Fuzzy Hash: 6FF0F672A18B9186D7909B54F44068BBBA5F789794FA04129EBCC83B2CEF3DD094CB40
                                            Function 00007FF7B3AD16CA Relevance: 3.1, APIs: 2, Instructions: 68COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00007FF7B3AD1C97: GetCurrentProcess.KERNEL32 ref: 00007FF7B3AD1CB4
                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000800,00007FF7B3AD4000), ref: 00007FF7B3AD1744
                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000800,00007FF7B3AD4000), ref: 00007FF7B3AD176D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: CurrentProcess
                                            • String ID:
                                            • API String ID: 2050909247-0
                                            • Opcode ID: b9ddc85af339ca7b4a72427eec99d6b2652adb9ca33a515feb6f9a9ef3457fea
                                            • Instruction ID: 506a85ea6f193f76719606f6b3b9f7547f78b83ae305ee0a44e10a68aa4e23b7
                                            • Opcode Fuzzy Hash: b9ddc85af339ca7b4a72427eec99d6b2652adb9ca33a515feb6f9a9ef3457fea
                                            • Instruction Fuzzy Hash: 7321B63260DB4145D690AB69B4416AAABD4EB9A780F644135FB8D53B6DEE3CD081CB10
                                            Function 00007FF7B3AD1C4B Relevance: 1.3, Strings: 1, Instructions: 19COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: @
                                            • API String ID: 0-2766056989
                                            • Opcode ID: 18499add16e78753605d273a7ff3c60a1e52f63b3d8e7b04dec0ca4303b45796
                                            • Instruction ID: 1757347b85a878565dfc5c2e3da86c489bce453879b815d9c75de3f050170c96
                                            • Opcode Fuzzy Hash: 18499add16e78753605d273a7ff3c60a1e52f63b3d8e7b04dec0ca4303b45796
                                            • Instruction Fuzzy Hash: E6E03962A28A8083D350EF18E41065BBAB2F7C2304FB08025E78C43A18EA3EC5448F00
                                            Function 00000200393BEA48 Relevance: 9.1, APIs: 6, Instructions: 109networkCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Internet$Option$ConnectOpenRevertSelf
                                            • String ID:
                                            • API String ID: 1513466045-0
                                            • Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                                            • Instruction ID: 9bb876509c5edb5adc844fe76ea177d89a2867882840eb90fb2e8e4106792f80
                                            • Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                                            • Instruction Fuzzy Hash: 4141CEB6E08B4182FB2ADB15E4DD7AA63A1F794B84F004095DE4A17B97CF7CCA05CB40
                                            Function 00000200393BCA74 Relevance: 7.8, APIs: 6, Instructions: 296COMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 189 200393bca74-200393bcbd6 call 200393c5fec call 200393c61e8 * 3 call 200393cb454 call 200393cb464 * 2 call 200393cb434 * 2 call 200393cb454 * 2 call 200393cf284 call 200393cb434 * 3 call 200393cb464 call 200393cc230 call 200393c34a0 call 200393ceaa8 * 2 call 200393bf3c0 232 200393bcbdd-200393bcbf2 call 200393cb434 call 200393bf1e4 189->232 233 200393bcbd8 call 200393cda74 189->233 239 200393bcbf9-200393bcc07 call 200393bf1f8 232->239 240 200393bcbf4 call 200393cda74 232->240 233->232 244 200393bcc0e-200393bcc15 call 200393bf274 239->244 245 200393bcc09 call 200393cda74 239->245 240->239 249 200393bcc1c-200393bcc55 call 200393cb464 call 200393cb434 call 200393cf284 244->249 250 200393bcc17 call 200393cda74 244->250 245->244 258 200393bcc5c-200393bcc90 call 200393cb434 call 200393ceaa8 call 200393cb434 call 200393c5c60 249->258 259 200393bcc57 call 200393cda74 249->259 250->249 269 200393bcebb-200393bcee7 call 200393cc218 call 200393cf244 call 200393cda74 258->269 270 200393bcc96-200393bcc9d 258->270 259->258 271 200393bcca2-200393bcd24 call 200393cbfc0 call 200393cf63c call 200393cbfc0 call 200393cf63c * 2 call 200393c2ee0 270->271 290 200393bcd44-200393bcd77 call 200393bea48 call 200393cb434 call 200393be9f4 271->290 291 200393bcd26-200393bcd2a 271->291 302 200393bcd9c-200393bcd9f 290->302 303 200393bcd79-200393bcd87 call 200393cad44 290->303 293 200393bcd2e-200393bcd35 291->293 293->293 295 200393bcd37-200393bcd3a 293->295 295->290 296 200393bcd3c-200393bcd3f call 200393c31f4 295->296 296->290 304 200393bcda5-200393bcdc8 call 200393c6b98 call 200393cb434 302->304 305 200393bce26 302->305 312 200393bcd89-200393bcd93 call 200393c8e0c 303->312 313 200393bcd95-200393bcd98 303->313 320 200393bcdcf-200393bcdf0 call 200393c18c4 call 200393c5144 call 200393c4a04 call 200393bf3c0 304->320 321 200393bcdca 304->321 308 200393bce2c-200393bce38 call 200393be9c8 call 200393bf3c0 305->308 323 200393bce3f-200393bce5d call 200393cbf04 308->323 324 200393bce3a call 200393cda74 308->324 312->302 313->302 348 200393bcdfa-200393bce01 320->348 349 200393bcdf2-200393bcdf5 call 200393bf484 320->349 321->320 331 200393bce5f call 200393cda74 323->331 332 200393bce64-200393bce6c 323->332 324->323 331->332 332->269 335 200393bce6e-200393bce76 332->335 337 200393bce78-200393bce89 335->337 338 200393bcea4 call 200393c211c 335->338 341 200393bce9c 337->341 342 200393bce8b-200393bce9a call 200393bf3a0 337->342 344 200393bcea9-200393bceb5 338->344 346 200393bce9e-200393bcea0 341->346 342->346 344->269 344->271 346->338 351 200393bcea2 346->351 348->308 353 200393bce03-200393bce24 call 200393be9c8 call 200393bea48 call 200393bec04 348->353 349->348 351->338 353->308
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
                                            • String ID:
                                            • API String ID: 548016584-0
                                            • Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                                            • Instruction ID: 7a76be50edcf7f326e421c5d5e995d9815ad99ab8770d29c01a2d9420212951b
                                            • Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                                            • Instruction Fuzzy Hash: D6C1E4E5F04B8146FA2AFB7594DD7EE6291AB84780F4040A8AD56673D7DF38CB05CB00
                                            Function 00007FF7B3AD161F Relevance: 6.0, APIs: 4, Instructions: 32threadCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: Fiber$CurrentProcess$ConvertCreateDeleteSwitchThread
                                            • String ID:
                                            • API String ID: 1957389288-0
                                            • Opcode ID: 6a037e21e67eaa63333cd04506eca0327f3f3caf750fbc0155445db6ff382fb3
                                            • Instruction ID: 71361d2f517df395da2e8e047e475f1702d61fd9c6869ca7c8c2c8a59e4df076
                                            • Opcode Fuzzy Hash: 6a037e21e67eaa63333cd04506eca0327f3f3caf750fbc0155445db6ff382fb3
                                            • Instruction Fuzzy Hash: 73014F66E0C62242EBD06B29B80426AE610AF26B85F944535DE4E27A5CDE3CA1C58720
                                            Function 00000200393BF014 Relevance: 4.6, APIs: 3, Instructions: 66networkCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 378 200393bf014-200393bf04f call 200393bf118 WSASocketA 381 200393bf058-200393bf097 WSAIoctl 378->381 382 200393bf051-200393bf053 378->382 384 200393bf099-200393bf0b0 381->384 385 200393bf0b4-200393bf0be 381->385 383 200393bf0f6-200393bf10a 382->383 384->385 386 200393bf0eb-200393bf0ee call 200393e25e8 385->386 387 200393bf0c0 385->387 390 200393bf0f4 386->390 389 200393bf0c5-200393bf0cf 387->389 391 200393bf0d6-200393bf0e2 389->391 392 200393bf0d1-200393bf0d4 389->392 390->383 391->386 394 200393bf0e4 391->394 392->391 393 200393bf0e6 392->393 393->386 394->389
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: IoctlSocketStartupclosesocket
                                            • String ID:
                                            • API String ID: 365704328-0
                                            • Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                                            • Instruction ID: b9a7d1fe2ec979b805d5d69a48b2472f706f2ea637a2f272431dc432a665ae52
                                            • Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
                                            • Instruction Fuzzy Hash: BE21E5B2B0878482F7219F54F58475AB794F3887E4F505665DE9D03B96CB38C6058B00
                                            Function 00007FF7B3AD2900 Relevance: 4.6, APIs: 3, Instructions: 58COMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: malloc$FileModuleName
                                            • String ID:
                                            • API String ID: 3634825322-0
                                            • Opcode ID: dc5dda09de865df51fca8e04114dd6f26778cc455da49e1b2ad297201e6a36ee
                                            • Instruction ID: d77794baaacf351119c61d07bf548cf0194b8bd466b18605016385259ae80969
                                            • Opcode Fuzzy Hash: dc5dda09de865df51fca8e04114dd6f26778cc455da49e1b2ad297201e6a36ee
                                            • Instruction Fuzzy Hash: 4A11E911B0968254EB90BB1A54509FD9750AB9BBD4FE44034FF8E2B78EDD2CD5858350
                                            Function 00000200393BF118 Relevance: 3.0, APIs: 2, Instructions: 42networkCOMMONLIBRARYCODE
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CleanupStartup
                                            • String ID:
                                            • API String ID: 915672949-0
                                            • Opcode ID: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                                            • Instruction ID: a04ba04f004202b4d477956bdfc3d2f56d385b423cca3daea8bee3a4f8ebf46a
                                            • Opcode Fuzzy Hash: d22241c7f1bd4084ee50ee5593018a46650914ab47a10bd4edb93220355cbedb
                                            • Instruction Fuzzy Hash: 82111EF4E45B4586FB1BFBA0E8DD3A622A5A740304F4004AA9E550F3D7DE7D4B49CB10
                                            Function 00007FF7B3AD3CC0 Relevance: 3.0, APIs: 2, Instructions: 13synchronizationCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 00007FF7B3AD2900: malloc.MSVCRT ref: 00007FF7B3AD2912
                                              • Part of subcall function 00007FF7B3AD2900: GetModuleFileNameA.KERNEL32 ref: 00007FF7B3AD2926
                                              • Part of subcall function 00007FF7B3AD2900: malloc.MSVCRT ref: 00007FF7B3AD2967
                                            • GetCurrentProcess.KERNEL32(?,?,-00000008,00000001,00007FF7B3AD12EE,?,?,?,00007FF7B3AD13E6), ref: 00007FF7B3AD3CE0
                                            • WaitForSingleObject.KERNEL32(?,?,-00000008,00000001,00007FF7B3AD12EE,?,?,?,00007FF7B3AD13E6), ref: 00007FF7B3AD3CEA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: malloc$CurrentFileModuleNameObjectProcessSingleWait
                                            • String ID:
                                            • API String ID: 343681413-0
                                            • Opcode ID: 8295383bd2c69be7a8f54b704a9ed9e1b5ff756f56c927397a777c3f1495be5d
                                            • Instruction ID: 2bb4cfc7aa79dd2580c1bc9da9b23650b33fd9506e17a6e03ed16f78a32e5d1e
                                            • Opcode Fuzzy Hash: 8295383bd2c69be7a8f54b704a9ed9e1b5ff756f56c927397a777c3f1495be5d
                                            • Instruction Fuzzy Hash: 68D0C714E1D12A50E6D4737A6C554BB86545F66790FA44436EE4E3379D8C1CE4C18360
                                            Function 00000200391096B4 Relevance: 1.6, APIs: 1, Instructions: 149libraryCOMMON
                                            Download Yara Rule

                                            Control-flow Graph

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LibraryLoad
                                            • String ID:
                                            • API String ID: 1029625771-0
                                            • Opcode ID: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                                            • Instruction ID: 937f4ef9b2d8d9aa8ee2113a813bf21b6bf5301711461a6e0e7697df3592ac42
                                            • Opcode Fuzzy Hash: 74d038c8b1c51bf1d7765a817c366e135375bbd51fab872694d5e2c19deb3bea
                                            • Instruction Fuzzy Hash: 1171A836619B8486DAA0CB0AE49035EB7A0F7C8B94F508125EFCE83B69DF3DD555CB00
                                            Function 0000020039109324 Relevance: 1.3, APIs: 1, Instructions: 87memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                                            • Instruction ID: 741b482ae105d6539136dc6026875c4790efb94a89a1058848af040d5e1cf3c0
                                            • Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                                            • Instruction Fuzzy Hash: 8C41CB72618B8487DB51CB1AE49471EB7A1F3C8B94F101125FADE97BA8DB3CD8518F00

                                            Non-executed Functions

                                            Function 00000200393D6514 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_invalid_parameter_noinfo
                                            • String ID: U
                                            • API String ID: 3902385426-4171548499
                                            • Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                                            • Instruction ID: d0771f3794b4beb9feeedbfcb08038bd995d772472ff3205d8e17788fda47207
                                            • Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                                            • Instruction Fuzzy Hash: D81212B2A04B4186FB22BF29D4EC35E77A1F784748F100156EE9A4369ADB3DCA45CB10
                                            Function 00000200393C867C Relevance: 46.6, APIs: 22, Strings: 4, Instructions: 1078processCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
                                            • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                                            • API String ID: 718051232-1833344708
                                            • Opcode ID: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                                            • Instruction ID: b88f5e659c4711f5c1775d73a192f20a6aa7a9a23d674bf75e05fe4597316882
                                            • Opcode Fuzzy Hash: 44ee8957408f2f3c2d0d1c1155748847862033341b6ca19cb8ca6a6e19bffbea
                                            • Instruction Fuzzy Hash: FC8293A2F05F4182FA7ADB2694DC3B912D1E789784F9441A5DD0A637D7EE38CB428F01
                                            Function 00000200393D2F9C Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                            • String ID: $@
                                            • API String ID: 3318157856-1077428164
                                            • Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                                            • Instruction ID: 3c0f8b9a6af7c804b44ec0d69a5eaf0c2c4fabde797156f1ed60c87648482587
                                            • Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                                            • Instruction Fuzzy Hash: 7052E3E2E08B8486FB678B15D5EC3BE6BA1B741798F141185DE46076DADB38CF44CB02
                                            Function 00000200393D2528 Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 687COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                            • String ID:
                                            • API String ID: 3318157856-3916222277
                                            • Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                                            • Instruction ID: 6580f51f098252499a7e30113385961bfba9098d0883f586f090c06cc3773547
                                            • Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                                            • Instruction Fuzzy Hash: 9E52E0E2E0C78486FB678B1595EC3AE6BA1F745794F241085DE4A07ADBDB78CB40CB00
                                            Function 000002003911239C Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 694COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                                            • String ID: $@
                                            • API String ID: 3318157856-1077428164
                                            • Opcode ID: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                                            • Instruction ID: 7fbf6fbfc15732b186e36ab75c4caf81f5a16069532b0afd4ad7d75d06776319
                                            • Opcode Fuzzy Hash: 0917c7b026fa98026fd61c82a9db6b94b013ed73c29c4ccbf17a38093d3ada48
                                            • Instruction Fuzzy Hash: 6352F562E08796A6FB6B8B15D5CC36EEBE0B745784F140886DF4627AD7DB38C840CB05
                                            Function 0000020039111928 Relevance: 28.6, APIs: 14, Strings: 2, Instructions: 645COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
                                            • String ID: -$0
                                            • API String ID: 3246410048-417717675
                                            • Opcode ID: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                                            • Instruction ID: 3aea1bbc17ad1bd6e6f6c9a8054d3369aa2c65dee13ccf835fae2629b47c590c
                                            • Opcode Fuzzy Hash: 9d83564e1f44511746efc6243833ea10ca1e0c0cc6e5e094e442fc0115aecad6
                                            • Instruction Fuzzy Hash: 5642F562E08796A6FFAB8B15D5CC36EABA0B745784F140585DF46276D6DB39C840CB00
                                            Function 0000020039115914 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_invalid_parameter_noinfo
                                            • String ID: U
                                            • API String ID: 3902385426-4171548499
                                            • Opcode ID: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                                            • Instruction ID: fcca6a1acc55b191bd8d7dab464e7852b12685ed8cf5093e9d2307c2591d482a
                                            • Opcode Fuzzy Hash: 1e306023ed328bab19b7a5d60cdebdd92491a2c212ad1309fcb9b443deab4914
                                            • Instruction Fuzzy Hash: 7A120132A14B8396FB228F28D4C83AEB7B1F784794F504156EF896379ADB39C545CB10
                                            Function 00000200393C7B38 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 545COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$_errno_invalid_parameter_noinfo
                                            • String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
                                            • API String ID: 3442832105-1222817042
                                            • Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                                            • Instruction ID: 6d120205ee27d3bd342af1b8b3857dee1bfdbee077800c971c107204f3e7fb52
                                            • Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                                            • Instruction Fuzzy Hash: EC42C9E2A14F8592FB168B2DD0853E8A3A0FF54759F045141DF8927B66EF38D3A6C740
                                            Function 00000200393C1C30 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150filetimeCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
                                            • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                                            • API String ID: 723279517-1754256099
                                            • Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                                            • Instruction ID: 6ee1af16b230ad3a9e6bda3a619a39f65cd3fecb3bd323c360d7e7b75df43e96
                                            • Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                                            • Instruction Fuzzy Hash: 1A61B0B2B08B5182FB15DF62E4883AEA7A1F785B84F404055EE4953B9ADF78C709CB40
                                            Function 0000020039106F38 Relevance: 18.5, APIs: 10, Strings: 2, Instructions: 545COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$_errno_invalid_parameter_noinfo
                                            • String ID: nop -exec bypass -EncodedCommand "%s"$not create token: %d
                                            • API String ID: 3442832105-3652497171
                                            • Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                            • Instruction ID: 9bf215faa3378935b0920371f3d9c8afde71e3b67d9d10a7264ea0efcb2e1dd5
                                            • Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
                                            • Instruction Fuzzy Hash: CE42DA62A14F8691FA279B2DD4853E9A3A0FF54799F445101DF8927B62EF39D2E2C300
                                            Function 00000200393C0F34 Relevance: 18.2, APIs: 12, Instructions: 163processCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
                                            • String ID:
                                            • API String ID: 3044875250-0
                                            • Opcode ID: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                                            • Instruction ID: d3a246cc5fec3d324d21926e6c9b83fb563c8f90ea94cb4fa931ff75ef6aecc2
                                            • Opcode Fuzzy Hash: 1d990aa2536e0bdd41909587e15d765ca5c4192818fd4d96a304531b1bef1f0e
                                            • Instruction Fuzzy Hash: 66718CB3A08F4482FB629FA5E4C835E73A1F748B94F104165EE4943B96DF78CA94CB40
                                            Function 00000200393C9220 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87fileCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
                                            • String ID: %s\*
                                            • API String ID: 2620626937-766152087
                                            • Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                                            • Instruction ID: 755b2ad1fbf70fadbaaf63c80a4d8e0fe56e5641e0e22ec0d1ac7dd9aec3e06c
                                            • Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                                            • Instruction Fuzzy Hash: F431E796A04B8045FA5B9B5328983A97B527349FD0F885191EED5277D7CF38CB52CB00
                                            Function 00000200393C3A64 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113sleepprocesslibraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
                                            • String ID: NtQueueApcThread$ntdll
                                            • API String ID: 1427994231-1374908105
                                            • Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                                            • Instruction ID: ae9d13bd4704facf01d27fc2b21e81a611b618d03f3a25f8354b1a9da15e25e0
                                            • Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                                            • Instruction Fuzzy Hash: 48416BB2B01F4199FB16CB61A48839D73E5F748B88F444165EE4D67B8AEF38C645CB40
                                            Function 00000200393C6A78 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: bindclosesockethtonsioctlsocketlistensocket
                                            • String ID:
                                            • API String ID: 1767165869-0
                                            • Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                                            • Instruction ID: 869e30abfd35a0b77c9d16fb72f67fc92bbf0524cf4b816c2e1af962baecdf51
                                            • Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                                            • Instruction Fuzzy Hash: 4D2136A6F08B5482FB219F06A49831DB7A0F788FA8F444674DE5A137D2CF7CD6458B01
                                            Function 00000200393C6670 Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                                            • String ID:
                                            • API String ID: 3910169428-0
                                            • Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                                            • Instruction ID: cd17ad9b310c61b849bf5ecc72c910556ab26b367c9e8fc07c24507c27af5ee4
                                            • Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                                            • Instruction Fuzzy Hash: 4021E4A6B14F4082F725AF21E8983997760F788BA4F504265DE19533D2DF7CCA4ACB00
                                            Function 00000200393CDF50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
                                            • String ID: %s\%s
                                            • API String ID: 3621627092-4073750446
                                            • Opcode ID: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                                            • Instruction ID: acffdd94633b197c2f94d8afa221568416575e888370f94434d20847fe07e167
                                            • Opcode Fuzzy Hash: 21501fd99f5b763e027db7a7b361eaf12fbcf34ba50608c9b89ed7353f562f62
                                            • Instruction Fuzzy Hash: E1413DA2F14B4581FB02AB62E8DC76A23A1E789B90F4040A5ED5E57797DF3CCB458B40
                                            Function 00000200393BFA1C Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountSleepTick$closesocket
                                            • String ID:
                                            • API String ID: 2363407838-0
                                            • Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                                            • Instruction ID: 667e5b83c8f20c1728e00412d3727905cbbf7db41690bfe5bef9e17b48a31835
                                            • Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                                            • Instruction Fuzzy Hash: 3E2192A1F04B8442FA12B762A49935D6390BB85BB4F444761EDBA43BD7DE3CC7058B41
                                            Function 00000200393CEE8C Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: bindclosesockethtonslistensocket
                                            • String ID:
                                            • API String ID: 564772725-0
                                            • Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                                            • Instruction ID: 1347524085071e12285a1df2064db5afe0298004bf4924285bc6ecfb122435a2
                                            • Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                                            • Instruction Fuzzy Hash: D8110666E04B5482FA31AF51E45931AB360F784BE0F040265EE99177D6CF7CC6058B04
                                            Function 00007FF7B3AD2E70 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON
                                            Download Yara Rule
                                            Strings
                                            • %d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7B3AD2FFD
                                            • Unknown pseudo relocation protocol version %d., xrefs: 00007FF7B3AD31C0
                                            • Unknown pseudo relocation bit size %d., xrefs: 00007FF7B3AD31B4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
                                            • API String ID: 0-1286557213
                                            • Opcode ID: b0cf50d5c08cb4d86ba747f7a961140536a9f465ff7ed6e19a0df4589b4b5e41
                                            • Instruction ID: 3f4f57f1cb14c754729c76b3f3063554ba97c5ee0e1bbb28344a8226dfb0f196
                                            • Opcode Fuzzy Hash: b0cf50d5c08cb4d86ba747f7a961140536a9f465ff7ed6e19a0df4589b4b5e41
                                            • Instruction Fuzzy Hash: 1291C622E0955351EA907B18D910AB9E360BF77760FA48231EF6D277DCDE2CE895C320
                                            Function 00000200393C0B70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                            • String ID: %s
                                            • API String ID: 4244140340-620797490
                                            • Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                                            • Instruction ID: c21ab5eb8c56acb905c23e6cdc13c9f76977ae3905009fdb044fed1552903bf4
                                            • Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                                            • Instruction Fuzzy Hash: 65215CB2F00B449AFB15DBA1D4887EC33A5F758B88F444456CE4DA7A8AEF74C615C780
                                            Function 00000200393C5854 Relevance: 6.1, APIs: 4, Instructions: 73sleepnetworkCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$ErrorLastSleepioctlsocket
                                            • String ID:
                                            • API String ID: 1121440892-0
                                            • Opcode ID: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                                            • Instruction ID: 5d19ad81345fed5926b7e3288ca47a86e22f94a48fcb9c1a815baaa32b873a5a
                                            • Opcode Fuzzy Hash: 7368cb6fa517e1a070c78e6e07bfa46b364e9fef9c30544ba018e77da25e9e41
                                            • Instruction Fuzzy Hash: B23158B6B04F4086FB11EBA2E4883AC33B5F788B94F4006A6DE5DA3796DE30C615C740
                                            Function 000002003911B7B0 Relevance: 5.9, Strings: 4, Instructions: 884COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $<$ailure #%d - %s$e '
                                            • API String ID: 0-963976815
                                            • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                            • Instruction ID: 7c4e09794cbad1ad509c64c95f0eb56422d28e190c878a5fd08d733f68847f32
                                            • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                            • Instruction Fuzzy Hash: C89206B2725A8187DB58CB1DE4A573AB7A1F3C8780F44512AEB9B87799CE3CC451CB04
                                            Function 00000200393BDA3C Relevance: 4.9, APIs: 3, Instructions: 374memoryCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
                                            • String ID:
                                            • API String ID: 3419463915-0
                                            • Opcode ID: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                                            • Instruction ID: a82f990aeb0f35fb06c024c05cc672f510451e416e4d8e64b795572574ffd7e2
                                            • Opcode Fuzzy Hash: ec0623d855ca9fea6adc12097b57476b8ed8efbce5d3b57090cc4cf496277255
                                            • Instruction Fuzzy Hash: 60E1B0E3E10B0183FB66CB25E8893AA63A1F754744F088165DF9A97B97DB3CE645C700
                                            Function 00000200393CDEC8 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                            • String ID:
                                            • API String ID: 3429775523-0
                                            • Opcode ID: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                                            • Instruction ID: 6e2da0491594ecc48a49aadeae99b7328a72feb8fefa2470227ab328f56c5c88
                                            • Opcode Fuzzy Hash: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                                            • Instruction Fuzzy Hash: 0D011EB3A24B458FE7218F20E4893AD77B0F35476EF011919F64946A99CB7CC659CF40
                                            Function 00000200393DC3B0 Relevance: 3.4, Strings: 2, Instructions: 884COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: $<
                                            • API String ID: 0-428540627
                                            • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                            • Instruction ID: 0d91f7ec70ac70a6ecedd7490a25b965009c351f4563a0d0ab0b6b8c4b7ba196
                                            • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                                            • Instruction Fuzzy Hash: B79224B2725A8087DB59CB1DE4A573AB7A1F3C8B80F44112AEB9B87795CE3CC551CB04
                                            Function 00000200393C1268 Relevance: 3.0, APIs: 2, Instructions: 32processCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateErrorLastLogonProcessWith
                                            • String ID:
                                            • API String ID: 2609480667-0
                                            • Opcode ID: 8fcebf3f7d0e2333a3ca458f2652207579a2a29baf972c8fdebcbca856c98942
                                            • Instruction ID: fb6545c804e85f9d8c90dd57dc3a8b55bce1b278679f0b381c0fbcbb445c0577
                                            • Opcode Fuzzy Hash: 8fcebf3f7d0e2333a3ca458f2652207579a2a29baf972c8fdebcbca856c98942
                                            • Instruction Fuzzy Hash: 4B01FBB6B14F0882FB519B66E48C35933E0F30CB94F100165DE5D8B352DB3AC9929754
                                            Function 000002003911C397 Relevance: 2.6, Strings: 2, Instructions: 134COMMON
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: ailure #%d - %s$e '
                                            • API String ID: 0-4163927988
                                            • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                            • Instruction ID: abdcf4eb94f7ad317111beb9f0c4b51fbf01c71331955bb76442aee8ce7eb90a
                                            • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                            • Instruction Fuzzy Hash: 74613AB6614A518BD714CB08E4D0B2BB7E1F3CCB94F84061AE78A8B768CA3CD544CB40
                                            Function 00000200393C0920 Relevance: 1.5, APIs: 1, Instructions: 33pipeCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CreateNamedPipe
                                            • String ID:
                                            • API String ID: 2489174969-0
                                            • Opcode ID: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                                            • Instruction ID: c04f07a16460deee1b1591565190d4a7eaca0aeffab496bb281b0ec46c5278da
                                            • Opcode Fuzzy Hash: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                                            • Instruction Fuzzy Hash: 21016DB3D14F818AFB128B10F48879976A1F798375F544354DA99126D6DB3CC218CB04
                                            Function 00000200393BF3C0 Relevance: 1.5, APIs: 1, Instructions: 26timeCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: LocalTime
                                            • String ID:
                                            • API String ID: 481472006-0
                                            • Opcode ID: c754f7854dc816777d2e581f8d69a8ad3d764a56d460b7429c41f832064f131e
                                            • Instruction ID: 58aba5125fd797285082f81451992e53e6142d350c26fa16743074d6daa1913d
                                            • Opcode Fuzzy Hash: c754f7854dc816777d2e581f8d69a8ad3d764a56d460b7429c41f832064f131e
                                            • Instruction Fuzzy Hash: 72F0A047B0970182F3645B6AF8C537A92A5E7D4B48F888131FB89052EAEE7CC754CA10
                                            Function 00000200393DDBF0 Relevance: .6, Instructions: 617COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                            • Instruction ID: de2d4b45be605309c9acc57076020714b48de6dfd528941b00eb707449d0d36d
                                            • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                            • Instruction Fuzzy Hash: 905262B2614A4587E708CB1DE4A173AB7E1F3C9B80F44852AE7978B799CE3DD950CB40
                                            Function 000002003911CFF0 Relevance: .6, Instructions: 617COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                            • Instruction ID: e62bf7c94fa6dc3185b71b7defd40b6620869651f3bc07a25e0a83cd7551465d
                                            • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                                            • Instruction Fuzzy Hash: 8A5253B2214A8587E708CB1DE4A573AB7E1F3C9B80F44452AE79B8B799CE3DD554CB00
                                            Function 00000200393DD280 Relevance: .6, Instructions: 592COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                            • Instruction ID: 41fb172df9d4133d8f15d4e3b5978e17eba0477cda9589533e6d71d4441c1b24
                                            • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                            • Instruction Fuzzy Hash: 615268B2614A8187E708CF1DE4A573AB7E1F3C9780F44852AE7868B799CA3CD945CF40
                                            Function 000002003911C680 Relevance: .6, Instructions: 592COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                            • Instruction ID: f499c79c0e3397736cfdaca8e10e02b329b0c693cce7198cc0c37f2b478c4e93
                                            • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                                            • Instruction Fuzzy Hash: 205254B2614A8187E708CF1DE4A573AB7E1F3C9B80F44852AE7868B799CA3DD545CF40
                                            Function 00000200393BA280 Relevance: .4, Instructions: 404COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                                            • Instruction ID: e0c320d4d3709e214230a05fb7daedc977eea428e75dd92ea1c5478137c5e327
                                            • Opcode Fuzzy Hash: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                                            • Instruction Fuzzy Hash: 48F195A2B08B4292FB22CB69D4D939E67E1F794784F900155EE4DC7786EA35CB05CB40
                                            Function 00000200390F9680 Relevance: .4, Instructions: 404COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                                            • Instruction ID: f66d444f1290944fd3665a52fbcd2efb1249d018755a7f8ed82d5d4b4f7fdcc0
                                            • Opcode Fuzzy Hash: 037a88b3a0e0121372c1e8929510804f124a0a98294513f128062ea9428e9fbd
                                            • Instruction Fuzzy Hash: 76F1B832B04B428AFB3ADB15E5D839E63A1F794784F500195DE9B8778AEA34CF45CB40
                                            Function 00000200390FCE3C Relevance: .4, Instructions: 374COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                                            • Instruction ID: d6e80313f36afd3702e168ff1c364bc5d116640ea3d11f7dd4b6f88e96d8ea0b
                                            • Opcode Fuzzy Hash: 24a34f2510a6bdda36c019d7c9474c92714271ad77d8ea5857b13b9428aab684
                                            • Instruction Fuzzy Hash: C6E18F63A1070187FB7ACB25E8893AA63A1F744354F088165DF9B97B97EB3CE185C300
                                            Function 00000200393B9D6C Relevance: .4, Instructions: 367COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                                            • Instruction ID: 8014ea402f996a0ca2fd0fc857f9835b508bad6be1af665f6e5af061342fe719
                                            • Opcode Fuzzy Hash: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                                            • Instruction Fuzzy Hash: 68E1E5B2B04F4291FF229B65D4D83AE67A1F794788F900051EE4ED7A8AEE34CB45C740
                                            Function 00000200390F916C Relevance: .4, Instructions: 367COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free
                                            • String ID:
                                            • API String ID: 1294909896-0
                                            • Opcode ID: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                                            • Instruction ID: d618f377a67c8604344e3678168ce9b349b1ab1a869029d8ff0dfda3dec3b41c
                                            • Opcode Fuzzy Hash: a24fb40c631e4fb8bf858a82f26ba5d2e30cdac9459d39304e37b5ee64eada3e
                                            • Instruction Fuzzy Hash: 70E1C632B04B4299FF7A9B55D4C43AE67A1F794B88F800052DE9F8769AEE34CE45C740
                                            Function 0000020039100334 Relevance: .2, Instructions: 163COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                                            • Instruction ID: 7446630487bb9abe4aae109f0cfe59d591216d5f2aab0617e61b15e0fdea9d61
                                            • Opcode Fuzzy Hash: 466de111811528a62f1f30eaf25973b5c551d59befa8947403ad49e7d2f1a529
                                            • Instruction Fuzzy Hash: C2718D32A14B4686FB66DF21E4C835E73E0F788B84F005569DE8993B96CF3AC485CB40
                                            Function 00000200393DCF97 Relevance: .1, Instructions: 134COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                            • Instruction ID: 0bc413b785072011896c224762cea41d5dcfb6fce1b9d5c677c68df2feba0fa1
                                            • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                                            • Instruction Fuzzy Hash: 02613CB6614A508BD714CB0DE4D472AB7E1F3CCB84F84421AE79B87769CA3CDA45CB40
                                            Function 00000200393E2010 Relevance: .0, Instructions: 17COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 775ff15857822b3d9aa2335441d3a9ab660a36c60359c7808ede694e5d153041
                                            • Instruction ID: 7f8f2fdd2ec1c93270921bc47bd10d3a9b10c7617047236153d6ec1ced070c06
                                            • Opcode Fuzzy Hash: 775ff15857822b3d9aa2335441d3a9ab660a36c60359c7808ede694e5d153041
                                            • Instruction Fuzzy Hash: 4FE042EBE4EBD159F2A797781CEE3582FD0B796E60F0D01CBDA81062E7E4414E05D216
                                            Function 00000200393E2020 Relevance: .0, Instructions: 9COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 78ec2944d26170f4154fe6f556631e5180d26baa1dea02992390c732bfebcaaf
                                            • Instruction ID: 33e66b6239facc367f04aa0b658c5e9897ecb17c715a3262ba0fce2dfe2126e6
                                            • Opcode Fuzzy Hash: 78ec2944d26170f4154fe6f556631e5180d26baa1dea02992390c732bfebcaaf
                                            • Instruction Fuzzy Hash: 1FC002DBE0EFE019F2A347A50CAE7082A807796A60E0C41CFDBC2023D7E4015E01D616
                                            Function 00000200393E24F0 Relevance: .0, Instructions: 2COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 73111ac0308ed14a977cc95b1196ea9902faa8b1b2c1511953779eef7db05631
                                            • Instruction ID: 5637a91258ff32da7623171f556a13c66519ea2643dabb2e399fefbb38acb267
                                            • Opcode Fuzzy Hash: 73111ac0308ed14a977cc95b1196ea9902faa8b1b2c1511953779eef7db05631
                                            • Instruction Fuzzy Hash:
                                            Function 00000200393C6BE0 Relevance: 22.7, APIs: 15, Instructions: 195networkCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: acceptioctlsocket$closesockethtonlselect
                                            • String ID:
                                            • API String ID: 2003300010-0
                                            • Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                                            • Instruction ID: b53657b3d461ccfd32634d1c220925b3540f5899d243db35cffcc41ec7f4715b
                                            • Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                                            • Instruction Fuzzy Hash: 959191B2A10B919AFB22DF31D9987AD33A5F788798F000166DF4D47A96DF34C664CB00
                                            Function 00000200393BEC04 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165networksleepCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
                                            • String ID: %s%s$*/*
                                            • API String ID: 3787158362-856325523
                                            • Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                                            • Instruction ID: 93cc98eb0c21b39f5745bd06a720391b717f8fc1fc4b76413d50a1d009eddb2a
                                            • Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                                            • Instruction Fuzzy Hash: 69816DB6A04B4589FB16DB65E8C83D973A0F794748F4001A6EE4E537ABDF78C609CB40
                                            Function 00000200393C53E4 Relevance: 18.1, APIs: 12, Instructions: 105pipesleepfileCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
                                            • String ID:
                                            • API String ID: 34948862-0
                                            • Opcode ID: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                                            • Instruction ID: 295b5c1c26a1a4fb0d346ad392a0df2613f4d0e108fa1083860697a8503f0140
                                            • Opcode Fuzzy Hash: fe9bced31039d2455b0d079955692a562236962e25bf66d1b7588840a9b4026e
                                            • Instruction Fuzzy Hash: B04181B2E08F04C6FB12DB61E88C76D3361E788BA4F504260EE5A57BD6DF38C6558B00
                                            Function 00000200393CFF6C Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                                            • String ID:
                                            • API String ID: 4099253644-0
                                            • Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                                            • Instruction ID: 405c77a6569c0b3b85e51a07d80216a47ef0684326db67822d3c0786b557ac58
                                            • Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                                            • Instruction Fuzzy Hash: D531EBAAE01F4485FE57EB51E8EC3A423A0FB44B94F4806A5DE5A162E7DF7CC6448B10
                                            Function 00000200393CFE10 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1138158220-0
                                            • Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                                            • Instruction ID: 62a302f52c72c7aad45886756a54431449bcca0ba23a07c5c3141045b0810645
                                            • Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                                            • Instruction Fuzzy Hash: EE31A6A2F04F4482FB669F75989C36D67E1AB88BA4F1446A4DE45537DBDF38C6408B00
                                            Function 00000200393C7308 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 73networkCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                                            • String ID: d
                                            • API String ID: 1257931466-2564639436
                                            • Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                                            • Instruction ID: cf0a95c4d847f488bdd4fb428c79390c5b923e26882cce8394d5cf0acc50498d
                                            • Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                                            • Instruction Fuzzy Hash: 2F31C2B3A14B84C6EB228F21E88839E77A0F788B84F001156EE8E43B55DF78C254CB40
                                            Function 0000020039111B48 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: write_multi_char$write_string$free
                                            • String ID:
                                            • API String ID: 2630409672-3916222277
                                            • Opcode ID: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                                            • Instruction ID: 252e0c1de6a33c4bfb3ba1e681514397f606d8dc47f5eef6e4c6b9c537457678
                                            • Opcode Fuzzy Hash: 1c8d6b8a065489df9c71b2e8ea70d157333f6dd13db57c526a3ea5ce9db962ed
                                            • Instruction Fuzzy Hash: 5EA11722E08742A6FB63CB55E4883AFABB0F785794F140585DF4927BDADB39C945CB00
                                            Function 00000200393C71FC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57networksleepCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$ErrorLastSleepselectsend
                                            • String ID: d
                                            • API String ID: 2152284305-2564639436
                                            • Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                                            • Instruction ID: a26d1e47f09be04858b6f7205e3fcd9aecd19224e21928503a0aa14386c5b6e0
                                            • Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                                            • Instruction Fuzzy Hash: 272181B2A18B8086F7618F21F88838D7361F788784F404165EF9D47A96DF78C654CB44
                                            Function 00000200393BFB08 Relevance: 15.1, APIs: 10, Instructions: 91sleepfilepipeCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
                                            • String ID:
                                            • API String ID: 3101085627-0
                                            • Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                                            • Instruction ID: d4ad457481d22f599e14b9d1d91e0f20b2eeed78739c9fe96c0b69ce8718d2f4
                                            • Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                                            • Instruction Fuzzy Hash: 86415EB2F04A458AF712AFF5D4D839C23A1F744B98F411162DE4AA7A6ADF38C649C740
                                            Function 00000200393D6E1C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 388111225-0
                                            • Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                                            • Instruction ID: de125120d46aec02a8e1394bcb20fa30d114a548150720152ac4e94bd042bc59
                                            • Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                                            • Instruction Fuzzy Hash: 243101B2F0074087F71BBFA5D8E932E2650AB807A4FA54194EE21173D3CB38CA818700
                                            Function 000002003911621C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 388111225-0
                                            • Opcode ID: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                                            • Instruction ID: c47ab43d4a52f4f5b609c455e64ce7757e45300c5fea1ef27f73332d7bc3ee36
                                            • Opcode Fuzzy Hash: 9a7e94428e85d4ed5cd8e77b1af53c202f15bf406c2c29a1a7d54b8e8c205bff
                                            • Instruction Fuzzy Hash: 3E31E322F20356A6F7576F75A8C936EA760A7817E0F8582A5AF26373D3C639C8418710
                                            Function 00000200393DFD50 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1812809483-0
                                            • Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                                            • Instruction ID: 5af39d34fdab2331f25e3abef9a54ad522e4f76f10e8119c680a5c72cc29f781
                                            • Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                                            • Instruction Fuzzy Hash: B5412CF1E2435186FB66AB2194F83BD32E0EB58B94F6041A5EE54477C7D734CB418700
                                            Function 000002003911F150 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1812809483-0
                                            • Opcode ID: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                                            • Instruction ID: 5563763a37526275070dfebb8dc7dd4751a3708f9e7f8067b0c615c5a990249d
                                            • Opcode Fuzzy Hash: bd2089a42f628a497311986bb7142f0c797ae3413767483a07d765319bf433f4
                                            • Instruction Fuzzy Hash: 98412775E10397A2FB66AB2184C83BE73E1E754BA4FD442A1EF5663BC7D728C8418700
                                            Function 00000200393C6500 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                                            • String ID:
                                            • API String ID: 3339321253-0
                                            • Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                                            • Instruction ID: 7071a1b34227891c06550bee4cc34d1179dc81fd14c46c1b9039fbb721bcd997
                                            • Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                                            • Instruction Fuzzy Hash: D6314CA2B14B4192FB269F21E99C3AA6351F744B98F100164DE0A476DADF3CC749CB00
                                            Function 00000200393C6B98 Relevance: 13.6, APIs: 9, Instructions: 72COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
                                            • String ID:
                                            • API String ID: 3610715900-0
                                            • Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                                            • Instruction ID: 2672d9ce4a21dde070fbd42fcbd16502d1fc72e81ffad315e39fdd8e9b9d1e73
                                            • Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                                            • Instruction Fuzzy Hash: 89312FF2E10F4182FF669F66D9CC32963A0F748B88F1841A5CE4A56297DF34CA558B11
                                            Function 00000200393D7A90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                                            • String ID:
                                            • API String ID: 310312816-0
                                            • Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                                            • Instruction ID: eb3f3b1b3674b43f6e3bc96c3adb7d3522345363ce1bfa1539e197b9555590f2
                                            • Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                                            • Instruction Fuzzy Hash: C32136F2F0034046F71B6FA9D8ED3AE6691BB807A1F594194EE16073D3CB78CA818310
                                            Function 00000200393D7C08 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                                            • String ID:
                                            • API String ID: 4140391395-0
                                            • Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                                            • Instruction ID: f009644a0d3e52daacf608c92f5cabc3f3b1c05a198faeff3d7fa63ffaff336d
                                            • Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                                            • Instruction Fuzzy Hash: 3D2105E6F007404AF71B6F6998ED36E6551AB80BB1F194794EE36073D3C73886418720
                                            Function 0000020039116E90 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
                                            • String ID:
                                            • API String ID: 310312816-0
                                            • Opcode ID: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                                            • Instruction ID: 8f1dd3b8e50066f3017754c6c3159a01e1cbfa2986012edf2fc524b69774d948
                                            • Opcode Fuzzy Hash: 58556fb0ae643294109593e6a1f551c1d1756168c239dbf47c2b40feda9217b5
                                            • Instruction Fuzzy Hash: C021F322F2074365F7477F25E8D936EA760A7807E1F498294AF26273D3CB788841C714
                                            Function 0000020039117008 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
                                            • String ID:
                                            • API String ID: 4140391395-0
                                            • Opcode ID: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                                            • Instruction ID: 3bd2649e5a64ac87ace64f627d932a693fa33802fc57310cf5f2e521bcd17bf2
                                            • Opcode Fuzzy Hash: 19101616f3e261a9beafbca214444aa2a5cb8e231afb96d714edbab2d78f6c11
                                            • Instruction Fuzzy Hash: CB219223E0074265FB472F29A8C93BEA751A781BB1F594795AF36273E3C77884818721
                                            Function 000002003910F36C Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno
                                            • String ID:
                                            • API String ID: 2288870239-0
                                            • Opcode ID: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                                            • Instruction ID: 57a7c618e6ab64800dca17de7ccc328fa6b17679781c220eecbc17a7a911515d
                                            • Opcode Fuzzy Hash: 819b4a270ea7d8595eaf9ac501f5b396dc923916a4c2f054388fd72371d1b91d
                                            • Instruction Fuzzy Hash: C6311C6AF01B4381FE67EB26F8DE36423B0BB547A0F4C01A5CD69667A3CF29C4848301
                                            Function 00007FF7B3AD2C90 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: QueryVirtual
                                            • String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
                                            • API String ID: 1804819252-1534286854
                                            • Opcode ID: 785072bde8c85f5d4b1c73497ed291e88d8a31ac554300ac2883823fa59db919
                                            • Instruction ID: ab002ad7333fb88aa932ae86f1fe217274a03d98bb5a92b6e0c869ec024904c7
                                            • Opcode Fuzzy Hash: 785072bde8c85f5d4b1c73497ed291e88d8a31ac554300ac2883823fa59db919
                                            • Instruction Fuzzy Hash: A651E972A04A4691EB50AB19E841AAAF760FB66B90FD44230EF8C2779CDF3CD4C5C710
                                            Function 00000200393DA348 Relevance: 12.1, APIs: 8, Instructions: 132COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
                                            • String ID:
                                            • API String ID: 854778215-0
                                            • Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                                            • Instruction ID: 30168d39c3fc46a2959f1cb945871b6760bab763a0935c55e59e8d3eddfee8d1
                                            • Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                                            • Instruction Fuzzy Hash: 285104B2A0074082FB229F18D5EC36EB3A5FB84B58F194195DE4E877E6DB78CA51C700
                                            Function 00000200393D6434 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                                            • String ID:
                                            • API String ID: 2611593033-0
                                            • Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                                            • Instruction ID: 68e9e02e9a9dbdddc9285725979b9b42fd0e4029748df5d1d09302328166040e
                                            • Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                                            • Instruction Fuzzy Hash: EA2102A2F4034046F72B7FA599ED36E6561AB80BA5F594194AE25073D3CB78CA818720
                                            Function 0000020039115834 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
                                            • String ID:
                                            • API String ID: 2611593033-0
                                            • Opcode ID: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                                            • Instruction ID: a067b98b0cfdb22d6de652ddcd42e985fca1fe7a2743072dd2c5d7d8775abfc2
                                            • Opcode Fuzzy Hash: 268773e762f2e10da4a59bd6545c27f05d9dc8848c407f150f864121acff7d22
                                            • Instruction Fuzzy Hash: D5210822F0435266F7472F36E8C937EA760A780BA1F554196AF25373D7C7788841C721
                                            Function 00000200393DA73C Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
                                            • String ID:
                                            • API String ID: 2289611984-0
                                            • Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                                            • Instruction ID: ccad57c82d6f3455ae3d7f75ae290f0c0a69fa51c9fa6aea06cb9099674d5d72
                                            • Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                                            • Instruction Fuzzy Hash: E7210AA1F0074046F7176FED9AFC36D6661AB80760F590198DE15873D3CB78CB818355
                                            Function 00000200393D5C58 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                                            • String ID:
                                            • API String ID: 4060740672-0
                                            • Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                                            • Instruction ID: e42c3ec4dac3c79bcc31d45e52e2c4b7e3fe1f5fea02ef0f086051dd70905fb1
                                            • Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                                            • Instruction Fuzzy Hash: 2B1127B2F1038046F31B6F69D9ED36D6A50AF80761F6906A4EE16473DBC778C6818310
                                            Function 0000020039115058 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
                                            • String ID:
                                            • API String ID: 4060740672-0
                                            • Opcode ID: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                                            • Instruction ID: c6926d0ef0347371ebd832ae94c5dda99a1ef85fd8ea53839311c3b09dcdc23b
                                            • Opcode Fuzzy Hash: 17379182c61e94fbc4142119cfcf5b3e3f43e3e6c30bf76299a690df2e0bdcd6
                                            • Instruction Fuzzy Hash: 9311E222E0438666F30B6F75ECCD36DA750A7817A1F5946A5DF1A273EBC67888408350
                                            Function 00000200393B460C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$malloc$_errno$_callnewh$AllocHeap
                                            • String ID:
                                            • API String ID: 3534990644-0
                                            • Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                                            • Instruction ID: 3c0cc08f7fc0ccc32000796a7f2c6fa9e585ff42826b27fa5640091809e61928
                                            • Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                                            • Instruction Fuzzy Hash: 527145A6B04BC446FF229B6694CC7AA7B91B784BC8F404154DD4A97B8BDB38CA05CB04
                                            Function 00000200390F3A0C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$malloc$_errno$_callnewh
                                            • String ID:
                                            • API String ID: 4160633307-0
                                            • Opcode ID: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                                            • Instruction ID: 4c2349ffe9ac8522e5892a706499d1f89344f28ad93a3895f30776cf4325808c
                                            • Opcode Fuzzy Hash: 930309f8498ff7a349f5473874db00cb4ae22164d30aab4612de4250541046de
                                            • Instruction Fuzzy Hash: C9712362B047854AFB3A9B3694C87AE7B91B794BD8F404054DE4B47B87DF38C606CB40
                                            Function 00000200390FBE74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 296COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
                                            • String ID: /'); %s
                                            • API String ID: 1314452303-1283008465
                                            • Opcode ID: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                                            • Instruction ID: d4c41311363fb724e99b1a430469400b88583b1ce2b94a119dd29bdd9f48f4e1
                                            • Opcode Fuzzy Hash: a14b20026d747f2b5753e6fc705179295a1c2f23b63bad27e5059ac536f54d83
                                            • Instruction Fuzzy Hash: 7FC10321F0038246FA6AFB72A4DE7AE7391BB85780F4041A5AD16673D7DF39C58AC700
                                            Function 00000200393CB47C Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
                                            • String ID: VUUU
                                            • API String ID: 632458648-2040033107
                                            • Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                                            • Instruction ID: 2456099a1efea8ef94eb40d1289d5395a4d4474d5c628b09f5ccb4e3af0f5ad0
                                            • Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                                            • Instruction Fuzzy Hash: EEA107A6F00B9246FB16EB66D8D97ED2261BB887C5F804065ED49777D7CE38C605CB00
                                            Function 00000200390FE004 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 165COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf
                                            • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                                            • API String ID: 3512837008-1250630670
                                            • Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                            • Instruction ID: eef41ff252e905a4f8be37eeadea78f511cfdb0693d2084c123a36724f790ad8
                                            • Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
                                            • Instruction Fuzzy Hash: 8C816B36A00B868AFB62DB61D8C83D973B0F788784F4445A2EE4A23796DF79C545C700
                                            Function 00000200393C1478 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128processCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
                                            • String ID: %s as %s\%s: %d
                                            • API String ID: 3435635427-816037529
                                            • Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                                            • Instruction ID: 0da0b9fa6f2442271aada9776de55f508d8fcea00c00da2c6bde9066f7606ba0
                                            • Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                                            • Instruction Fuzzy Hash: 0A516D72A08B8186E761DF16F88875EB7A5F789B84F044025EF8D93B5ADF38C555CB00
                                            Function 0000020039100A94 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 126COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
                                            • String ID: mode
                                            • API String ID: 1756087678-2976727214
                                            • Opcode ID: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                                            • Instruction ID: ecc56de55c1ac15b1e4c999f09cfd945ff9d4af98e8ed54c072b2ec58a341de8
                                            • Opcode Fuzzy Hash: f827565397daa4a866320a6784096609c7711a7c42725b9a2a2b01c24697e092
                                            • Instruction Fuzzy Hash: 7A41C422B0475186FA16EB12E4D93AE7351B7C8BD0F8081A1AE5E67BD7DE3DC545C700
                                            Function 0000020039108620 Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 87COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
                                            • String ID: /'); %s
                                            • API String ID: 761449704-1283008465
                                            • Opcode ID: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                                            • Instruction ID: e7010c04706fbeb07a7841a34e1becb2f8118a6669ec89f223751a1ee9e1b2fb
                                            • Opcode Fuzzy Hash: 6cfeb8f42d39390d21f7f655b5309285a784ce0f998201f3a4c834a9ff33a05d
                                            • Instruction Fuzzy Hash: E631F111A0438745FA57EB23289C3E6AB62734AFE0F8845D1DEE5277D7CE7AC4828300
                                            Function 00000200393CE98C Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$OpenProcessToken
                                            • String ID:
                                            • API String ID: 2009710997-0
                                            • Opcode ID: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                                            • Instruction ID: be6d34ed1b5b3b098533066d8d917bb9091f240e95157e9b264054a236cc7217
                                            • Opcode Fuzzy Hash: 12a3f9e128b967964898bf965f43ef985f021f837df021f2e119c6413e458a11
                                            • Instruction Fuzzy Hash: C631D8A6F09B0046F726AF66E4DC75A6790EBC4B90F0444789E4653797DE3CCA45CF40
                                            Function 000002003910F210 Relevance: 10.6, APIs: 7, Instructions: 73COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 2917016420-0
                                            • Opcode ID: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                                            • Instruction ID: bc41b8d5d6f8d1073498f38d6b15cc7d251034ff025075463a9b5be5cc2d9b1c
                                            • Opcode Fuzzy Hash: 6bd0c9401fb351ee2ef62b7ec5c1d05d22ccd8d85f9d07845cb75c559d0d09e7
                                            • Instruction Fuzzy Hash: 4231F625A00B4282FB52AF26988932EA7E1FB85B94F4805B4DE49637D7DF39C4408300
                                            Function 00000200393DFBD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3191669884-0
                                            • Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                                            • Instruction ID: 7f664be5fe8d80c1078bb68e8e683d22c82c8c314014a59d9932639a3f70fa4f
                                            • Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                                            • Instruction Fuzzy Hash: 4B31C1B6B1478086F7229F11D4E879DB6A4F784BE4F2842A1EE5807BC7CB34CA51C700
                                            Function 000002003911EFD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 3191669884-0
                                            • Opcode ID: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                                            • Instruction ID: e1230b7e1dc74089fa3d86a2c276ca391d6d25754da0a4923784c99751edd077
                                            • Opcode Fuzzy Hash: 17da934d4d304edacbb08e48815c32878d4d79cd43a7a40298e59a88dbb9cc3b
                                            • Instruction Fuzzy Hash: AC31C172A04786A6F7629F1194C876EB7A5F384BE0F1482A1EF5923BD7CB34C841C700
                                            Function 00000200393C596C Relevance: 10.6, APIs: 7, Instructions: 52COMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTickioctlsocket
                                            • String ID:
                                            • API String ID: 3686034022-0
                                            • Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                                            • Instruction ID: 663a8c3b6f2ccf433b7fecedf364e5d98d4fa0d7bf9b8486abb78a34bc9d8c65
                                            • Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                                            • Instruction Fuzzy Hash: F3110D72E08B8446F7124B65ECCC3597351EB84774F5002A0DD45866E2DFB8CD89CB10
                                            Function 00000200393C0AA0 Relevance: 10.5, APIs: 7, Instructions: 45pipethreadfileCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
                                            • String ID:
                                            • API String ID: 4232080776-0
                                            • Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                                            • Instruction ID: a82a448446f4ef5ff35ab4fe0e071237eadc4f1aac918e2146dc3fe03fb74d5a
                                            • Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                                            • Instruction Fuzzy Hash: B9215EA3E18B8585FB93DB21E8CC7A923A1F784B44F8441968C0A425A3CF2CCB48CB15
                                            Function 00000200393D0B10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                                            • String ID:
                                            • API String ID: 2328795619-0
                                            • Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                                            • Instruction ID: d58e1ad3b43231834b7552fd43223b6d2f025c44e1a877d38858a994aa59ded2
                                            • Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                                            • Instruction Fuzzy Hash: 40515AF1F0834082FA2A8B6694A87EA76D0B740FF8F144751AE3947BD7CB34D6918240
                                            Function 000002003910FF10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                                            • String ID:
                                            • API String ID: 2328795619-0
                                            • Opcode ID: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                                            • Instruction ID: 169d6bb3c3ceaae48909fc9d6f91c61306161a2e458e5ac98a004f4f7037ab7c
                                            • Opcode Fuzzy Hash: a6b8c894bc097219f3410178b0f3ee4aa495d15850340b6c84f373b071b042dd
                                            • Instruction Fuzzy Hash: 86514722F0435292FA6A8B27598976EB790B345BF4F148754EF3963BD7CB39C4D18240
                                            Function 0000020039101030 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 150COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$freemalloc$_callnewh
                                            • String ID: 1:%u/'); %s$n from %d (%u)$open process: %d (%u)
                                            • API String ID: 2029259483-317027030
                                            • Opcode ID: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                                            • Instruction ID: ff3d3ce5d1fe7f3b31e67a01e391621769d6fda9e1ef035f83af5d7f0e12c2f8
                                            • Opcode Fuzzy Hash: dc04f393f0e4fed79304e7eb9afd54a7656e6f03fcd842c9ac36e4d1f5269005
                                            • Instruction Fuzzy Hash: A8610671B0475286FB55DF62E4893AEB3A1F385B84F404056EE8A53B9AEF3DC645CB00
                                            Function 00000200393C1694 Relevance: 9.1, APIs: 6, Instructions: 126COMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
                                            • String ID:
                                            • API String ID: 3587854850-0
                                            • Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                                            • Instruction ID: f1a67a712a552901a1217c59cd2602fae3afc11adef2e36d064c97eefa055212
                                            • Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                                            • Instruction Fuzzy Hash: F241C6A2B14B5042FA16EB12E4987AE6251F7C8BD0F408165EE5E57BD7DE3CCB05CB00
                                            Function 00000200393C5C60 Relevance: 9.1, APIs: 6, Instructions: 113COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
                                            • String ID:
                                            • API String ID: 3426420785-0
                                            • Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                                            • Instruction ID: 09234e9249c5685540a33b50dd304baa143e0f8fdc6770adbb0584a689f8d3ed
                                            • Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                                            • Instruction Fuzzy Hash: 684181A2F20B1195FF16EBB5D8CD7DD63A0BB88784F404451EE095769BEE38C20ACB50
                                            Function 00000200393C6F2C Relevance: 9.1, APIs: 6, Instructions: 99networkCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
                                            • String ID:
                                            • API String ID: 2310505145-0
                                            • Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                                            • Instruction ID: cfc4e195e988f7dc1c906d2cecc3403f4a7800f5da8265e9f2efe1107f766e89
                                            • Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                                            • Instruction Fuzzy Hash: F04166F2E04B5086FB128F25E4C871A77A1F784B95F144255DE9A977A5DB38C681CF00
                                            Function 00000200393C79C4 Relevance: 9.1, APIs: 6, Instructions: 96threadCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                                            • String ID:
                                            • API String ID: 1014270282-0
                                            • Opcode ID: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                                            • Instruction ID: 4f2e98a93c38bf3310b066df573772a73a4395f628466a3b2e41e6c849c8163b
                                            • Opcode Fuzzy Hash: b3d57bf1a8e1718da0dab59a644853e162df0a73d9a39d542a15f5b5bcb328ed
                                            • Instruction Fuzzy Hash: 0A41BDB2A14B8086FB228F56948839977A0F788FD4F080568EE4A17B96DF7CC7058B00
                                            Function 00000200393D0620 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                                            • String ID:
                                            • API String ID: 1547050394-0
                                            • Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                                            • Instruction ID: 2076f12ced57a949ed2a7eaf169fe5304f74b91d01f85143718244d27e0ac500
                                            • Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                                            • Instruction Fuzzy Hash: 9A210DE1F0874681FB535F6198A93AE62D5BB44FC0F4444A1AD4887B97DB7CC6404700
                                            Function 000002003910FA20 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                                            • String ID:
                                            • API String ID: 1547050394-0
                                            • Opcode ID: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                                            • Instruction ID: 60224eac6dabe11760da246beba6fa41e6cba9d2f86fa2dcf25d09ee865a0933
                                            • Opcode Fuzzy Hash: 0ee48a0889aaee90efd1175476a0cb7edf48224d72ecded3f82ab5c2f8e8549f
                                            • Instruction Fuzzy Hash: C221B421B14787A1FB635B72A88A36EE791B744BC0F4444A1FE49B7B97DB3DC4818700
                                            Function 0000020039119B3C Relevance: 9.1, APIs: 6, Instructions: 63COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$__doserrno__lock_fhandle_getptd_noexit
                                            • String ID:
                                            • API String ID: 2102446242-0
                                            • Opcode ID: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                                            • Instruction ID: 8b805184b8892327367043c1560e88ec47493e58c8247df5c6d2f8c92e8d40bd
                                            • Opcode Fuzzy Hash: acc1e709539f3a0e8ebe9ec8259c6fe6fa9b3b7ac075e700e957115c0bfbe106
                                            • Instruction Fuzzy Hash: D421AE21F0078365FB576F65A8CD76EA791A781760F5941A8DF27273D3CA788C818318
                                            Function 00000200393BFC64 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
                                            • String ID:
                                            • API String ID: 1616846154-0
                                            • Opcode ID: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                                            • Instruction ID: 8cd55735283eaecaf887efd83b8b69f23880b1ea70da6a9537f30c1ed3aa1a6e
                                            • Opcode Fuzzy Hash: 17de93f2489608755237434f8f5e09f648d27c8e17da9d8174f51a1e36afe512
                                            • Instruction Fuzzy Hash: B3119695F04B4041F912F752A0993AE5351AB85FE4F444265EE5957BCFDE2CC7058B80
                                            Function 00000200393C4488 Relevance: 9.1, APIs: 6, Instructions: 51pipefileCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
                                            • String ID:
                                            • API String ID: 3798860377-0
                                            • Opcode ID: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                                            • Instruction ID: 4fd46fabd30995386e25049243b0ddeb4d3a8302b2b139fa487b451c39441b0d
                                            • Opcode Fuzzy Hash: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                                            • Instruction Fuzzy Hash: 0D11EFB3E08B4082FB219B21F49C72E32A1E784BA4F404254DE5A57AD6CF7CC6458B00
                                            Function 00000200393CEFEC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 00000200393CF044
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
                                            • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                                            • API String ID: 3518644649-2739389480
                                            • Opcode ID: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                                            • Instruction ID: 250848470c4fc5b8e4c11764684c1a59e2d8ed0c17fb3b16131a44c3b1b3d436
                                            • Opcode Fuzzy Hash: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                                            • Instruction Fuzzy Hash: 670100B6B00B9042FA45DB52B8887596399F38CFE0F444269EEA8537CBCF38C1018B80
                                            Function 000002003910E3EC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
                                            • String ID: dpoolWait
                                            • API String ID: 2026495703-1875951006
                                            • Opcode ID: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                                            • Instruction ID: d23bc7aaabce27d64d1032bb99645e3d135c81e5cd8ff6bf144a5e8363ec92b2
                                            • Opcode Fuzzy Hash: 8070209c1cbe6b8a0a820429e4883b75791e823d018c18b7f063917c64386bf6
                                            • Instruction Fuzzy Hash: 5B01C4B1B0079141FA15DB13B888759A699F798FE0F454259EEA9677C7CE38C0818740
                                            Function 00000200393C31F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: freemallocstrchr$rand
                                            • String ID:
                                            • API String ID: 1305919620-0
                                            • Opcode ID: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                                            • Instruction ID: 273cf51a0fb96643c6d7df5db39b78640a6b99e2c4da99aa4b06e8aceca2938f
                                            • Opcode Fuzzy Hash: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                                            • Instruction Fuzzy Hash: 62713AE2A04FC451FF279B29A4993EA6390EF95B84F084154DF8927797EE2DC247CB01
                                            Function 00000200391025F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: freemallocstrchr$rand
                                            • String ID:
                                            • API String ID: 1305919620-0
                                            • Opcode ID: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                                            • Instruction ID: dd8a589edb34845af63ec489422070d1d2ac5716d95b5741b9f1d6965643a5c3
                                            • Opcode Fuzzy Hash: f55c98597b31e9256bdda085e271814e8bdd530284bc77f6856305a025606a71
                                            • Instruction Fuzzy Hash: 32714961E04BC641FA379B2AA4493EAA3D0EF95BC4F085555DFC927797EE2EC1838700
                                            Function 00000200393B4170 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc$AllocHeap
                                            • String ID:
                                            • API String ID: 996410232-0
                                            • Opcode ID: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                                            • Instruction ID: 0f7c84e065978b0ae9b881bb3492f3823b8b2dcc543d491f7556487842efe2ef
                                            • Opcode Fuzzy Hash: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                                            • Instruction Fuzzy Hash: 88410166B00B858BFA57DB6699DC36E6790B749BC0F8041A0DF460B747DF34DA22C708
                                            Function 00000200390F3570 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                                            • Instruction ID: 0a311bef26f1b57046e0255f58d13b8120ca98b64593baa904cb01b7255d15bd
                                            • Opcode Fuzzy Hash: 3866d312ddc7406d2c13ac3d10959d9d3de063b9a6b1dce899036bf231b32379
                                            • Instruction Fuzzy Hash: DD41F322B00B829BFE2EDB36A5D835927A0B749FD0F8480A0DE5657B53DF38D562C700
                                            Function 00000200393BF274 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: htonl$freemalloc
                                            • String ID: zyxwvutsrqponmlk
                                            • API String ID: 1249573706-3884694604
                                            • Opcode ID: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                                            • Instruction ID: bec1e896c0c63289b13d07cfd29c7999f0cc8073530544ca6bede94b856ffb4c
                                            • Opcode Fuzzy Hash: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                                            • Instruction Fuzzy Hash: 27314DA6B00B8042FB06EBB2A4D936D66D19788BC0F445074EE4D977DBDE3CC6068700
                                            Function 00000200393C3FA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CurrentProcess$AddressErrorHandleLastModuleProc
                                            • String ID: NtMapViewOfSection$ntdll.dll
                                            • API String ID: 1006775078-3170647572
                                            • Opcode ID: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
                                            • Instruction ID: 02cf01090a21f3b1b08ca4d6efff2ef5a7c7e83e7616e7a1ddf9c9a981f4dabb
                                            • Opcode Fuzzy Hash: 4efd516be26a68cc1ab5fab53fe02ed59a35285f2b4b3cec42098ec83d9277dd
                                            • Instruction Fuzzy Hash: 4031E3B2B04B4486FB11DB21E48D76A63A0F788BB4F040729AE6907BD7DF3CC6458B00
                                            Function 000002003910B630 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strtok$_getptd_time64malloc
                                            • String ID: eThreadpoolTimer
                                            • API String ID: 1522986614-2707337283
                                            • Opcode ID: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                                            • Instruction ID: de4a03fcca1c7ff94fdda0de8b03abd4a076595bd26e3271c3626f655750ac53
                                            • Opcode Fuzzy Hash: b02d7519bf37bc4b38ca8186062a8fc85f913fef5048514e0fa6af22142f2d69
                                            • Instruction Fuzzy Hash: 4421B4B2E4079681FB11DF12A0CC7AD77A8F754B94F564296EF6A53782CA34C4818780
                                            Function 00000200393C1FB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
                                            • String ID: %s\%s
                                            • API String ID: 1896346573-4073750446
                                            • Opcode ID: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                                            • Instruction ID: c753c702f220cb12b339c206aff47d28847edc175ed7acf06b4703f69b1673c1
                                            • Opcode Fuzzy Hash: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                                            • Instruction Fuzzy Hash: 37F0B4A6A08F5086F3159B51B89439EA360E784FC0F584161FF8827B9BCE78C6118B44
                                            Function 00000200391013B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$remove$_callnewh_invalid_parameter_noinfo_snprintfmalloc
                                            • String ID: uld not open process: %d (%u)
                                            • API String ID: 2566950902-823969559
                                            • Opcode ID: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                                            • Instruction ID: e4de6dfc11b9550376b0c6d48636df53be6d3d07b5ec6a036ca5e2cc09d528d9
                                            • Opcode Fuzzy Hash: fcd4f31b16295b3d981e03ccf995d44eb940f919008a0e94d9d9162e5faefa64
                                            • Instruction Fuzzy Hash: A6F09061A0474289F252AB13B8853AAA360A784BD0F9C4161BF8937B97CE3DC4818744
                                            Function 00000200390FDA8C Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 165COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
                                            • String ID: /'); %s$rshell -nop -exec bypass -EncodedCommand "%s"
                                            • API String ID: 199363273-1250630670
                                            • Opcode ID: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                                            • Instruction ID: 0dd351515e58adf4f57e4df4f0c5e991cc17ed063a5b3e94afe3f1b5b378cf92
                                            • Opcode Fuzzy Hash: 6e2045361780fadf1587795c869fcd23f7db7a84374f415de51a140654aa30c6
                                            • Instruction Fuzzy Hash: 5E71C322B0078286FB66DF61E8C879E73A1F784B94F404192EE8A27B96DF78C545C740
                                            Function 00000200393C00F8 Relevance: 7.6, APIs: 5, Instructions: 133COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                                            • Instruction ID: 5e7cf0d2238697c108d80e3dbbf5d30a3309539f46eb2eb002b4afed5b6d0b78
                                            • Opcode Fuzzy Hash: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                                            • Instruction Fuzzy Hash: 3B51CEA2F04F8096FF12EB65C4993ED2360FB55B88F409155EE092769BEF38D649CB40
                                            Function 00000200393D062C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1640621425-0
                                            • Opcode ID: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                                            • Instruction ID: 3db12c0a976dee798f09bb83d571fdcfc157884b4b16f390763e6a5e6fe85a69
                                            • Opcode Fuzzy Hash: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                                            • Instruction Fuzzy Hash: 76413BA1B0074046FA6B9F2355EC3DEB691FB84FE0F5842649F664BBD3D738C6818600
                                            Function 000002003910FA2C Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
                                            • String ID:
                                            • API String ID: 1640621425-0
                                            • Opcode ID: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                                            • Instruction ID: 95449f68faafa0d5a41210684d680a347b64afb1bc61ca57e5fc26b1a47f1bb3
                                            • Opcode Fuzzy Hash: f714c1e563aa58d873e3883a1df435710c86d18d380f096712ab5731ea4c4750
                                            • Instruction Fuzzy Hash: EE415721B0034686FE6B8F2359DE36EBA91B748FE0F188260DF5667BD3D639C4C18640
                                            Function 00000200393B54F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc$AllocHeap
                                            • String ID:
                                            • API String ID: 996410232-0
                                            • Opcode ID: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                                            • Instruction ID: b1617f8bf9424e63dc843e583e33644ea1e5b25d2e794601500651a088e81a87
                                            • Opcode Fuzzy Hash: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                                            • Instruction Fuzzy Hash: 1F412662B047C946FB17DB26588876A6B94FB99BC8F4850A0DD458B747EE38CA07C700
                                            Function 00000200390F48F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                                            • Instruction ID: cb912773e567707c4658b93385c1c5758d9e6d6a986885295289fb73ce537aca
                                            • Opcode Fuzzy Hash: 326b315c93b4297f8d1cd44fbd3c536e1a3741d65750285d3f659b19031d268f
                                            • Instruction Fuzzy Hash: 1E411722B183864AFF2BDF2664CC3597795F794B88F494060DD568B753EE38C606C304
                                            Function 00000200393C2D70 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 94stringCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                                            • String ID: %s&%s$?%s
                                            • API String ID: 1095232423-1750478248
                                            • Opcode ID: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                                            • Instruction ID: 585cabdc708cb5b26a7c16d622e70064163d9fc703942da1f0675807bf223394
                                            • Opcode Fuzzy Hash: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                                            • Instruction Fuzzy Hash: 614195A2A14F8091FA129F2AD1893E8A3B0FF98B85F045551DF4877B66DF34D2B2C740
                                            Function 00000200393DAC98 Relevance: 7.6, APIs: 5, Instructions: 93COMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                                            • String ID:
                                            • API String ID: 2998201375-0
                                            • Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                                            • Instruction ID: a9798e1b848683086070a18d0f25d9c46207d6b14b5aecf86204e106e8c82c03
                                            • Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                                            • Instruction Fuzzy Hash: 0C41FBB260478086FB618F19D2E476D77A5F744FD1F144161EF8997B96DB34CA41C700
                                            Function 00000200390FF064 Relevance: 7.6, APIs: 5, Instructions: 58fileCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$free$_callnewhfclosefwritemalloc
                                            • String ID:
                                            • API String ID: 1696598829-0
                                            • Opcode ID: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                                            • Instruction ID: a5210c960f66ecf70c795daa8d4065bc5f188e429c13b726f65566cc66f979c7
                                            • Opcode Fuzzy Hash: 1bdd5497ac55f9ceee01cd46502ea43f72165348b95f2b256c95d8f9a827a5ec
                                            • Instruction Fuzzy Hash: 5611E991F0474141FE26F712E0993AE6391A784BD4F444261EFAE6BBCBDE3DC6418740
                                            Function 00000200393DA5EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno_errno
                                            • String ID:
                                            • API String ID: 2964073243-0
                                            • Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                                            • Instruction ID: 852b0a01550a05bfdc223dc24aab027b7fe2bb9089cb76c6e197d5bb8d1ada90
                                            • Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                                            • Instruction Fuzzy Hash: 3F01AFE2F0170486FF1B6B68C9F936C22519B50B72FA54380DD29073D3D72846528611
                                            Function 00000200391199EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _getptd_noexit$__doserrno_errno
                                            • String ID:
                                            • API String ID: 2964073243-0
                                            • Opcode ID: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                                            • Instruction ID: 7a3c418513fb7fbd912e501bf79c8b365ae48bbe928353e92b9514ea4c1db813
                                            • Opcode Fuzzy Hash: 02e55afb5f5e5304a095475b8354770d2627f5ba6f47f1d288df05a1981eaf7d
                                            • Instruction Fuzzy Hash: 6F01AF66E1574655FF4B2B34E8D93ACA7619B90B32F918381DF3A273E3C76848088610
                                            Function 00000200393BD83C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID: %s!%s
                                            • API String ID: 0-2935588013
                                            • Opcode ID: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                                            • Instruction ID: 5f4ebe99c74fc986b89464ab3c3929096f482e73ed6564fd871911e65ef0ba7b
                                            • Opcode Fuzzy Hash: 2575759d0ae14333fa4d595125301f6413fce9519f9dbc799c601f61bbf3305b
                                            • Instruction Fuzzy Hash: 565180E7A0474086FB269F55D0887AD73A1F389B94F448062EF9E5778ADB38CA42C704
                                            Function 0000020039105228 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116stringCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _snprintfmallocstrrchr
                                            • String ID: Failed to impersonate token: %d$t permissions in process: %d
                                            • API String ID: 3587327836-1492073275
                                            • Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                                            • Instruction ID: 6752d7bff6428fe89bc68034b083a8add209a60f8740c7338789503a13be4c41
                                            • Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
                                            • Instruction Fuzzy Hash: F641A461F047424AFB1AFB23A99836B6791B78AFD4F444560AE5A5B79BDF3CC0428700
                                            Function 00000200393C2818 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93sleeppipeCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$CreateInfoPipeSleepStartup
                                            • String ID: h
                                            • API String ID: 1809008225-2439710439
                                            • Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                                            • Instruction ID: 04d1f4afcf8d553cf1d82a3036f4cc86dd488ad5f5227963ae3f984cd055ad67
                                            • Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                                            • Instruction Fuzzy Hash: 87418A73A04B848AE311CF65E88478E77B5F388798F104115EE8C63BA9DF78D645CB40
                                            Function 00000200393CE1D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AccountInformationLookupToken_snprintf
                                            • String ID: %s\%s
                                            • API String ID: 2107350476-4073750446
                                            • Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                                            • Instruction ID: aaf4c0f9ca1ff3991a9157308b5519066c5badab4ed1b08de176ad74ce206b2e
                                            • Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                                            • Instruction Fuzzy Hash: 11314F72604FC195EB25DF61E8447DA63A4F788B88F448125EE8D67B59DF38C709CB40
                                            Function 00000200393D7E20 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CaptureContextFeaturePresentPreviousProcessor__crt__raise_securityfailure
                                            • String ID: P?9
                                            • API String ID: 2585579334-2558814433
                                            • Opcode ID: fa3aebd98754aec5c2a36f7327a256f2afd717e403199b14b25e934204aebfe6
                                            • Instruction ID: 960c7319d8db84daae00f742e0496311a23c96bf1befcaaf9eacc56827c915ba
                                            • Opcode Fuzzy Hash: fa3aebd98754aec5c2a36f7327a256f2afd717e403199b14b25e934204aebfe6
                                            • Instruction Fuzzy Hash: 0621E7F5E02B0081FA629B18F8A935577A5F794348F9001AAED8E867B3EF7CC6558700
                                            Function 00000200393C4224 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: RtlCreateUserThread$ntdll.dll
                                            • API String ID: 1646373207-2935400652
                                            • Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                                            • Instruction ID: 1a26c95c5ab3e4922ae4f8a1ec48261b15799f7d553cd4470c0c66bf232c23e6
                                            • Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                                            • Instruction Fuzzy Hash: B1112D72A14F9482EB21CF51F88864AB7A8F798B80F998175EE9D43B18DF38C555CB00
                                            Function 00000200393C3C0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: NtQueueApcThread$ntdll
                                            • API String ID: 1646373207-1374908105
                                            • Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                                            • Instruction ID: 0d22f87004e93dcbde7a5357e1355f7dab74e9fc56c86f00fd76c3390560793b
                                            • Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                                            • Instruction Fuzzy Hash: B501A2A6B04F4182FB019B16F8C835EA3A0FB85BD0F948561EE5943B5ADF38C6518B00
                                            Function 00000200393C0C64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: IsWow64Process$kernel32
                                            • API String ID: 1646373207-3789238822
                                            • Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                                            • Instruction ID: 9fd341aae47b554d30a9bfb604cffe8358f0412ba6f10ef64a8b171770617c01
                                            • Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                                            • Instruction Fuzzy Hash: 96E0DFE2F25B4182FF06CB15E8C87656360EB88791F481090DD4B0A367EF2CC789CB00
                                            Function 00000200393C20AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Wow64DisableWow64FsRedirection$kernel32
                                            • API String ID: 1646373207-736604160
                                            • Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                                            • Instruction ID: f72f0d4956449a05f78898393a838d80722dc5a735cbcc6476dc72a4dca8e9d7
                                            • Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                                            • Instruction Fuzzy Hash: 05D05E91F5570981FE079B91BCCC7646350AB49B40F8810A58C1E06362EE2CC38AC714
                                            Function 00000200393C20E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AddressHandleModuleProc
                                            • String ID: Wow64RevertWow64FsRedirection$kernel32
                                            • API String ID: 1646373207-3900151262
                                            • Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                                            • Instruction ID: c0e92cf3804050e1502f183a9fa210fb013a4e08b55cc62e50ae4c23d49229cb
                                            • Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                                            • Instruction Fuzzy Hash: E3D05E91F5570981FE0B9B92B8CC7641350AB49B40F4810A08C1A06362EE6CC789C710
                                            Function 00000200393CBFC0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                            • Instruction ID: c7d57b1ab70bfaa5929684e44dadf368b03dd665693c613916e346032e81ed7d
                                            • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                            • Instruction Fuzzy Hash: DC619DF2E41B4086F75A8B15E8DD77933E0E358B55F2445A9DD165B3A3CB38CA42CB40
                                            Function 000002003910B3C0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                            • Instruction ID: 445452661b380aafd4e356e2ef2521a5a409e3ee28cc60bfc96a54c8578ed904
                                            • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                                            • Instruction Fuzzy Hash: BC617136E4174786FB168F29E5CD36933B0E758B59F1441E9DE15673A3CB39C4818B40
                                            Function 0000020039102170 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                                            • String ID: not create token: %d
                                            • API String ID: 1095232423-2272930512
                                            • Opcode ID: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                                            • Instruction ID: 2d168c1d710d0a70454268696f6710747b5d546a63fae7dec979e5697db59948
                                            • Opcode Fuzzy Hash: 9f33a31cc3dbe4d390e57a8e0463a50ad11e38a52d1dbdd6b3122e58f7288ae2
                                            • Instruction Fuzzy Hash: 4741A066A00F8191FA229B6AD1893ECA3B0FF98B94F049951DF4D27B52DF35D1F28340
                                            Function 00000200393C4A04 Relevance: 6.1, APIs: 4, Instructions: 80synchronizationCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
                                            • String ID:
                                            • API String ID: 2495333179-0
                                            • Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                                            • Instruction ID: 1fcb4a37baa1f752bf1c246ec87175bf0ee5efed09fc9e049950b91a4886e947
                                            • Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                                            • Instruction Fuzzy Hash: 6C3127BAE00F4081FB66DF22E5CC36973A4FB48B88F094544DE062769BDB34CA81CB45
                                            Function 00000200393CC230 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Timestrtok$FileSystem_getptd_time64malloc
                                            • String ID:
                                            • API String ID: 460628555-0
                                            • Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                                            • Instruction ID: d25e073f152f88bfaf52751d1d3de0ef1e0426c0a28543738b86db8ecfaa37fd
                                            • Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                                            • Instruction Fuzzy Hash: D521B1F6A00B9482FB45CF91A0D87A977A8F788F94F164295EF5A53787CB34C6418B40
                                            Function 00000200393DF5D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                                            • String ID:
                                            • API String ID: 4151157258-0
                                            • Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                                            • Instruction ID: 86111e5994e1d1bdf52816b510c6e942b2221a4bd4645c14e5f1b992048de417
                                            • Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                                            • Instruction Fuzzy Hash: 7221E7D2E283A041FB66571190F833E66D0E740FD4F1C41A1EE960BEE7CA68C7418710
                                            Function 00000200393B10D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: clock
                                            • String ID:
                                            • API String ID: 3195780754-0
                                            • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                            • Instruction ID: 60a3c5327fe6e7e488acd4a56a4e3e05967c690a86ef90f520f26b5e434aeaeb
                                            • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                            • Instruction Fuzzy Hash: 331125A2E0474445F7B2EFE668C477BFB90F784390F1901B1EE4653687E974CA818640
                                            Function 00000200390F04D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: clock
                                            • String ID:
                                            • API String ID: 3195780754-0
                                            • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                            • Instruction ID: 488bfbc4d8a544fb327917692b47c65fa97fb721796ec940600869ffcd6f501b
                                            • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                                            • Instruction Fuzzy Hash: 80110632A0474599F77A9FA665C432FF6A0BB84B90F190065EF4693253E9B4C9818700
                                            Function 000002003911E9D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                                            • String ID:
                                            • API String ID: 4151157258-0
                                            • Opcode ID: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                                            • Instruction ID: b74a928c3f60ff379f86ae31a7e7126fcf3252f6a6d32df97c8b0825b446d705
                                            • Opcode Fuzzy Hash: 89153f5c64fab27db57a2af5758249aa045b2e8adbb4ff24b9161b74b74b034e
                                            • Instruction Fuzzy Hash: C2212462E083A661FB739751A0D833EABD0F384BD5F1841A1EF972BAC7C92CC5418B40
                                            Function 00000200393CEF5C Relevance: 6.0, APIs: 4, Instructions: 39networkCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$closesocketsend$accept
                                            • String ID:
                                            • API String ID: 47150829-0
                                            • Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                                            • Instruction ID: f910400350ef1e7cc1e9f0d08c866b0f799b970e6487b5edb69939ae51237837
                                            • Opcode Fuzzy Hash: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                                            • Instruction Fuzzy Hash: A10175A6F04B4441FB659B36E6DD7296361E749FF4F049251DE26077C6CE28C6818B40
                                            Function 00000200393C53EC Relevance: 6.0, APIs: 4, Instructions: 34sleeppipeCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$NamedPeekPipeSleep
                                            • String ID:
                                            • API String ID: 1593283408-0
                                            • Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                                            • Instruction ID: fe8ba4afe81241c83d6bc5ee1c69975e1c4efe7ff1e63f777e941b88b59a5b37
                                            • Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                                            • Instruction Fuzzy Hash: 6701A972E1CF50D2F7218B25F88831BA3A1FB88781F644160DF4942A65DF38C6818B05
                                            Function 00000200393C76F0 Relevance: 6.0, APIs: 4, Instructions: 32memorythreadCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: AttributeHeapInitializeListProcThread$AllocProcess
                                            • String ID:
                                            • API String ID: 1212816094-0
                                            • Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                                            • Instruction ID: d7ee4a42def1311dab3086c78fd3a0c9c3e1d9003636885e132e37df964b59e6
                                            • Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                                            • Instruction Fuzzy Hash: 65F0FCA7F14B4442FB568B35A48976A53D0D788790F555425BE4B42755CE3CC6448E00
                                            Function 00000200393C48D8 Relevance: 6.0, APIs: 4, Instructions: 32sleeppipeCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: CountTick$NamedPeekPipeSleep
                                            • String ID:
                                            • API String ID: 1593283408-0
                                            • Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                                            • Instruction ID: 7a4fcc9b9afff0f1e60897750f43a881d4e6494ad1cbf86f0fefba1932d0fafc
                                            • Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                                            • Instruction Fuzzy Hash: 6E018173E18F5182F7218B15F88C31AB7A1E789B94F644164DF8652A66DF3DCA818B04
                                            Function 00000200393CF098 Relevance: 6.0, APIs: 4, Instructions: 15COMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$ErrorFreeHeapLast_errnoclosesocket
                                            • String ID:
                                            • API String ID: 1525665891-0
                                            • Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                                            • Instruction ID: 00db48a62ebf4de940de6ddc3be96b5e1bb9cabad504ef5663b532f0c51ff4db
                                            • Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                                            • Instruction Fuzzy Hash: A7E012AAA10E4481FF15EB72D8E936C1720E788F44F540061DE0E572ABCE54C551C704
                                            Function 00000200393CF860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID: B
                                            • API String ID: 1812809483-1255198513
                                            • Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                                            • Instruction ID: b278afcfaaf4261ebf558587905167d1c4c9eae5498cfc5376abc34e4d2bb1be
                                            • Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                                            • Instruction Fuzzy Hash: E211A5B2A14B4086FB119F12D48439DB661F798FE4F644361AF5817BDACF38C645CB00
                                            Function 000002003910EC60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                                            • String ID: B
                                            • API String ID: 1812809483-1255198513
                                            • Opcode ID: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                                            • Instruction ID: 2ef58be0c4cdbf14dbf3b4962c791393c3f69dd89ba17bdbcdd5f731c8d166bd
                                            • Opcode Fuzzy Hash: 60c63a2ab9f2c694e46ab874add7d0a6eb48e0963f6941f66a4f1d1620c6c169
                                            • Instruction Fuzzy Hash: 2211A172A10B4486FB219B12D58839EB760F798FE4F548360EF6827B96CF38C180CB00
                                            Function 00007FF7B3AD2B80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-3474627141
                                            • Opcode ID: 8efc95ffd7d094d1c55f2c83651e4cf95bf71ace6618daba1ef9382a31ce3abe
                                            • Instruction ID: 8d1f65a444008623a51c59ff81af7b8d650190929c320b3d1ae7c29c2a500dff
                                            • Opcode Fuzzy Hash: 8efc95ffd7d094d1c55f2c83651e4cf95bf71ace6618daba1ef9382a31ce3abe
                                            • Instruction Fuzzy Hash: FD017C62D08F8482E741AF1C98005BBB330FF6E749F659325EB8C26569DF29E6C6C710
                                            Function 00007FF7B3AD2C50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-2187435201
                                            • Opcode ID: 83fe417ba23f7c760ff7640a9f7ce77f3b2d6c9b6213163451e97cf2ba7ae610
                                            • Instruction ID: 68549ff2e1919baa2899075c03d46de791babc06a68c4f79766f47cac9cd7ac5
                                            • Opcode Fuzzy Hash: 83fe417ba23f7c760ff7640a9f7ce77f3b2d6c9b6213163451e97cf2ba7ae610
                                            • Instruction Fuzzy Hash: 64F0FF56D18E8482D342AF1CA8005ABB330FB5E799F645325EB8D3A559DF28E5868710
                                            Function 00007FF7B3AD2C40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-4064033741
                                            • Opcode ID: 74e09aa575fd0eb09efd5c65a1ab8721fd1e1bbf019f3c7c3870be295d840a01
                                            • Instruction ID: 026f7029fcdc9fd6e72fef31bb980ab3bcceb196e4c5b5d50e010c8b16061a38
                                            • Opcode Fuzzy Hash: 74e09aa575fd0eb09efd5c65a1ab8721fd1e1bbf019f3c7c3870be295d840a01
                                            • Instruction Fuzzy Hash: 21F04F52908E8482D342AF1CA8005ABB330FB5E788F645326EB8D36559DF28E586C710
                                            Function 00007FF7B3AD2C30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-4283191376
                                            • Opcode ID: 3faf0962be28f07c1c00cef48ed72810d495cf090cb8ca7c876e21a0f2c70bc3
                                            • Instruction ID: 68095a97b87d6a8e390271b129c6c0f0532c616028f059ca2e9259d69ce901bd
                                            • Opcode Fuzzy Hash: 3faf0962be28f07c1c00cef48ed72810d495cf090cb8ca7c876e21a0f2c70bc3
                                            • Instruction Fuzzy Hash: A0F0FF56908E8482D342AF1CA8005ABB330FB5E799F649325EF8D36559DF28E5868710
                                            Function 00007FF7B3AD2C20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-2713391170
                                            • Opcode ID: cb07598e139970ad81351c1d338f46eaf70ef9053e127c7390882103bd99d184
                                            • Instruction ID: e56ca9921d88e93649e953b6e5d278739157b4ea95d19dfc978d43803f06b03c
                                            • Opcode Fuzzy Hash: cb07598e139970ad81351c1d338f46eaf70ef9053e127c7390882103bd99d184
                                            • Instruction Fuzzy Hash: D3F0FF56908E8482D342AF1CA8005ABB330FB6E799F645325EB8D36559DF28E5868710
                                            Function 00007FF7B3AD2C60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-4273532761
                                            • Opcode ID: e6fc0f3e3cd5116f5424484a03ff70adc84f4fd6dee3a721e6e4a6d8abded98b
                                            • Instruction ID: 579e58a24e09a4e21852651c5154a2d8c1f55e2f3c8e356fa924b218af9237c3
                                            • Opcode Fuzzy Hash: e6fc0f3e3cd5116f5424484a03ff70adc84f4fd6dee3a721e6e4a6d8abded98b
                                            • Instruction Fuzzy Hash: 7CF0FF56908E8482D342AF1CA8005ABB330FB6E799F645325EF8D36559DF28E5C68710
                                            Function 00007FF7B3AD2BB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON
                                            Download Yara Rule
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2697101787.00007FF7B3AD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B3AD0000, based on PE: true
                                            • Associated: 00000000.00000002.2697087616.00007FF7B3AD0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697117288.00007FF7B3AD4000.00000008.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697145167.00007FF7B3B2D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B30000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697156961.00007FF7B3B33000.00000004.00000001.01000000.00000003.sdmpDownload File
                                            • Associated: 00000000.00000002.2697179648.00007FF7B3B36000.00000002.00000001.01000000.00000003.sdmpDownload File
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_7ff7b3ad0000_gJtW7azO4o.jbxd
                                            Similarity
                                            • API ID: fprintf
                                            • String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
                                            • API String ID: 383729395-2468659920
                                            • Opcode ID: 17e46e00d7f73161f78a66af6e90ec561b2c72189f82bad60ae8b1828b6dcdb6
                                            • Instruction ID: da29f803108e9a5b36fd7bbafcf2e9a46bf8e9f3d3a3585c3d34bcd4a62cdf84
                                            • Opcode Fuzzy Hash: 17e46e00d7f73161f78a66af6e90ec561b2c72189f82bad60ae8b1828b6dcdb6
                                            • Instruction Fuzzy Hash: 03F01256908E8482D342AF2CA8005ABB330FB5E799F645326EFCD3A559DF28E5C68710
                                            Function 00000200393B1CC4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_calloc_implcalloc
                                            • String ID:
                                            • API String ID: 4000150058-0
                                            • Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                                            • Instruction ID: 7e9924536172b831c451f05c6bd14b40aba645ad2c5811bce0566921af25d93c
                                            • Opcode Fuzzy Hash: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                                            • Instruction Fuzzy Hash: C6C12A76604B848AE765CF65E48479EB7A4F388B84F10412AEF8E83B59EF38C555CB00
                                            Function 00000200390F10C4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_calloc_implcalloc
                                            • String ID:
                                            • API String ID: 4000150058-0
                                            • Opcode ID: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                                            • Instruction ID: b4b39d73b9f4fc8e83aba5da265540a6c2b0edefdfdff0f3f92fbf9690437ea6
                                            • Opcode Fuzzy Hash: 1990de878bdb2b18b214190b8058df6cf8cdb58ae8a7ad838a221dc59059176c
                                            • Instruction Fuzzy Hash: E1C10B32608B858AE7A5CF65E48439E77B4F788B88F50412AEF8E53B59DF38C555CB00
                                            Function 00000200393CAD44 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$AllocHeap_callnewhmalloc
                                            • String ID:
                                            • API String ID: 3531731211-0
                                            • Opcode ID: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                                            • Instruction ID: e8e10c80fb1da7c7c4b20045abaf129614fe9e3827da1e79958c9b71f0fd744b
                                            • Opcode Fuzzy Hash: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                                            • Instruction Fuzzy Hash: DC51D6F5B00B4541FA1AAB22D8DC3AE7351F780B90F5404A5EE0AA7B97EF79C7058B00
                                            Function 000002003910A144 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: free$_errno$_callnewhmalloc
                                            • String ID:
                                            • API String ID: 2761444284-0
                                            • Opcode ID: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                                            • Instruction ID: 096f2fac11b639ed2c9f40df34829ad15d012a6f3b6d89bae6e9a698cba7756a
                                            • Opcode Fuzzy Hash: 4bbd7cf35d3a9611d3bfe0cac302482741ce3a5729489c26a54f39a05b56b302
                                            • Instruction Fuzzy Hash: 2C510431B0034785FA2AEB22A5DD3AD73A1B780780F4445A5DE0A3BB87DF3AC585C700
                                            Function 00000200393B4300 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc
                                            • String ID:
                                            • API String ID: 2803490479-0
                                            • Opcode ID: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                                            • Instruction ID: 528845e46fc7a8db258bb145558ee0862f0dfd858993b464222d0383fe93eeca
                                            • Opcode Fuzzy Hash: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                                            • Instruction Fuzzy Hash: 7541F4B2B0078087FB5ADB26E48C76E73A0F784B88F4444A4DE6A47786EF34DA15C704
                                            Function 00000200390F3700 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696562682.00000200390F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000200390F0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200390f0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: malloc
                                            • String ID:
                                            • API String ID: 2803490479-0
                                            • Opcode ID: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                                            • Instruction ID: 1a6cb1e5d3df1616edb3fae6967d5385704f97edfb57d0f094e87604be6ea534
                                            • Opcode Fuzzy Hash: 80bcae34b50f6f3c58066c2fc9d1801100724e039a84313f03cb0366590bdd42
                                            • Instruction Fuzzy Hash: EF41A162A007818BFB6EDB36A48876D73A1F344BE4F444464DE6B47786EF38D946C700
                                            Function 00000200393C1038 Relevance: 5.1, APIs: 4, Instructions: 109COMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2696951288.00000200393B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000200393B0000, based on PE: true
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_200393b0000_gJtW7azO4o.jbxd
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorLast$CurrentProcessfreemalloc
                                            • String ID:
                                            • API String ID: 1397824077-0
                                            • Opcode ID: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                                            • Instruction ID: ec822a324a9b9e8d92128f21378c3ad433d2016fa22cd5b4426856ed5bad4490
                                            • Opcode Fuzzy Hash: cf62d47a1d5fdb9c876962cfa4c676d021a3fa8d1c8180fd698ba2a0010a64ef
                                            • Instruction Fuzzy Hash: 7641D4F2B18F9082F765DB62E4847AF6391E784788F005465AF8957B8BEF3CC2418B00