Edit tour

Windows Analysis Report
VBqmdl6ttr.exe

Overview

General Information

Sample name:	VBqmdl6ttr.exe renamed because original name is a hash value
Original sample name:	9fd4c19371695542b32c3affee29c23939e18d6ec52a3d7329fc31bba5c870d6.exe
Analysis ID:	1542744
MD5:	4139a824287596151a7fbc2e357a33ad
SHA1:	8f0a5e23c48a42320594090f1a24dd5cd32e194d
SHA256:	9fd4c19371695542b32c3affee29c23939e18d6ec52a3d7329fc31bba5c870d6
Tags:	20-25-126-96exeuser-JAMESWT_MHT
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

Yara detected Powershell download and execute

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to detect sleep reduction / modifications

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

VBqmdl6ttr.exe (PID: 5536 cmdline: "C:\Users\user\Desktop\VBqmdl6ttr.exe" MD5: 4139A824287596151A7FBC2E357A33AD)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/cm", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329c3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a3b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x331a0:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334d2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33464:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334d2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a9e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c2f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ae4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b22:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x3351c:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d8a:$a11: Could not open service control manager on %s: %d 0x332bc:$a12: %d is an x64 process (can't inject x86 content) 0x332ec:$a13: %d is an x86 process (can't inject x64 content) 0x3360d:$a14: Failed to impersonate logged on user %d (%u) 0x33275:$a15: could not create remote thread in %d: %d 0x32b58:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33223:$a17: could not write to process memory: %d 0x32dbb:$a18: Could not create service %s on %s: %d 0x32e44:$a19: Could not delete service %s on %s: %d 0x32ca9:$a20: Could not open process token: %d (%u)
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1de48:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334d2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3351c:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332ec:$x3: %d is an x86 process (can't inject x64 content) 0x32ca9:$s1: Could not open process token: %d (%u) 0x329c3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d67:$s4: Could not connect to pipe (%s): %d
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41c83:$loader_export: ReflectiveLoader 0x32980:$exportname: beacon.dll
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x332bc:$x2: %d is an x64 process (can't inject x86 content) 0x3360d:$x3: Failed to impersonate logged on user %d (%u) 0x3351c:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334d2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c2f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33223:$s4: could not write to process memory: %d 0x329c3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d67:$s6: Could not connect to pipe (%s): %d
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33998:$str1: %s (admin) 0x32980:$str2: beacon.dll
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x3351c:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332ec:$x2: %d is an x86 process (can't inject x64 content) 0x334d2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x335b6:$x4: Failed to impersonate token from %d (%u) 0x3360d:$x5: Failed to impersonate logged on user %d (%u) 0x329c3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x334aa:$s1: %%IMPORT%% 0x329a7:$s2: www6.%x%x.%s 0x3299b:$s3: cdn.%x%x.%s 0x32c23:$s4: api.%x%x.%s 0x33998:$s5: %s (admin) 0x32c92:$s6: could not spawn %s: %d 0x3354e:$s7: Could not kill %d: %d 0x32d67:$s8: Could not connect to pipe (%s): %d 0x329b4:$s9: %s.1%x.%x%x.%s 0x329c3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a3b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a9e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ae4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b22:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b58:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b81:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ba6:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32bc7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32be4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bfd:$s9: %s.1%08x%08x.%x%x.%s 0x32c12:$s9: %s.1%08x.%x%x.%s
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x317c3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3183b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31fa0:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x322d2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32264:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x322d2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3189e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31a2f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x318e4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31922:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x3231c:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x31b8a:$a11: Could not open service control manager on %s: %d 0x320bc:$a12: %d is an x64 process (can't inject x86 content) 0x320ec:$a13: %d is an x86 process (can't inject x64 content) 0x3240d:$a14: Failed to impersonate logged on user %d (%u) 0x32075:$a15: could not create remote thread in %d: %d 0x31958:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32023:$a17: could not write to process memory: %d 0x31bbb:$a18: Could not create service %s on %s: %d 0x31c44:$a19: Could not delete service %s on %s: %d 0x31aa9:$a20: Could not open process token: %d (%u)
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d248:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x322d2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3231c:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x320ec:$x3: %d is an x86 process (can't inject x64 content) 0x31aa9:$s1: Could not open process token: %d (%u) 0x317c3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31b67:$s4: Could not connect to pipe (%s): %d
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x40a83:$loader_export: ReflectiveLoader 0x31780:$exportname: beacon.dll
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x320bc:$x2: %d is an x64 process (can't inject x86 content) 0x3240d:$x3: Failed to impersonate logged on user %d (%u) 0x3231c:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x322d2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a2f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x32023:$s4: could not write to process memory: %d 0x317c3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31b67:$s6: Could not connect to pipe (%s): %d
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x32798:$str1: %s (admin) 0x31780:$str2: beacon.dll
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x3231c:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x320ec:$x2: %d is an x86 process (can't inject x64 content) 0x322d2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x323b6:$x4: Failed to impersonate token from %d (%u) 0x3240d:$x5: Failed to impersonate logged on user %d (%u) 0x317c3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x322aa:$s1: %%IMPORT%% 0x317a7:$s2: www6.%x%x.%s 0x3179b:$s3: cdn.%x%x.%s 0x31a23:$s4: api.%x%x.%s 0x32798:$s5: %s (admin) 0x31a92:$s6: could not spawn %s: %d 0x3234e:$s7: Could not kill %d: %d 0x31b67:$s8: Could not connect to pipe (%s): %d 0x317b4:$s9: %s.1%x.%x%x.%s 0x317c3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3183b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3189e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x318e4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31922:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31958:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31981:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x319a6:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x319c7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x319e4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x319fd:$s9: %s.1%08x%08x.%x%x.%s 0x31a12:$s9: %s.1%08x.%x%x.%s
Process Memory Space: VBqmdl6ttr.exe PID: 5536	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
Process Memory Space: VBqmdl6ttr.exe PID: 5536	JoeSecurity_CobaltStrike_1	Yara detected CobaltStrike	Joe Security
Process Memory Space: VBqmdl6ttr.exe PID: 5536	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: VBqmdl6ttr.exe PID: 5536	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
Process Memory Space: VBqmdl6ttr.exe PID: 5536	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: VBqmdl6ttr.exe PID: 5536	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x4313:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xe9d1:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x438b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xea49:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x4af0:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0xf1ae:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x4e18:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xf4d6:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x4daa:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x4e18:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0xf468:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0xf4d6:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x43ee:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xeaac:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x457f:$a7: could not run command (w/ token) because of its length of %d bytes! 0xec3d:$a7: could not run command (w/ token) because of its length of %d bytes! 0x4434:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0xeaf2:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x4472:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0xeb30:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x4e62:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
Process Memory Space: VBqmdl6ttr.exe PID: 5536	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x9432:$loader_export: ReflectiveLoader 0x9453:$loader_export: ReflectiveLoader 0x13ac6:$loader_export: ReflectiveLoader 0x13ae7:$loader_export: ReflectiveLoader 0x4151:$exportname: beacon.dll 0x42da:$exportname: beacon.dll 0xe80f:$exportname: beacon.dll 0xe998:$exportname: beacon.dll
Process Memory Space: VBqmdl6ttr.exe PID: 5536	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x4e62:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0xf520:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x4c3c:$x2: %d is an x86 process (can't inject x64 content) 0xf2fa:$x2: %d is an x86 process (can't inject x64 content) 0x4e18:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0xf4d6:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x4efc:$x4: Failed to impersonate token from %d (%u) 0xf5ba:$x4: Failed to impersonate token from %d (%u) 0x4f53:$x5: Failed to impersonate logged on user %d (%u) 0xf611:$x5: Failed to impersonate logged on user %d (%u) 0x4313:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0xe9d1:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329c3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a3b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x331a0:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334d2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33464:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334d2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a9e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c2f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ae4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b22:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x3351c:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d8a:$a11: Could not open service control manager on %s: %d 0x332bc:$a12: %d is an x64 process (can't inject x86 content) 0x332ec:$a13: %d is an x86 process (can't inject x64 content) 0x3360d:$a14: Failed to impersonate logged on user %d (%u) 0x33275:$a15: could not create remote thread in %d: %d 0x32b58:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33223:$a17: could not write to process memory: %d 0x32dbb:$a18: Could not create service %s on %s: %d 0x32e44:$a19: Could not delete service %s on %s: %d 0x32ca9:$a20: Could not open process token: %d (%u)
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1de48:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334d2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3351c:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332ec:$x3: %d is an x86 process (can't inject x64 content) 0x32ca9:$s1: Could not open process token: %d (%u) 0x329c3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d67:$s4: Could not connect to pipe (%s): %d
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41c83:$loader_export: ReflectiveLoader 0x32980:$exportname: beacon.dll
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x332bc:$x2: %d is an x64 process (can't inject x86 content) 0x3360d:$x3: Failed to impersonate logged on user %d (%u) 0x3351c:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334d2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c2f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33223:$s4: could not write to process memory: %d 0x329c3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d67:$s6: Could not connect to pipe (%s): %d
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33998:$str1: %s (admin) 0x32980:$str2: beacon.dll
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x3351c:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332ec:$x2: %d is an x86 process (can't inject x64 content) 0x334d2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x335b6:$x4: Failed to impersonate token from %d (%u) 0x3360d:$x5: Failed to impersonate logged on user %d (%u) 0x329c3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x334aa:$s1: %%IMPORT%% 0x329a7:$s2: www6.%x%x.%s 0x3299b:$s3: cdn.%x%x.%s 0x32c23:$s4: api.%x%x.%s 0x33998:$s5: %s (admin) 0x32c92:$s6: could not spawn %s: %d 0x3354e:$s7: Could not kill %d: %d 0x32d67:$s8: Could not connect to pipe (%s): %d 0x329b4:$s9: %s.1%x.%x%x.%s 0x329c3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a3b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a9e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ae4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b22:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b58:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b81:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ba6:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32bc7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32be4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bfd:$s9: %s.1%08x%08x.%x%x.%s 0x32c12:$s9: %s.1%08x.%x%x.%s
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30bc3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30c3b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310d2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31064:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x310d2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x30c9e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30ce4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30d22:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x3111c:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x30ebc:$a12: %d is an x64 process (can't inject x86 content) 0x30eec:$a13: %d is an x86 process (can't inject x64 content) 0x3120d:$a14: Failed to impersonate logged on user %d (%u) 0x30e75:$a15: could not create remote thread in %d: %d 0x30d58:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30e23:$a17: could not write to process memory: %d 0x30d81:$a21: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30e9e:$a27: could not open process %d: %d 0x30fb5:$a30: kerberos ticket use failed: 0x3117e:$a33: I'm already in SMB mode 0x30978:$a39: %s as %s\%s: %d 0x30bb4:$a40: %s.1%x.%x%x.%s
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c648:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x310d2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3111c:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x30eec:$x3: %d is an x86 process (can't inject x64 content) 0x30bc3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x3f883:$loader_export: ReflectiveLoader 0x30b80:$exportname: beacon.dll
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x30ebc:$x2: %d is an x64 process (can't inject x86 content) 0x3120d:$x3: Failed to impersonate logged on user %d (%u) 0x3111c:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x310d2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x30e23:$s4: could not write to process memory: %d 0x30bc3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31598:$str1: %s (admin) 0x30b80:$str2: beacon.dll
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x3111c:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x30eec:$x2: %d is an x86 process (can't inject x64 content) 0x310d2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x311b6:$x4: Failed to impersonate token from %d (%u) 0x3120d:$x5: Failed to impersonate logged on user %d (%u) 0x30bc3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x310aa:$s1: %%IMPORT%% 0x30ba7:$s2: www6.%x%x.%s 0x30b9b:$s3: cdn.%x%x.%s 0x31598:$s5: %s (admin) 0x3114e:$s7: Could not kill %d: %d 0x30bb4:$s9: %s.1%x.%x%x.%s 0x30bc3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30c3b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30c9e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30ce4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30d22:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x30d58:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x30d81:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31064:$pwsh1: IEX (New-Object Net.Webclient).DownloadString('http 0x310d2:$pwsh1: IEX (New-Object Net.Webclient).DownloadString('http 0x3111c:$pwsh2: powershell -nop -exec bypass -EncodedCommand "%s"
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x317c3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3183b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31fa0:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x322d2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32264:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x322d2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3189e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31a2f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x318e4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31922:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x3231c:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x31b8a:$a11: Could not open service control manager on %s: %d 0x320bc:$a12: %d is an x64 process (can't inject x86 content) 0x320ec:$a13: %d is an x86 process (can't inject x64 content) 0x3240d:$a14: Failed to impersonate logged on user %d (%u) 0x32075:$a15: could not create remote thread in %d: %d 0x31958:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32023:$a17: could not write to process memory: %d 0x31bbb:$a18: Could not create service %s on %s: %d 0x31c44:$a19: Could not delete service %s on %s: %d 0x31aa9:$a20: Could not open process token: %d (%u)
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d248:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x322d2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3231c:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x320ec:$x3: %d is an x86 process (can't inject x64 content) 0x31aa9:$s1: Could not open process token: %d (%u) 0x317c3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31b67:$s4: Could not connect to pipe (%s): %d
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x40a83:$loader_export: ReflectiveLoader 0x31780:$exportname: beacon.dll
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x320bc:$x2: %d is an x64 process (can't inject x86 content) 0x3240d:$x3: Failed to impersonate logged on user %d (%u) 0x3231c:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x322d2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a2f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x32023:$s4: could not write to process memory: %d 0x317c3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31b67:$s6: Could not connect to pipe (%s): %d
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x32798:$str1: %s (admin) 0x31780:$str2: beacon.dll
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x3231c:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x320ec:$x2: %d is an x86 process (can't inject x64 content) 0x322d2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x323b6:$x4: Failed to impersonate token from %d (%u) 0x3240d:$x5: Failed to impersonate logged on user %d (%u) 0x317c3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x322aa:$s1: %%IMPORT%% 0x317a7:$s2: www6.%x%x.%s 0x3179b:$s3: cdn.%x%x.%s 0x31a23:$s4: api.%x%x.%s 0x32798:$s5: %s (admin) 0x31a92:$s6: could not spawn %s: %d 0x3234e:$s7: Could not kill %d: %d 0x31b67:$s8: Could not connect to pipe (%s): %d 0x317b4:$s9: %s.1%x.%x%x.%s 0x317c3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3183b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3189e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x318e4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31922:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31958:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31981:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x319a6:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x319c7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x319e4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x319fd:$s9: %s.1%08x%08x.%x%x.%s 0x31a12:$s9: %s.1%08x.%x%x.%s
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x317c3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3183b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31fa0:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x322d2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32264:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x322d2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3189e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31a2f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x318e4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31922:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x3231c:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x31b8a:$a11: Could not open service control manager on %s: %d 0x320bc:$a12: %d is an x64 process (can't inject x86 content) 0x320ec:$a13: %d is an x86 process (can't inject x64 content) 0x3240d:$a14: Failed to impersonate logged on user %d (%u) 0x32075:$a15: could not create remote thread in %d: %d 0x31958:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32023:$a17: could not write to process memory: %d 0x31bbb:$a18: Could not create service %s on %s: %d 0x31c44:$a19: Could not delete service %s on %s: %d 0x31aa9:$a20: Could not open process token: %d (%u)
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d248:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x322d2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3231c:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x320ec:$x3: %d is an x86 process (can't inject x64 content) 0x31aa9:$s1: Could not open process token: %d (%u) 0x317c3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31b67:$s4: Could not connect to pipe (%s): %d
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x40a83:$loader_export: ReflectiveLoader 0x31780:$exportname: beacon.dll
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x320bc:$x2: %d is an x64 process (can't inject x86 content) 0x3240d:$x3: Failed to impersonate logged on user %d (%u) 0x3231c:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x322d2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a2f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x32023:$s4: could not write to process memory: %d 0x317c3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31b67:$s6: Could not connect to pipe (%s): %d
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x32798:$str1: %s (admin) 0x31780:$str2: beacon.dll
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x3231c:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x320ec:$x2: %d is an x86 process (can't inject x64 content) 0x322d2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x323b6:$x4: Failed to impersonate token from %d (%u) 0x3240d:$x5: Failed to impersonate logged on user %d (%u) 0x317c3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x322aa:$s1: %%IMPORT%% 0x317a7:$s2: www6.%x%x.%s 0x3179b:$s3: cdn.%x%x.%s 0x31a23:$s4: api.%x%x.%s 0x32798:$s5: %s (admin) 0x31a92:$s6: could not spawn %s: %d 0x3234e:$s7: Could not kill %d: %d 0x31b67:$s8: Could not connect to pipe (%s): %d 0x317b4:$s9: %s.1%x.%x%x.%s 0x317c3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3183b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3189e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x318e4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31922:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31958:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31981:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x319a6:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x319c7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x319e4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x319fd:$s9: %s.1%08x%08x.%x%x.%s 0x31a12:$s9: %s.1%08x.%x%x.%s
Click to see the 41 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VBqmdl6ttr.exe

Avira: detected

Found malware configuration

Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "20.25.126.96,/cm", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Multi AV Scanner detection for submitted file

Source: VBqmdl6ttr.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: VBqmdl6ttr.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96A1184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

0_2_000001D7C96A1184

Source: VBqmdl6ttr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B975C malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_000001D7C96B975C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B2170 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_000001D7C96B2170

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 4x nop then sub rsp, 58h

0_2_00007FF7F72D2E70

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 20.25.126.96

Source: Joe Sandbox View

ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS

Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96
Source: unknown	TCP traffic detected without corresponding DNS query: 20.25.126.96

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96B60F8 recv,

0_2_000001D7C96B60F8

Source: VBqmdl6ttr.exe, 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:%u/
Source: VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.1492910943.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C944C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/
Source: VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.1492910943.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/4
Source: VBqmdl6ttr.exe, 00000000.00000003.2118756330.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C944C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/6
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cm
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2418998322.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2118756330.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cmD
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cmf
Source: VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/cmr
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C944C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96/m
Source: VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94C2000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://20.25.126.96:443/cm

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_00007FF7F72D16CA GetCurrentProcess,GetCurrentProcess,NtCreateJobSet,GetCurrentProcess,NtCompareSigningLevels,	0_2_00007FF7F72D16CA
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_00007FF7F72D1C4B NtAccessCheckAndAuditAlarm,	0_2_00007FF7F72D1C4B
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_00007FF7F72D1C97 GetCurrentProcess,NtSetTimer,	0_2_00007FF7F72D1C97
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_00007FF7F72D14D8 GetCurrentProcess,GetCurrentProcess,NtAlpcCreatePortSection,GetCurrentProcess,GetCurrentProcess,NtCreatePagingFile,	0_2_00007FF7F72D14D8

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96B17A8 CreateProcessWithLogonW,GetLastError,

0_2_000001D7C96B17A8

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9421840	0_2_000001D7C9421840
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9421858	0_2_000001D7C9421858
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9400874	0_2_000001D7C9400874
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9421818	0_2_000001D7C9421818
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C941D820	0_2_000001D7C941D820
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9421828	0_2_000001D7C9421828
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9421830	0_2_000001D7C9421830
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C94218B8	0_2_000001D7C94218B8
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C94218C0	0_2_000001D7C94218C0
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C94148E0	0_2_000001D7C94148E0
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9421898	0_2_000001D7C9421898
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9407FB8	0_2_000001D7C9407FB8
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C94217B8	0_2_000001D7C94217B8
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C94217C0	0_2_000001D7C94217C0
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C941BFE0	0_2_000001D7C941BFE0
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9421798	0_2_000001D7C9421798
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C94217A0	0_2_000001D7C94217A0
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C94217A8	0_2_000001D7C94217A8
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9411A88	0_2_000001D7C9411A88
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C941214C	0_2_000001D7C941214C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C93F916C	0_2_000001D7C93F916C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9407474	0_2_000001D7C9407474
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9414BFC	0_2_000001D7C9414BFC
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9416414	0_2_000001D7C9416414
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9414C18	0_2_000001D7C9414C18
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9410C34	0_2_000001D7C9410C34
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9412C9C	0_2_000001D7C9412C9C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C941B370	0_2_000001D7C941B370
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C941CBC7	0_2_000001D7C941CBC7
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C93FCE40	0_2_000001D7C93FCE40
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C940FE70	0_2_000001D7C940FE70
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C941EE30	0_2_000001D7C941EE30
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C93F9680	0_2_000001D7C93F9680
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C941CEB0	0_2_000001D7C941CEB0
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B8074	0_2_000001D7C96B8074
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96C1834	0_2_000001D7C96C1834
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96C7014	0_2_000001D7C96C7014
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96C389C	0_2_000001D7C96C389C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96CBF70	0_2_000001D7C96CBF70
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96CD7C7	0_2_000001D7C96CD7C7
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96C0A70	0_2_000001D7C96C0A70
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96ADA40	0_2_000001D7C96ADA40
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96CFA30	0_2_000001D7C96CFA30
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96CDAB0	0_2_000001D7C96CDAB0
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96AA280	0_2_000001D7C96AA280
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B1474	0_2_000001D7C96B1474
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96CE420	0_2_000001D7C96CE420
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96CCBE0	0_2_000001D7C96CCBE0
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B8BB8	0_2_000001D7C96B8BB8
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96C2688	0_2_000001D7C96C2688
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96A9D6C	0_2_000001D7C96A9D6C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96C2D4C	0_2_000001D7C96C2D4C

Source: VBqmdl6ttr.exe

Static PE information: Number of sections : 11 > 10

Source: VBqmdl6ttr.exe, 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs VBqmdl6ttr.exe
Source: VBqmdl6ttr.exe	Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs VBqmdl6ttr.exe

Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96B10B0 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

0_2_000001D7C96B10B0

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96B3FA4 CreateThread,GetModuleHandleA,GetProcAddress,CreateToolhelp32Snapshot,Thread32Next,Sleep,

0_2_000001D7C96B3FA4

Source: VBqmdl6ttr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VBqmdl6ttr.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

File read: C:\Users\user\Desktop\VBqmdl6ttr.exe

Jump to behavior

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: VBqmdl6ttr.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: VBqmdl6ttr.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96AD840 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_000001D7C96AD840

Source: VBqmdl6ttr.exe

Static PE information: section name: .xdata

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C9427F8C push 0000006Ah; retf		0_2_000001D7C9427FA4
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96D918C push 0000006Ah; retf		0_2_000001D7C96D91A4

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96C0A70 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_000001D7C96C0A70

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96AFF5C		0_2_000001D7C96AFF5C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B5D98		0_2_000001D7C96B5D98

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-42330
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_0-42188

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

API coverage: 7.4 %

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96B5D98

0_2_000001D7C96B5D98

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe TID: 5864

Thread sleep time: -60000s >= -30000s

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B975C malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,		0_2_000001D7C96B975C
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B2170 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,		0_2_000001D7C96B2170

Source: VBqmdl6ttr.exe, 00000000.00000003.2093408888.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095684788.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.1493109439.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2118756330.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C9457000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2096075885.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

API call chain: ExitProcess graph end node

graph_0-42259

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96D0040 MultiByteToWideChar,MultiByteToWideChar,DebuggerProbe,DebuggerRuntime,IsDebuggerPresent,_RTC_GetSrcLine,WideCharToMultiByte,WideCharToMultiByte,

0_2_000001D7C96D0040

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96C9F80 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_000001D7C96C9F80

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96AD840 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_000001D7C96AD840

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96CC8FC _lseeki64_nolock,_lseeki64_nolock,GetProcessHeap,HeapAlloc,_errno,_errno,_setmode_nolock,__doserrno,_errno,_setmode_nolock,GetProcessHeap,HeapFree,_lseeki64_nolock,SetEndOfFile,_errno,__doserrno,GetLastError,_lseeki64_nolock,

0_2_000001D7C96CC8FC

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_00007FF7F72D1180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm,

0_2_00007FF7F72D1180

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	NtProtectVirtualMemory: Indirect: 0x7FF7F72D1768	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	NtProtectVirtualMemory: Indirect: 0x7FF7F72D1593	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	NtCreateThreadEx: Indirect: 0x7FF7F72D17B1	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	NtMapViewOfSection: Indirect: 0x7FF7F72D1D04	Jump to behavior
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	NtProtectVirtualMemory: Indirect: 0x7FF7F72D15F6	Jump to behavior

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96BE45C LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,

0_2_000001D7C96BE45C

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96BE3D4 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_000001D7C96BE3D4

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96B0E60 CreateNamedPipeA,

0_2_000001D7C96B0E60

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96AF900 GetLocalTime,

0_2_000001D7C96AF900

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96B6368 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_000001D7C96B6368

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Code function: 0_2_000001D7C96B6368 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,

0_2_000001D7C96B6368

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: Process Memory Space: VBqmdl6ttr.exe PID: 5536, type: MEMORYSTR
Source: Yara match	File source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VBqmdl6ttr.exe.1d7c93f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VBqmdl6ttr.exe.1d7c96a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B6FB4 socket,htons,ioctlsocket,closesocket,bind,listen,	0_2_000001D7C96B6FB4
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96BF398 socket,closesocket,htons,bind,listen,	0_2_000001D7C96BF398
Source: C:\Users\user\Desktop\VBqmdl6ttr.exe	Code function: 0_2_000001D7C96B6BAC htonl,htons,socket,closesocket,bind,ioctlsocket,	0_2_000001D7C96B6BAC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 Valid Accounts	2 Valid Accounts	2 Valid Accounts	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	21 Access Token Manipulation	1 Virtualization/Sandbox Evasion	LSASS Memory	141 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Process Injection	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	21 Access Token Manipulation	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Process Injection	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	5 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
VBqmdl6ttr.exe	63%	ReversingLabs	Win64.Trojan.CobaltStrike
VBqmdl6ttr.exe	100%	Avira	TR/Crypt.EPACK.Gen2
VBqmdl6ttr.exe	100%	Joe Sandbox ML

Name	Malicious	Antivirus Detection	Reputation
20.25.126.96	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://20.25.126.96:443/cm	VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94C2000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C9457000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://20.25.126.96/m	VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C944C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://20.25.126.96/cmf	VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94CB000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://127.0.0.1:%u/	VBqmdl6ttr.exe, 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp	false	unknown
https://20.25.126.96/	VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.1492910943.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C944C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://20.25.126.96/cm	VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C9457000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://20.25.126.96/6	VBqmdl6ttr.exe, 00000000.00000003.2118756330.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C944C000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://20.25.126.96/cmr	VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://20.25.126.96/4	VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.1492910943.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://20.25.126.96/cmD	VBqmdl6ttr.exe, 00000000.00000002.2734382612.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2096130665.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2418998322.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2094602387.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2118756330.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp, VBqmdl6ttr.exe, 00000000.00000003.2095890747.000001D7C94A4000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
20.25.126.96	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542744
Start date and time:	2024-10-26 09:10:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VBqmdl6ttr.exe renamed because original name is a hash value
Original Sample Name:	9fd4c19371695542b32c3affee29c23939e18d6ec52a3d7329fc31bba5c870d6.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 17 Number of non-executed functions: 179
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: VBqmdl6ttr.exe

Simulations

Behavior and APIs

Time	Type	Description
03:11:34	API Interceptor	2x Sleep call for process: VBqmdl6ttr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
20.25.126.96	Ljrfk7uRvO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MICROSOFT-CORP-MSN-AS-BLOCKUS	Ljrfk7uRvO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	20.25.126.96
	https://www.google.co.uk/url?q=38pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/taxigiarebienhoa.vn/nini/ybmex/captcha/Z3VsYW1yYXN1bC5jaGVwdXdhbGFAY2V2YWxvZ2lzdGljcy5jb20	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.246.60
	https://load.aberegg-immobilien.ch/	Get hash	malicious	HTMLPhisher	Browse	40.126.31.73
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	22.252.12.135
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	20.57.78.10
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	21.238.75.88
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	40.99.246.89
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	22.36.15.81
	la.bot.powerpc.elf	Get hash	malicious	Unknown	Browse	22.23.166.67
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	20.189.202.203

File type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Entropy (8bit):	6.987436042134288
TrID:	Win64 Executable (generic) (12005/4) 74.95% Generic Win/DOS Executable (2004/3) 12.51% DOS Executable Generic (2002/1) 12.50% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name:	VBqmdl6ttr.exe
File size:	384'000 bytes
MD5:	4139a824287596151a7fbc2e357a33ad
SHA1:	8f0a5e23c48a42320594090f1a24dd5cd32e194d
SHA256:	9fd4c19371695542b32c3affee29c23939e18d6ec52a3d7329fc31bba5c870d6
SHA512:	649a971469c145322112b7fce60f82acfc3f667af035c8e74cceea7fb0f76e072c51a862c4084101dd2e6abdde402b929cda508f805be52452676a93ba09c525
SSDEEP:	6144:sdEoW2cEL31FdmByY98AHUmCfSfkHWU0B+/KSnJh807jxhuL:RkJAHJVVJOtH8+jxkL
TLSH:	CD849DD43165C406EE21DF7CBBF6DFFA541A83EB1EC50A0999D06B496ACB42EF950C80
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......g...............+.........".............@.....................................>....`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1400013d0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, DEBUG_STRIPPED
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6718BD13 [Wed Oct 23 09:08:35 2024 UTC]
TLS Callbacks:	0x40002ae0, 0x1, 0x40002ab0, 0x1
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f6362cf62b1180cc621ed9ff8c2e95a

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0005C015h]
mov dword ptr [eax], 00000001h
call 00007EFF809683CFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
dec eax
mov eax, dword ptr [0005BFF5h]
mov dword ptr [eax], 00000000h
call 00007EFF809683AFh
nop
nop
dec eax
add esp, 28h
ret
nop dword ptr [eax]
dec eax
sub esp, 28h
call 00007EFF8096AD7Ch
dec eax
cmp eax, 01h
sbb eax, eax
dec eax
add esp, 28h
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
dec eax
lea ecx, dword ptr [00000009h]
jmp 00007EFF80968609h
nop dword ptr [eax+00h]
ret
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
push ebx
dec eax
sub esp, 20h
dec eax
mov eax, dword ptr [00000020h]
dec eax
mov eax, dword ptr [eax]
mov ebx, dword ptr [eax]
call dword ptr [00061DBFh]
dec eax
mov ecx, eax
mov edx, ebx
call dword ptr [00061E2Ch]
dec eax
mov ecx, dword ptr [0005EBCDh]
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00061DF9h]
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
call dword ptr [00061D9Bh]
mov dword ptr [000000A5h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x63000	0x7c0	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x66000	0x3e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x5e000	0x42c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x67000	0x7c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5d040	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x63200	0x1c0	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2d28	0x2e00	c6f78c1f6f8a2b004ebfc4624a0f2222	False	0.5230978260869565	data	6.1559002164004175	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4000	0x582d0	0x58400	bd3d81dedf173bd17954ac6928588fdd	False	0.5881783374645893	data	7.020465403162309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5d000	0x950	0xa00	e3eb31941209fef7a8197669af3e8c88	False	0.23359375	data	4.04449932695149	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.pdata	0x5e000	0x42c	0x600	cc7f39d5599ab9dece0ce5bdc4320633	False	0.3580729166666667	data	3.401984181084123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x5f000	0x2f8	0x400	8b696c25032bb12be4efebdb1153aaf9	False	0.30078125	data	3.1199595534588123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x60000	0x2180	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x63000	0x7c0	0x800	42c40f95eebdca66bee2332dfc34e88c	False	0.3583984375	data	4.206586897193121	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x64000	0x60	0x200	88597a0024ad171691784e44f2d44b20	False	0.068359375	data	0.28655982431271465	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x65000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x66000	0x3e8	0x400	896d2cb22ee8b69e7921e7b1163f627c	False	0.4482421875	data	3.3356298725544145	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x67000	0x7c	0x200	bbf8d3181ec4b8697567993b81ee4ba4	False	0.25390625	data	1.5178825269260272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x66058	0x38c	PGP symmetric key encrypted data - Plaintext or unencrypted data	English	United States	0.46365638766519823

Imports

DLL	Import
KERNEL32.dll	ConvertThreadToFiber, CreateFiber, DeleteCriticalSection, DeleteFiber, EnterCriticalSection, GetCurrentProcess, GetCurrentThreadId, GetLastError, GetModuleFileNameA, GetModuleHandleA, GetProcAddress, InitializeCriticalSection, LeaveCriticalSection, SetUnhandledExceptionFilter, Sleep, SleepEx, SwitchToFiber, TlsGetValue, VirtualProtect, VirtualQuery, WaitForSingleObject
msvcrt.dll	__C_specific_handler, __getmainargs, __initenv, __iob_func, __set_app_type, __setusermatherr, _amsg_exit, _cexit, _commode, _fmode, _initterm, _onexit, abort, calloc, exit, fclose, fopen, fprintf, fread, free, fsetpos, fwrite, malloc, mbstowcs, memcmp, memcpy, rand, signal, strlen, strncmp, vfprintf, wcsncat, wcsncpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 26, 2024 09:11:33.040510893 CEST	49706	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:33.040565968 CEST	443	49706	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:33.040674925 CEST	49706	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:33.042669058 CEST	49706	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:33.042682886 CEST	443	49706	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:34.097081900 CEST	443	49706	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:34.097143888 CEST	49706	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:34.102045059 CEST	49706	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:34.102071047 CEST	443	49706	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:34.109855890 CEST	49707	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:34.109884024 CEST	443	49707	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:34.109951019 CEST	49707	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:34.113543034 CEST	49707	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:34.113558054 CEST	443	49707	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:35.206110954 CEST	443	49707	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:35.206173897 CEST	49707	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:35.206314087 CEST	49707	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:35.206331015 CEST	443	49707	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:35.206832886 CEST	49708	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:35.206895113 CEST	443	49708	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:35.206964016 CEST	49708	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:35.208118916 CEST	49708	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:11:35.208154917 CEST	443	49708	20.25.126.96	192.168.2.11
Oct 26, 2024 09:11:35.208199024 CEST	49708	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:35.570633888 CEST	49714	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:35.570668936 CEST	443	49714	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:35.570774078 CEST	49714	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:35.571135998 CEST	49714	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:35.571150064 CEST	443	49714	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:36.738022089 CEST	443	49714	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:36.738079071 CEST	49714	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:36.738146067 CEST	49714	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:36.738159895 CEST	443	49714	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:36.738579988 CEST	49715	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:36.738653898 CEST	443	49715	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:36.738725901 CEST	49715	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:36.739064932 CEST	49715	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:36.739111900 CEST	443	49715	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:37.791801929 CEST	443	49715	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:37.791943073 CEST	49715	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:37.792022943 CEST	49715	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:37.792062998 CEST	443	49715	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:37.792423964 CEST	49716	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:37.792459011 CEST	443	49716	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:37.792521000 CEST	49716	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:37.792843103 CEST	49716	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:12:37.792865038 CEST	443	49716	20.25.126.96	192.168.2.11
Oct 26, 2024 09:12:37.792933941 CEST	49716	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:37.805069923 CEST	49982	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:37.805109024 CEST	443	49982	20.25.126.96	192.168.2.11
Oct 26, 2024 09:13:37.805171967 CEST	49982	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:37.805471897 CEST	49982	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:37.805483103 CEST	443	49982	20.25.126.96	192.168.2.11
Oct 26, 2024 09:13:38.865907907 CEST	443	49982	20.25.126.96	192.168.2.11
Oct 26, 2024 09:13:38.865981102 CEST	49982	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:38.866089106 CEST	49982	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:38.866108894 CEST	443	49982	20.25.126.96	192.168.2.11
Oct 26, 2024 09:13:38.866558075 CEST	49983	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:38.866651058 CEST	443	49983	20.25.126.96	192.168.2.11
Oct 26, 2024 09:13:38.866748095 CEST	49983	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:38.867022991 CEST	49983	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:38.867052078 CEST	443	49983	20.25.126.96	192.168.2.11
Oct 26, 2024 09:13:39.923165083 CEST	443	49983	20.25.126.96	192.168.2.11
Oct 26, 2024 09:13:39.923476934 CEST	49983	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:39.923476934 CEST	49983	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:40.238837004 CEST	49983	443	192.168.2.11	20.25.126.96
Oct 26, 2024 09:13:40.238872051 CEST	443	49983	20.25.126.96	192.168.2.11

Target ID:	0
Start time:	03:11:32
Start date:	26/10/2024
Path:	C:\Users\user\Desktop\VBqmdl6ttr.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\VBqmdl6ttr.exe"
Imagebase:	0x7ff7f72d0000
File size:	384'000 bytes
MD5 hash:	4139A824287596151A7FBC2E357A33AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_4, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: unknown Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: yara@s3c.za.net Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: @VK_Intel Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: Florian Roth Rule: INDICATOR_SUSPICIOUS_ReflectiveLoader, Description: detects Reflective DLL injection artifacts, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	79.4%
Signature Coverage:	16.3%
Total number of Nodes:	436
Total number of Limit Nodes:	30

Executed Functions

Function 000001D7C96B6368 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001D7C96B652C: malloc.LIBCMT ref: 000001D7C96B6548

GetUserNameA.ADVAPI32 ref: 000001D7C96B63EF
GetComputerNameA.KERNEL32 ref: 000001D7C96B6402
GetModuleFileNameA.KERNEL32 ref: 000001D7C96B641B
strrchr.LIBCMT ref: 000001D7C96B642D
GetVersionExA.KERNEL32 ref: 000001D7C96B6450
_snprintf.LIBCMT ref: 000001D7C96B64DB

Strings

%s%s%s, xrefs: 000001D7C96B64BF

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
String ID: %s%s%s
API String ID: 1671524875-1891519693
Opcode ID: d6e05053124b8dff8425dc3cf1f92d55cccad1505d70d60e1a9c084601c5b39b
Instruction ID: f5258ebb3f670824d861dd887f3854088e67f3ac837103fe61a768dba90c998c
Opcode Fuzzy Hash: d6e05053124b8dff8425dc3cf1f92d55cccad1505d70d60e1a9c084601c5b39b
Instruction Fuzzy Hash: 3E41B3317286824EFA84EB22A8553EA7791B789BE6F444123EE55177D6FF3CC4129700

Function 00007FF7F72D1180 Relevance: 10.6, APIs: 7, Instructions: 138
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(?,?,?,00007FF7F72D13E6), ref: 00007FF7F72D11BE
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7F72D122F
malloc.MSVCRT ref: 00007FF7F72D1263
strlen.MSVCRT ref: 00007FF7F72D1284
malloc.MSVCRT ref: 00007FF7F72D1290
memcpy.MSVCRT ref: 00007FF7F72D12A8

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandledmemcpystrlen
String ID:
API String ID: 3806033187-0
Opcode ID: f101c46afb30c7957e4eff7f0e05608a286d701db5dbf3b1a0632ae887ab647f
Instruction ID: 75859539a615dbffd65fe48a22c804a472f47db037c31291b428ef1845b1949c
Opcode Fuzzy Hash: f101c46afb30c7957e4eff7f0e05608a286d701db5dbf3b1a0632ae887ab647f
Instruction Fuzzy Hash: 1E51393AA0969396F750BB55E8C0279E3B1AF44B84F954039D92D877D6DE3CF44283A0

Function 000001D7C96A1184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptAcquireContextA.ADVAPI32 ref: 000001D7C96A11B8
CryptAcquireContextA.ADVAPI32 ref: 000001D7C96A11DC
CryptGenRandom.ADVAPI32 ref: 000001D7C96A11F0
CryptReleaseContext.ADVAPI32 ref: 000001D7C96A1204

Strings

Microsoft Base Cryptographic Provider v1.0, xrefs: 000001D7C96A11A2, 000001D7C96A11C6
(, xrefs: 000001D7C96A11D4

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Crypt$Context$Acquire$RandomRelease
String ID: ($Microsoft Base Cryptographic Provider v1.0
API String ID: 685801729-4046902070
Opcode ID: fa0b29f9760dabc340fcd7cbc21f7117ced170409b555a10c43338b8a3fe18f4
Instruction ID: 4bfb0e300342a2191696f29429a9ac5757d0ee5c754b361a06099589eb835d83
Opcode Fuzzy Hash: fa0b29f9760dabc340fcd7cbc21f7117ced170409b555a10c43338b8a3fe18f4
Instruction Fuzzy Hash: 84012D7231874286F790CF55E884399B7A1F7D8B89F448012C618933E4EF7CCA59C380

Function 00007FF7F72D14D8 Relevance: 4.6, APIs: 3, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F72D156D
GetCurrentProcess.KERNEL32 ref: 00007FF7F72D15B4
GetCurrentProcess.KERNEL32 ref: 00007FF7F72D15D9

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: cca5a1ca99f8f84fe824436626c2083d10e503a6589d2d4ad15d8275bd06f2d4
Instruction ID: 58b09ccd6b73811e01f54d1e8505266640d99711a35b2bea8096f471ac86b811
Opcode Fuzzy Hash: cca5a1ca99f8f84fe824436626c2083d10e503a6589d2d4ad15d8275bd06f2d4
Instruction Fuzzy Hash: E131CD36A09B8596D760DB15B900A2BF3B1FB89B94F804138EE9C97B54EF7CD442DB40

Function 00007FF7F72D1C97 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF7F72D1CB4

Strings

@, xrefs: 00007FF7F72D1CEA

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: CurrentProcess
String ID: @
API String ID: 2050909247-2766056989
Opcode ID: 10b0b8c1d52fa35fa606de6c8dc4ab17d8839643b3196dfd5ca5394de3015a64
Instruction ID: 1fcdfb96b080513b0c42f6fdadf23d6491ccbd69b7bf341429cab74fee78e712
Opcode Fuzzy Hash: 10b0b8c1d52fa35fa606de6c8dc4ab17d8839643b3196dfd5ca5394de3015a64
Instruction Fuzzy Hash: 25F0F676A18B8186D7609B54F48024BBBA5F788794FA04129EBCC83B68EF3DD054CB40

Function 00007FF7F72D16CA Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F72D1C97: GetCurrentProcess.KERNEL32 ref: 00007FF7F72D1CB4

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000800,00007FF7F72D4000), ref: 00007FF7F72D1744
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000800,00007FF7F72D4000), ref: 00007FF7F72D176D

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: b9ddc85af339ca7b4a72427eec99d6b2652adb9ca33a515feb6f9a9ef3457fea
Instruction ID: f737d341816c4947089c8b91838922f26443f62439ec8136b38c6f82b0190747
Opcode Fuzzy Hash: b9ddc85af339ca7b4a72427eec99d6b2652adb9ca33a515feb6f9a9ef3457fea
Instruction Fuzzy Hash: CA21D83760DB4146E750AB65F48026AB7E4EB897C0F544135EA8D83FA9EE3CD042C750

Function 00007FF7F72D1C4B Relevance: 1.3, Strings: 1, Instructions: 19COMMON

Download Yara Rule

Strings

@, xrefs: 00007FF7F72D1C66

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 18499add16e78753605d273a7ff3c60a1e52f63b3d8e7b04dec0ca4303b45796
Instruction ID: 646ceae8e80fade1403ae860484a4a0e5a285dca9089808d4d926d89751363f0
Opcode Fuzzy Hash: 18499add16e78753605d273a7ff3c60a1e52f63b3d8e7b04dec0ca4303b45796
Instruction Fuzzy Hash: FCE0C966A28A8187D311EF18E45025BBAB2F7C1344FA08125E78C87E59DB3EC5158F44

Function 000001D7C96AE6BC Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 000001D7C96AE763

Part of subcall function 000001D7C96BFB3C: _errno.LIBCMT ref: 000001D7C96BFB73
Part of subcall function 000001D7C96BFB3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96BFB7E

Part of subcall function 000001D7C96B8074: _snprintf.LIBCMT ref: 000001D7C96B81E1

_snprintf.LIBCMT ref: 000001D7C96AE7FA
_snprintf.LIBCMT ref: 000001D7C96AE811
WinHttpOpenRequest.WINHTTP ref: 000001D7C96AE880
WinHttpSetCredentials.WINHTTP ref: 000001D7C96AE91D
WinHttpSendRequest.WINHTTP ref: 000001D7C96AE957
WinHttpReceiveResponse.WINHTTP ref: 000001D7C96AE96A

Part of subcall function 000001D7C96B32B0: strchr.LIBCMT ref: 000001D7C96B3316
Part of subcall function 000001D7C96B32B0: _snprintf.LIBCMT ref: 000001D7C96B334C

Part of subcall function 000001D7C96B314C: strchr.LIBCMT ref: 000001D7C96B31A9
Part of subcall function 000001D7C96B314C: _snprintf.LIBCMT ref: 000001D7C96B31F3

WinHttpQueryHeaders.WINHTTP ref: 000001D7C96AE999
WinHttpQueryAuthSchemes.WINHTTP ref: 000001D7C96AE9CF
GetLastError.KERNEL32 ref: 000001D7C96AEA00
WinHttpQueryDataAvailable.WINHTTP ref: 000001D7C96AEA5C
WinHttpCloseHandle.WINHTTP ref: 000001D7C96AEA79
WinHttpReadData.WINHTTP ref: 000001D7C96AEABC
WinHttpCloseHandle.WINHTTP ref: 000001D7C96AEADE

Strings

%s%s, xrefs: 000001D7C96AE806
*/*, xrefs: 000001D7C96AE6ED

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Http$_snprintf$Query$CloseDataHandleRequeststrchr$AuthAvailableCredentialsErrorHeadersLastOpenReadReceiveResponseSchemesSend_errno_invalid_parameter_noinfo
String ID: %s%s$*/*
API String ID: 4056314505-856325523
Opcode ID: a69e4937a94b429416c7d0aa71b4f67c05955be3f66186a7053f6ed42f8e31b0
Instruction ID: 7d208e86d747ac6b0c9a767817fe7ce2e732cb203135ea93ca19caf458301339
Opcode Fuzzy Hash: a69e4937a94b429416c7d0aa71b4f67c05955be3f66186a7053f6ed42f8e31b0
Instruction Fuzzy Hash: 3CC17E726286828AFBA0DB65E8507DA77A0F788B85F404127DF4A677D5FF38C446CB40

Function 000001D7C96ACA74 Relevance: 7.8, APIs: 6, Instructions: 296
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001D7C96B652C: malloc.LIBCMT ref: 000001D7C96B6548

malloc.LIBCMT ref: 000001D7C96ACB3B

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

Part of subcall function 000001D7C96BC73C: _time64.LIBCMT ref: 000001D7C96BC760
Part of subcall function 000001D7C96BC73C: malloc.LIBCMT ref: 000001D7C96BC7A8
Part of subcall function 000001D7C96BC73C: strtok.LIBCMT ref: 000001D7C96BC80C
Part of subcall function 000001D7C96BC73C: strtok.LIBCMT ref: 000001D7C96BC81D

Part of subcall function 000001D7C96B39E0: _time64.LIBCMT ref: 000001D7C96B39EE

Part of subcall function 000001D7C96BEFB4: malloc.LIBCMT ref: 000001D7C96BF004

Part of subcall function 000001D7C96BEFB4: realloc.LIBCMT ref: 000001D7C96BF013

Part of subcall function 000001D7C96AF900: GetLocalTime.KERNEL32 ref: 000001D7C96AF91F

malloc.LIBCMT ref: 000001D7C96ACC4A
_snprintf.LIBCMT ref: 000001D7C96ACCC1
_snprintf.LIBCMT ref: 000001D7C96ACCE7
free.LIBCMT ref: 000001D7C96ACEC6

Part of subcall function 000001D7C96BB280: malloc.LIBCMT ref: 000001D7C96BB2B4
Part of subcall function 000001D7C96BB280: free.LIBCMT ref: 000001D7C96BB46B

Part of subcall function 000001D7C96B9348: htonl.WS2_32 ref: 000001D7C96B9379
Part of subcall function 000001D7C96B9348: htonl.WS2_32 ref: 000001D7C96B9386

_snprintf.LIBCMT ref: 000001D7C96ACD0E

Part of subcall function 000001D7C96BDF80: Sleep.KERNEL32 ref: 000001D7C96BDFC8
Part of subcall function 000001D7C96BDF80: ExitThread.KERNEL32 ref: 000001D7C96BDFD2

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
String ID:
API String ID: 548016584-0
Opcode ID: 021f67030ebb1c0742149ef9574873c39fd2858c24acc11b94baa40b13049e2a
Instruction ID: 8332531ab25bf916908ea701fb5ed6408215a7711767dd3b9fcfb2cf61c56531
Opcode Fuzzy Hash: 021f67030ebb1c0742149ef9574873c39fd2858c24acc11b94baa40b13049e2a
Instruction Fuzzy Hash: 93C1BF313282834EFB94FB7294517EA6295AB85B86F404027EE1A677D7FF38C8059750

Function 000001D7C96AEC94 Relevance: 6.1, APIs: 4, Instructions: 140
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinHttpOpen.WINHTTP ref: 000001D7C96AEEE0
WinHttpSetOption.WINHTTP ref: 000001D7C96AEF00
WinHttpSetOption.WINHTTP ref: 000001D7C96AEF18
WinHttpConnect.WINHTTP ref: 000001D7C96AEF42

Part of subcall function 000001D7C96B652C: malloc.LIBCMT ref: 000001D7C96B6548

Part of subcall function 000001D7C96BEFB4: malloc.LIBCMT ref: 000001D7C96BF004

Part of subcall function 000001D7C96BEFB4: realloc.LIBCMT ref: 000001D7C96BF013

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Http$Optionmalloc$ConnectOpenrealloc
String ID:
API String ID: 3404656368-0
Opcode ID: b855d478e0993058d055fdf9cb4d1871519f46178ed5ef37dad5c072d1d066a9
Instruction ID: 08dbacca1757b4cb0c9b4916a6590ef6c4941082eee7175f571688fac4fa7ab2
Opcode Fuzzy Hash: b855d478e0993058d055fdf9cb4d1871519f46178ed5ef37dad5c072d1d066a9
Instruction Fuzzy Hash: 5A711435628B838EFB80DB11E8907D633A0BB89756F104027CA4A6B3E5FF39C0568B54

Function 00007FF7F72D161F Relevance: 6.0, APIs: 4, Instructions: 32
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F72D14D8: GetCurrentProcess.KERNEL32 ref: 00007FF7F72D156D
Part of subcall function 00007FF7F72D14D8: GetCurrentProcess.KERNEL32 ref: 00007FF7F72D15B4
Part of subcall function 00007FF7F72D14D8: GetCurrentProcess.KERNEL32 ref: 00007FF7F72D15D9

ConvertThreadToFiber.KERNEL32 ref: 00007FF7F72D164B
CreateFiber.KERNEL32 ref: 00007FF7F72D166A
SwitchToFiber.KERNEL32 ref: 00007FF7F72D1676
DeleteFiber.KERNEL32 ref: 00007FF7F72D167F

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: Fiber$CurrentProcess$ConvertCreateDeleteSwitchThread
String ID:
API String ID: 1957389288-0
Opcode ID: 6a037e21e67eaa63333cd04506eca0327f3f3caf750fbc0155445db6ff382fb3
Instruction ID: e828165202006ec8ff44ec464a96b0b93f8175873d625687dd50887c430e058a
Opcode Fuzzy Hash: 6a037e21e67eaa63333cd04506eca0327f3f3caf750fbc0155445db6ff382fb3
Instruction Fuzzy Hash: FF014F2AA0865752EBA06B21F844269E221AF04781F85813DCC2D86AD0DE3CA14787A0

Function 000001D7C96AF554 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000001D7C96AF658: WSAStartup.WS2_32 ref: 000001D7C96AF676

WSASocketA.WS2_32 ref: 000001D7C96AF582
WSAIoctl.WS2_32 ref: 000001D7C96AF5CF
closesocket.WS2_32 ref: 000001D7C96AF62E

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: IoctlSocketStartupclosesocket
String ID:
API String ID: 365704328-0
Opcode ID: 3b002878a253f710bfbcdeef10aed79583f0fb1cb8ac18c2645925e9684d3859
Instruction ID: 0065259ce0eefbb21925c7b409b75e75962a0b97f28a029da79f16600def46cf
Opcode Fuzzy Hash: 3b002878a253f710bfbcdeef10aed79583f0fb1cb8ac18c2645925e9684d3859
Instruction Fuzzy Hash: 1021E5327187C14BE7A08F24F64079AB7A4F3887E5F505226DE9913BD5EF39C5128B10

Function 00007FF7F72D2900 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00007FF7F72D2912
GetModuleFileNameA.KERNEL32 ref: 00007FF7F72D2926
malloc.MSVCRT ref: 00007FF7F72D2967

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: malloc$FileModuleName
String ID:
API String ID: 3634825322-0
Opcode ID: dc5dda09de865df51fca8e04114dd6f26778cc455da49e1b2ad297201e6a36ee
Instruction ID: 2f417dcc528ad4d87a79752cf5bab6a0762c84a046a1f49198e0c8004f522b42
Opcode Fuzzy Hash: dc5dda09de865df51fca8e04114dd6f26778cc455da49e1b2ad297201e6a36ee
Instruction Fuzzy Hash: C811B41AB0D68295EB10BB12A4D05F9E760AF89BD4FD44038ED5E9B786DD2CD54283E0

Function 000001D7C9408E10 Relevance: 3.7, APIs: 2, Instructions: 671
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 000001D7C94092AF
LoadLibraryA.KERNELBASE ref: 000001D7C94093FB

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: b6194f7ecb9c7bda0839972a33261a802d5f620b58ca6edd0253a6b67f127526
Instruction ID: 12abd3e0c6bbe40a33d1f97a9e10f89507739acae8987672286034e8411a7b49
Opcode Fuzzy Hash: b6194f7ecb9c7bda0839972a33261a802d5f620b58ca6edd0253a6b67f127526
Instruction Fuzzy Hash: CE620976711B988EDB94CF6AC88039D37E1F748B9CF109126EA4D87BA8EB38C551C740

Function 000001D7C96AF658 Relevance: 3.0, APIs: 2, Instructions: 42
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 000001D7C96AF676
WSACleanup.WS2_32 ref: 000001D7C96AF712

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CleanupStartup
String ID:
API String ID: 915672949-0
Opcode ID: 964554bc9ffc6533e3d674705f1ab106cd53805b7097fcf37dcb04b5daa89abe
Instruction ID: 32995e57284e31f9fd04c96a7e9a6a000192a801afd71dfb097e42b5ed4f0d0f
Opcode Fuzzy Hash: 964554bc9ffc6533e3d674705f1ab106cd53805b7097fcf37dcb04b5daa89abe
Instruction Fuzzy Hash: 811130705287478FFB94AB70F4557E43295AB41307F00002BD65A3A3E2FF7E88558B50

Function 000001D7C96AEC58 Relevance: 3.0, APIs: 2, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinHttpCloseHandle.WINHTTP ref: 000001D7C96AEC68
WinHttpCloseHandle.WINHTTP ref: 000001D7C96AEC7A

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CloseHandleHttp
String ID:
API String ID: 3048089778-0
Opcode ID: 53aaf727594a5f7467c05443cb871e66c14e33a01580db28005367e5ca5c9bbc
Instruction ID: 7d0b651682442c902a99fa16e47431773b33c3eb87eea3a273df760c07e394cf
Opcode Fuzzy Hash: 53aaf727594a5f7467c05443cb871e66c14e33a01580db28005367e5ca5c9bbc
Instruction Fuzzy Hash: A0E0E23062E942CEFAE98B41A8A07E82220AF84B07F100503C81B622E0FF2A80619311

Function 00007FF7F72D3CC0 Relevance: 3.0, APIs: 2, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F72D2900: malloc.MSVCRT ref: 00007FF7F72D2912
Part of subcall function 00007FF7F72D2900: GetModuleFileNameA.KERNEL32 ref: 00007FF7F72D2926
Part of subcall function 00007FF7F72D2900: malloc.MSVCRT ref: 00007FF7F72D2967

GetCurrentProcess.KERNEL32(?,?,-00000008,00000001,00007FF7F72D12EE,?,?,?,00007FF7F72D13E6), ref: 00007FF7F72D3CE0
WaitForSingleObject.KERNEL32(?,?,-00000008,00000001,00007FF7F72D12EE,?,?,?,00007FF7F72D13E6), ref: 00007FF7F72D3CEA

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: malloc$CurrentFileModuleNameObjectProcessSingleWait
String ID:
API String ID: 343681413-0
Opcode ID: 8295383bd2c69be7a8f54b704a9ed9e1b5ff756f56c927397a777c3f1495be5d
Instruction ID: 2fdc124d75837eddfedcd395d9bbda474b9e3a06686de5631f68ad01a11f6c87
Opcode Fuzzy Hash: 8295383bd2c69be7a8f54b704a9ed9e1b5ff756f56c927397a777c3f1495be5d
Instruction Fuzzy Hash: 20D0C719E1D15E51E7647332EC9547986A55F44790F94443EDC2D933D2CD2CE44353E0

Non-executed Functions

Function 000001D7C96C7014 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001D7C96C706A
_errno.LIBCMT ref: 000001D7C96C7071
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C707C

Strings

U, xrefs: 000001D7C96C75DE

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 6d21db2a166f0f02da4564763f6819608b891abcaacc0062094833d904163e1f
Instruction ID: 67e10ee775cb9d9bb3f5451def7a2c02cbc82f5af4316cde326c5495a8a654e6
Opcode Fuzzy Hash: 6d21db2a166f0f02da4564763f6819608b891abcaacc0062094833d904163e1f
Instruction Fuzzy Hash: 421206322286828EEBA08F29D4843EEB7A1F784B56F540117FA49977D4EF3DC545CB10

Function 000001D7C96B8BB8 Relevance: 46.6, APIs: 22, Strings: 4, Instructions: 1078processCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000001D7C96B94DC
CreateToolhelp32Snapshot.KERNEL32 ref: 000001D7C96B9515
Process32First.KERNEL32 ref: 000001D7C96B9537

Strings

x86, xrefs: 000001D7C96B9503, 000001D7C96B95EC
x64, xrefs: 000001D7C96B94EE, 000001D7C96B94FC
%s%d%d, xrefs: 000001D7C96B9582
%s%d%d%s%s%d, xrefs: 000001D7C96B961C

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
API String ID: 718051232-1833344708
Opcode ID: ab6c4b034608c4bfb5a8e7bb1882252f7892f542baa750dff7c1fcd94f587fe1
Instruction ID: 75dd2d29e1c6629087f1c55229409f8b128ff3b691e2d0266f441efac3af49d7
Opcode Fuzzy Hash: ab6c4b034608c4bfb5a8e7bb1882252f7892f542baa750dff7c1fcd94f587fe1
Instruction Fuzzy Hash: 3F82C431B3C6438EFAE8DB2694513E922D1A785B86F944117DE0A737D9FF38C942A740

Function 000001D7C96C389C Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C96C38FD

Part of subcall function 000001D7C96C0304: _getptd.LIBCMT ref: 000001D7C96C031A
Part of subcall function 000001D7C96C0304: __updatetlocinfo.LIBCMT ref: 000001D7C96C034F
Part of subcall function 000001D7C96C0304: __updatetmbcinfo.LIBCMT ref: 000001D7C96C0376

_errno.LIBCMT ref: 000001D7C96C3902

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

_fileno.LIBCMT ref: 000001D7C96C392F

Part of subcall function 000001D7C96C6550: _errno.LIBCMT ref: 000001D7C96C6559
Part of subcall function 000001D7C96C6550: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C6564

write_multi_char.LIBCMT ref: 000001D7C96C3F6B
write_string.LIBCMT ref: 000001D7C96C3F88
write_multi_char.LIBCMT ref: 000001D7C96C3FA5
write_string.LIBCMT ref: 000001D7C96C4004
write_string.LIBCMT ref: 000001D7C96C403B
write_multi_char.LIBCMT ref: 000001D7C96C405D
free.LIBCMT ref: 000001D7C96C4071
_isleadbyte_l.LIBCMT ref: 000001D7C96C4142
write_char.LIBCMT ref: 000001D7C96C4158
write_char.LIBCMT ref: 000001D7C96C4179
_errno.LIBCMT ref: 000001D7C96C427C
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C4287

Strings

@, xrefs: 000001D7C96C391B
, xrefs: 000001D7C96C3F3F

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: 4fdb0f008eacadda7e995c826f33c081d4a351578f1fad9b5116de50cf84694b
Instruction ID: 7f394637bde0d94aeab3788d3a2619ead475e7df8a1bf795fc5a6cb3ed8b07ed
Opcode Fuzzy Hash: 4fdb0f008eacadda7e995c826f33c081d4a351578f1fad9b5116de50cf84694b
Instruction Fuzzy Hash: E452CE7262C6868EFBE5CB259544BFE6BA0B755786F141007FE4667AD8FB39C840CB00

Function 000001D7C96C2D4C Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 687COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C96C2DAD

Part of subcall function 000001D7C96C0304: _getptd.LIBCMT ref: 000001D7C96C031A
Part of subcall function 000001D7C96C0304: __updatetlocinfo.LIBCMT ref: 000001D7C96C034F
Part of subcall function 000001D7C96C0304: __updatetmbcinfo.LIBCMT ref: 000001D7C96C0376

_errno.LIBCMT ref: 000001D7C96C2DB2

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

_fileno.LIBCMT ref: 000001D7C96C2DDF

Part of subcall function 000001D7C96C6550: _errno.LIBCMT ref: 000001D7C96C6559
Part of subcall function 000001D7C96C6550: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C6564

write_multi_char.LIBCMT ref: 000001D7C96C340F
write_string.LIBCMT ref: 000001D7C96C342C
write_multi_char.LIBCMT ref: 000001D7C96C3449
write_string.LIBCMT ref: 000001D7C96C34A8
write_string.LIBCMT ref: 000001D7C96C34DF
write_multi_char.LIBCMT ref: 000001D7C96C3501
free.LIBCMT ref: 000001D7C96C3515
_isleadbyte_l.LIBCMT ref: 000001D7C96C35E6
write_char.LIBCMT ref: 000001D7C96C35FC
write_char.LIBCMT ref: 000001D7C96C361D
_errno.LIBCMT ref: 000001D7C96C3717
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C3722

Strings

, xrefs: 000001D7C96C33E3

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3318157856-3916222277
Opcode ID: 43dc0f7f762fcca7f57d1b99570bba7f9ec05733d4a268e068958360070d05d4
Instruction ID: 694e5eff4e4109c85d966b7e8152ef84de19f8a5664d44c83285a9c129673f96
Opcode Fuzzy Hash: 43dc0f7f762fcca7f57d1b99570bba7f9ec05733d4a268e068958360070d05d4
Instruction Fuzzy Hash: CB52DF7262C6868EFBE58B159544BEE7BA0B741786F544007FE4A67ED8FB39C9408B00

Function 000001D7C9412C9C Relevance: 32.2, APIs: 16, Strings: 2, Instructions: 693COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C9412CFD

Part of subcall function 000001D7C940F704: _getptd.LIBCMT ref: 000001D7C940F71A
Part of subcall function 000001D7C940F704: __updatetlocinfo.LIBCMT ref: 000001D7C940F74F
Part of subcall function 000001D7C940F704: __updatetmbcinfo.LIBCMT ref: 000001D7C940F776

_errno.LIBCMT ref: 000001D7C9412D02

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

_fileno.LIBCMT ref: 000001D7C9412D2F

Part of subcall function 000001D7C9415950: _errno.LIBCMT ref: 000001D7C9415959
Part of subcall function 000001D7C9415950: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C9415964

write_multi_char.LIBCMT ref: 000001D7C941336B
write_string.LIBCMT ref: 000001D7C9413388
write_multi_char.LIBCMT ref: 000001D7C94133A5
write_string.LIBCMT ref: 000001D7C9413404
write_string.LIBCMT ref: 000001D7C941343B
write_multi_char.LIBCMT ref: 000001D7C941345D
free.LIBCMT ref: 000001D7C9413471
_isleadbyte_l.LIBCMT ref: 000001D7C9413542
write_char.LIBCMT ref: 000001D7C9413558
write_char.LIBCMT ref: 000001D7C9413579
_errno.LIBCMT ref: 000001D7C941367C
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C9413687

Strings

@, xrefs: 000001D7C9412D1B
, xrefs: 000001D7C941333F

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3318157856-1077428164
Opcode ID: dbaff82d1775837e2f6c3a91c2d206b1e8049a0421d00542bb8409871d8f2639
Instruction ID: dd4a893344a309d7a0c4fc82a292b5cf38d7e2612dbf8e4b83eb8e897013a198
Opcode Fuzzy Hash: dbaff82d1775837e2f6c3a91c2d206b1e8049a0421d00542bb8409871d8f2639
Instruction Fuzzy Hash: 4C52B17262C686CEFBE98B1595443EF6BA2B745796F341007DA4646ED8FB38CB40CB04

Function 000001D7C941214C Relevance: 30.4, APIs: 14, Strings: 3, Instructions: 645COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C94121AD

Part of subcall function 000001D7C940F704: _getptd.LIBCMT ref: 000001D7C940F71A
Part of subcall function 000001D7C940F704: __updatetlocinfo.LIBCMT ref: 000001D7C940F74F
Part of subcall function 000001D7C940F704: __updatetmbcinfo.LIBCMT ref: 000001D7C940F776

_errno.LIBCMT ref: 000001D7C94121B2

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

_fileno.LIBCMT ref: 000001D7C94121DF

Part of subcall function 000001D7C9415950: _errno.LIBCMT ref: 000001D7C9415959
Part of subcall function 000001D7C9415950: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C9415964

write_multi_char.LIBCMT ref: 000001D7C941280F
write_string.LIBCMT ref: 000001D7C941282C
_errno.LIBCMT ref: 000001D7C9412B17
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C9412B22

Strings

uld not open service control manager on %s: %d, xrefs: 000001D7C9412152
0, xrefs: 000001D7C941254C
-, xrefs: 000001D7C94127C0

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$Locale_invalid_parameter_noinfo$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexitwrite_multi_charwrite_string
String ID: -$0$uld not open service control manager on %s: %d
API String ID: 3246410048-1877474130
Opcode ID: 7be9b96657ee8d73f97f9f2c2be5265d49fe5bbcddd9d2f69a9c8ec1162abf2e
Instruction ID: 197b91c4ebc44b6c066347bd4f1ee07333287e22160ad085c1f7bbdf3c358e3e
Opcode Fuzzy Hash: 7be9b96657ee8d73f97f9f2c2be5265d49fe5bbcddd9d2f69a9c8ec1162abf2e
Instruction Fuzzy Hash: DF42CF7263C6C6CEFBE98A2995543EF6BB0B745796F341007DA4A966D8F738CA40C700

Function 000001D7C9416414 Relevance: 26.7, APIs: 14, Strings: 1, Instructions: 460COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 000001D7C941646A
_errno.LIBCMT ref: 000001D7C9416471
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C941647C

Strings

U, xrefs: 000001D7C94169DE

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: 94a4f75cf0e11987a7af01aaacde3e6c73ffaf3aad320ef027232a3192f70caa
Instruction ID: fb26964411bb697f94545a2e78ad758f3d5c33e8c1bce0b1225cd44fcd1a693d
Opcode Fuzzy Hash: 94a4f75cf0e11987a7af01aaacde3e6c73ffaf3aad320ef027232a3192f70caa
Instruction Fuzzy Hash: 1C12C332228A42CEEBA08F29D4843DF77A5F785796F604117EB89437D8EB39C645CB10

Function 000001D7C96B8074 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001D7C96B82A2
_snprintf.LIBCMT ref: 000001D7C96B82BF
_snprintf.LIBCMT ref: 000001D7C96B81E1

Part of subcall function 000001D7C96BFB3C: _errno.LIBCMT ref: 000001D7C96BFB73
Part of subcall function 000001D7C96BFB3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96BFB7E

_snprintf.LIBCMT ref: 000001D7C96B8514
_snprintf.LIBCMT ref: 000001D7C96B8870

Strings

%s%s, xrefs: 000001D7C96B8613
%s&%s, xrefs: 000001D7C96B87A6
%s&%s=%s, xrefs: 000001D7C96B82B3
%s%s: %s, xrefs: 000001D7C96B81D0
%s%s, xrefs: 000001D7C96B8503, 000001D7C96B852D, 000001D7C96B86D1, 000001D7C96B8862
?%s=%s, xrefs: 000001D7C96B8296
?%s, xrefs: 000001D7C96B8793

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
API String ID: 3442832105-1222817042
Opcode ID: a300468c6fe72c6097da56499318fb5d8946b08ca5a53162cc10779ed73073ce
Instruction ID: 69cb1dfeb85e7ee4eea52de7ce2e5072db9c3abeea6614cfcf781e838a5a9e3a
Opcode Fuzzy Hash: a300468c6fe72c6097da56499318fb5d8946b08ca5a53162cc10779ed73073ce
Instruction Fuzzy Hash: 0B42BA72628E8696E7659B1DD0013E9A3B0FF5479AF445102DF8927BE1FF38D2A6D300

Function 000001D7C96B2170 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150filetimeCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96B21A3

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

Part of subcall function 000001D7C96AD044: malloc.LIBCMT ref: 000001D7C96AD057

Part of subcall function 000001D7C96AD074: htonl.WS2_32 ref: 000001D7C96AD07F

GetCurrentDirectoryA.KERNEL32 ref: 000001D7C96B221B
FindFirstFileA.KERNEL32 ref: 000001D7C96B2254
GetLastError.KERNEL32 ref: 000001D7C96B2263
free.LIBCMT ref: 000001D7C96B229E
free.LIBCMT ref: 000001D7C96B22AB

Part of subcall function 000001D7C96BF744: HeapFree.KERNEL32 ref: 000001D7C96BF75A
Part of subcall function 000001D7C96BF744: _errno.LIBCMT ref: 000001D7C96BF764
Part of subcall function 000001D7C96BF744: GetLastError.KERNEL32 ref: 000001D7C96BF76C

FileTimeToSystemTime.KERNEL32 ref: 000001D7C96B22B8
SystemTimeToTzSpecificLocalTime.KERNEL32 ref: 000001D7C96B22C9
FindNextFileA.KERNEL32 ref: 000001D7C96B2386
FindClose.KERNEL32 ref: 000001D7C96B2397

Strings

F%I64d%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 000001D7C96B2369
%s, xrefs: 000001D7C96B2239
D0%02d/%02d/%02d %02d:%02d:%02d%s, xrefs: 000001D7C96B230B
.\*, xrefs: 000001D7C96B21FF

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
API String ID: 723279517-1754256099
Opcode ID: b2cddefc7184c549bf107702bf07d2e8f4ce03f5a0a54331037525f2b06f63c0
Instruction ID: d52d1ad279de1b4e2e256773f2cb690e285b26bf2f3a5b5c54d8f0bc36d42d19
Opcode Fuzzy Hash: b2cddefc7184c549bf107702bf07d2e8f4ce03f5a0a54331037525f2b06f63c0
Instruction Fuzzy Hash: 5961CF723287928AEB90DF62E4502DDB3A1F395B95F404016EE5963BD9FF78C50ADB00

Function 000001D7C9407474 Relevance: 23.0, APIs: 10, Strings: 5, Instructions: 545COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001D7C94076A2
_snprintf.LIBCMT ref: 000001D7C94076BF
_snprintf.LIBCMT ref: 000001D7C94075E1

Part of subcall function 000001D7C940EF3C: _errno.LIBCMT ref: 000001D7C940EF73
Part of subcall function 000001D7C940EF3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C940EF7E

_snprintf.LIBCMT ref: 000001D7C9407914
_snprintf.LIBCMT ref: 000001D7C9407C70

Strings

n %s: %d, xrefs: 000001D7C9407A13
Could not delete service %s on %s: %d, xrefs: 000001D7C9407903, 000001D7C940792D, 000001D7C9407AD1, 000001D7C9407C62
uotaPrivilege, xrefs: 000001D7C94076B3
s on %s: %d, xrefs: 000001D7C9407B93
UnsolicitedInputPrivilege, xrefs: 000001D7C94075D0

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: Could not delete service %s on %s: %d$UnsolicitedInputPrivilege$n %s: %d$s on %s: %d$uotaPrivilege
API String ID: 3442832105-3357686960
Opcode ID: 4a388a3500e23309305211a0916fb9d5f2e56421d066dfecfb9cf0b23f619661
Instruction ID: 7e365b9e6d39181ec63ea4e3afa07507a96bb11ab601f8584cbe7a323b8ead18
Opcode Fuzzy Hash: 4a388a3500e23309305211a0916fb9d5f2e56421d066dfecfb9cf0b23f619661
Instruction Fuzzy Hash: CC42BB71628E8595F6E58B29D4013EAA7B0FF54B56F046102DF8917BA1FF38D3A2C340

Function 000001D7C96B1474 Relevance: 18.2, APIs: 12, Instructions: 163processCOMMON

Download Yara Rule

APIs

CreateProcessAsUserA.ADVAPI32 ref: 000001D7C96B14CF
GetLastError.KERNEL32 ref: 000001D7C96B14DD
GetLastError.KERNEL32 ref: 000001D7C96B1501

Part of subcall function 000001D7C96B0394: MultiByteToWideChar.KERNEL32 ref: 000001D7C96B03C1
Part of subcall function 000001D7C96B0394: MultiByteToWideChar.KERNEL32 ref: 000001D7C96B03E9

CreateProcessA.KERNEL32 ref: 000001D7C96B1553
GetLastError.KERNEL32 ref: 000001D7C96B155D
GetCurrentDirectoryW.KERNEL32 ref: 000001D7C96B18B4
GetCurrentDirectoryW.KERNEL32 ref: 000001D7C96B18C8
CreateProcessWithTokenW.ADVAPI32 ref: 000001D7C96B1911

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
String ID:
API String ID: 3044875250-0
Opcode ID: 04179c845964deb68c3e57eb4d130a16038a537e60ffa904158875380d3ce5c6
Instruction ID: 46b392a2bcf0db6eae19888293becbb6e93721c9ba4c8b324a615f44b28098e3
Opcode Fuzzy Hash: 04179c845964deb68c3e57eb4d130a16038a537e60ffa904158875380d3ce5c6
Instruction Fuzzy Hash: 96719E72628B829AE7A09F61E48439E73A1F748B96F014127DE4D63BD4FF38C554DB40

Function 000001D7C96B975C Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96B978B

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

_snprintf.LIBCMT ref: 000001D7C96B97A3

Part of subcall function 000001D7C96BFB3C: _errno.LIBCMT ref: 000001D7C96BFB73
Part of subcall function 000001D7C96BFB3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96BFB7E

FindFirstFileA.KERNEL32 ref: 000001D7C96B97AE
free.LIBCMT ref: 000001D7C96B97BA

Part of subcall function 000001D7C96BF744: HeapFree.KERNEL32 ref: 000001D7C96BF75A
Part of subcall function 000001D7C96BF744: _errno.LIBCMT ref: 000001D7C96BF764
Part of subcall function 000001D7C96BF744: GetLastError.KERNEL32 ref: 000001D7C96BF76C

malloc.LIBCMT ref: 000001D7C96B980A
_snprintf.LIBCMT ref: 000001D7C96B9822
free.LIBCMT ref: 000001D7C96B984A
FindNextFileA.KERNEL32 ref: 000001D7C96B9863
FindClose.KERNEL32 ref: 000001D7C96B9874

Strings

%s\*, xrefs: 000001D7C96B9790

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
String ID: %s\*
API String ID: 2620626937-766152087
Opcode ID: 54f9aa238a9b14b78d6900c9a608394a74549a6a2548d8692def23f6ee0e1ee0
Instruction ID: 562282f9d5a916bd891461190ce270229c479f17801721d05e1bba3bcdf915ec
Opcode Fuzzy Hash: 54f9aa238a9b14b78d6900c9a608394a74549a6a2548d8692def23f6ee0e1ee0
Instruction Fuzzy Hash: 1931B73222C2C24DEA955B1368203E56B517746FD5F484553DEBA2B7E6FB38C462E304

Function 000001D7C96B3FA4 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113sleepprocesslibraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001D7C96B400E
GetProcAddress.KERNEL32 ref: 000001D7C96B401E

Part of subcall function 000001D7C96B3EC4: malloc.LIBCMT ref: 000001D7C96B3F02
Part of subcall function 000001D7C96B3EC4: free.LIBCMT ref: 000001D7C96B3F85

CreateToolhelp32Snapshot.KERNEL32 ref: 000001D7C96B4050
Thread32Next.KERNEL32 ref: 000001D7C96B40BA
Sleep.KERNEL32 ref: 000001D7C96B40D0

Strings

ntdll, xrefs: 000001D7C96B3FD9
NtQueueApcThread, xrefs: 000001D7C96B4014

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
String ID: NtQueueApcThread$ntdll
API String ID: 1427994231-1374908105
Opcode ID: 20a59f507c174f0246855fe173aa443fc8ca1cea60125863fb72f73cd4d096d5
Instruction ID: 5475e1b89103765c100a6039e52f300158b48c49802498f7ce6d29bef7ddc692
Opcode Fuzzy Hash: 20a59f507c174f0246855fe173aa443fc8ca1cea60125863fb72f73cd4d096d5
Instruction Fuzzy Hash: 96417932B29B4289EBA0DB62E8403ED33E4B74878AF544126DE4D67BD9FF38C5558340

Function 000001D7C96B6FB4 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 000001D7C96B6FEC
htons.WS2_32 ref: 000001D7C96B700C
ioctlsocket.WS2_32 ref: 000001D7C96B7028
closesocket.WS2_32 ref: 000001D7C96B7036
bind.WS2_32 ref: 000001D7C96B7049
listen.WS2_32 ref: 000001D7C96B7059

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonsioctlsocketlistensocket
String ID:
API String ID: 1767165869-0
Opcode ID: 421e139cbce63abcd903417d6c5fda3bfdeb631b68c69ebdeb05ee0f2575c63a
Instruction ID: f8b44b71cda5c48153137056ea582bf9f1380b48040c5e5ea7ddd79bee92ac4e
Opcode Fuzzy Hash: 421e139cbce63abcd903417d6c5fda3bfdeb631b68c69ebdeb05ee0f2575c63a
Instruction Fuzzy Hash: 9E213A723287818AEB608F02A410699B3A1F388FE2F441627DE6A237D4FF3CD4558700

Function 000001D7C96B6BAC Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 000001D7C96B6BD4
htons.WS2_32 ref: 000001D7C96B6BE0
socket.WS2_32 ref: 000001D7C96B6BF8
closesocket.WS2_32 ref: 000001D7C96B6C0A
bind.WS2_32 ref: 000001D7C96B6C37
ioctlsocket.WS2_32 ref: 000001D7C96B6C51

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonlhtonsioctlsocketsocket
String ID:
API String ID: 3910169428-0
Opcode ID: 5f1f9b92f709edd561825915fa2472d332640f924a90d7f2475158cda650eb4f
Instruction ID: 5568c28713cc831a38eafc19c7889ce99a8543939dca097e1c8be6b66ab3abf5
Opcode Fuzzy Hash: 5f1f9b92f709edd561825915fa2472d332640f924a90d7f2475158cda650eb4f
Instruction Fuzzy Hash: E321DF36328B918AE7A49F21E4143D93760F788BA6F504226CE69633D1FF3DC85AC740

Function 000001D7C96BE45C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001D7C96BE1CC: RevertToSelf.ADVAPI32 ref: 000001D7C96BE1E9

LogonUserA.ADVAPI32 ref: 000001D7C96BE4A4
GetLastError.KERNEL32 ref: 000001D7C96BE4AE

Part of subcall function 000001D7C96B652C: malloc.LIBCMT ref: 000001D7C96B6548

Part of subcall function 000001D7C96B0394: MultiByteToWideChar.KERNEL32 ref: 000001D7C96B03C1
Part of subcall function 000001D7C96B0394: MultiByteToWideChar.KERNEL32 ref: 000001D7C96B03E9

Part of subcall function 000001D7C96AD044: malloc.LIBCMT ref: 000001D7C96AD057

ImpersonateLoggedOnUser.ADVAPI32 ref: 000001D7C96BE4CC
GetLastError.KERNEL32 ref: 000001D7C96BE4D6

Strings

%s\%s, xrefs: 000001D7C96BE590

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
String ID: %s\%s
API String ID: 3621627092-4073750446
Opcode ID: 6cb54b0b77f34fceee840662518323cff89727c1bed3c68f1ad772e27f7d3d95
Instruction ID: e1aadde8555272a0ad8b44e3cbdd78271909e641db274777719fe245193e07e4
Opcode Fuzzy Hash: 6cb54b0b77f34fceee840662518323cff89727c1bed3c68f1ad772e27f7d3d95
Instruction Fuzzy Hash: FE413B71338B8689FA80EB62E8647DA33A1A785B92F400027ED4D677D6FF3DC5458740

Function 000001D7C96AFF5C Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001D7C96AFF7D
Sleep.KERNEL32 ref: 000001D7C96AFFEC
GetTickCount.KERNEL32 ref: 000001D7C96AFFF2
Sleep.KERNEL32 ref: 000001D7C96B000B
closesocket.WS2_32 ref: 000001D7C96B0014

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CountSleepTick$closesocket
String ID:
API String ID: 2363407838-0
Opcode ID: e78d28b31ffa37aab22e1791000697b612504a349b969914c2f477dbee4f7dbd
Instruction ID: 4ce7eb4780f99125c35b11700ed6337f82ff7200fd504dc38b9f0cde15e00dd4
Opcode Fuzzy Hash: e78d28b31ffa37aab22e1791000697b612504a349b969914c2f477dbee4f7dbd
Instruction Fuzzy Hash: 6C21F63272C68689EA90AB22E4552DA6350B785BF5F404722EEB9637E6FF3CC5058701

Function 000001D7C96BF398 Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

socket.WS2_32 ref: 000001D7C96BF3CD
closesocket.WS2_32 ref: 000001D7C96BF3DF
htons.WS2_32 ref: 000001D7C96BF3F0
bind.WS2_32 ref: 000001D7C96BF411
listen.WS2_32 ref: 000001D7C96BF426

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: bindclosesockethtonslistensocket
String ID:
API String ID: 564772725-0
Opcode ID: 3fdb714628dd163d5f8f076491d0d27cf3ed2110022bd917b45244b3f4d73c15
Instruction ID: fd6baf702e7b84e865de5fb02c80a7d4b09097fe0867b667c70f6203c26b4331
Opcode Fuzzy Hash: 3fdb714628dd163d5f8f076491d0d27cf3ed2110022bd917b45244b3f4d73c15
Instruction Fuzzy Hash: 4D11E9362287968AEAA0AF12E4152997360F784FA5F440216EEA9677E5FF3CC4158704

Function 00007FF7F72D2E70 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 00007FF7F72D31C0
Unknown pseudo relocation bit size %d., xrefs: 00007FF7F72D31B4
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00007FF7F72D2FFD

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: b0cf50d5c08cb4d86ba747f7a961140536a9f465ff7ed6e19a0df4589b4b5e41
Instruction ID: 2288b955b3a66f00f8cb18f13c392ba13d98226ff03cef309c4c447b636b1d00
Opcode Fuzzy Hash: b0cf50d5c08cb4d86ba747f7a961140536a9f465ff7ed6e19a0df4589b4b5e41
Instruction Fuzzy Hash: 5E91C32BE0955386EB106B25D5C02B9E2B0BF55760F948239DD3D977D9DF3CE80382A0

Function 000001D7C96AD840 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE

Download Yara Rule

Strings

%s!%s, xrefs: 000001D7C96AD9EF

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID: %s!%s
API String ID: 0-2935588013
Opcode ID: a4c05c1b14daa3a77a53e829bdfcfb3d534517f36a48215eead891447f542af8
Instruction ID: cd9ac4f7a8b3c84cf24139579821fd92be1d28e2d0a2399ac85f83e8eb8f1cfa
Opcode Fuzzy Hash: a4c05c1b14daa3a77a53e829bdfcfb3d534517f36a48215eead891447f542af8
Instruction Fuzzy Hash: 905151762286428AEBA49F52D0107E973A1F788F95F448027DF8A677C5FF38C942C714

Function 000001D7C96B10B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

LookupPrivilegeValueA.ADVAPI32 ref: 000001D7C96B112A
AdjustTokenPrivileges.ADVAPI32 ref: 000001D7C96B115A
GetLastError.KERNEL32 ref: 000001D7C96B1164

Strings

%s, xrefs: 000001D7C96B1172

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID: %s
API String ID: 4244140340-620797490
Opcode ID: 34473db27fbecd0f4eb9555b0174b27b37fc7610363351362d1624780b6d2fed
Instruction ID: 15068be5a9ccd99b57cdeb44e58090ad43ec00e1af965620c9ed2ff27cd1d37b
Opcode Fuzzy Hash: 34473db27fbecd0f4eb9555b0174b27b37fc7610363351362d1624780b6d2fed
Instruction Fuzzy Hash: 84214872B24B41AEE7509BA1D4547ED73A5E758B89F448426CE0DA3AC9FF34C629C380

Function 000001D7C96B5D98 Relevance: 6.1, APIs: 4, Instructions: 73sleepnetworkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001D7C96B5DBF
Sleep.KERNEL32 ref: 000001D7C96B5E0E
GetTickCount.KERNEL32 ref: 000001D7C96B5E14
WSAGetLastError.WS2_32 ref: 000001D7C96B5E1E

Part of subcall function 000001D7C96B5F64: ioctlsocket.WS2_32 ref: 000001D7C96B5F86

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepioctlsocket
String ID:
API String ID: 1121440892-0
Opcode ID: 792327efb1382e688cc84a4780f364e8344829cec60b3608e7b407cebac9372d
Instruction ID: 0aa11c5d282834b6e619110fb16cd0b09f797022b56c590587f1bf989750f3f1
Opcode Fuzzy Hash: 792327efb1382e688cc84a4780f364e8344829cec60b3608e7b407cebac9372d
Instruction Fuzzy Hash: DA316C36B18B418AEB50DBA2E4942EC77B5F388BA1F410226DE6DA37D5EF30C556D340

Function 000001D7C941BFE0 Relevance: 5.9, Strings: 4, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

<, xrefs: 000001D7C941C69E
ailure #%d - %s, xrefs: 000001D7C941C2EA, 000001D7C941C53F, 000001D7C941C906
, xrefs: 000001D7C941C693
e ', xrefs: 000001D7C941CC63, 000001D7C941CCDC, 000001D7C941CD55, 000001D7C941CDCE

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID: $<$ailure #%d - %s$e '
API String ID: 0-963976815
Opcode ID: 3dd62a58e4c8a2f1ab0d058f17d6638ac7d51d29487c991669104ce781cd66b3
Instruction ID: fe917de0882d75acaeea0d25f3303b31e51297d6fe83324554accb1f85c89146
Opcode Fuzzy Hash: 3dd62a58e4c8a2f1ab0d058f17d6638ac7d51d29487c991669104ce781cd66b3
Instruction Fuzzy Hash: 809213B2328A8187DB58CB1DE4A173AB7A1F3C8B84F54512AE79B87794DE3CC551CB04

Function 000001D7C96ADA40 Relevance: 4.9, APIs: 3, Instructions: 374memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001D7C96B6654: htonl.WS2_32 ref: 000001D7C96B6671

GetLastError.KERNEL32 ref: 000001D7C96ADD37

Part of subcall function 000001D7C96BD10C: GetCurrentProcess.KERNEL32 ref: 000001D7C96BD199

HeapCreate.KERNEL32 ref: 000001D7C96ADCDE
HeapAlloc.KERNEL32 ref: 000001D7C96ADCFC

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
String ID:
API String ID: 3419463915-0
Opcode ID: 02b7ddf5de5b4d92ccd982b661501ff526260ec95ebc56a69cbe10d1074755d6
Instruction ID: cafc0f440d13ee6e8c65555ab1dbc6135a1fa23fadc8105465e95cfd3c4e89ab
Opcode Fuzzy Hash: 02b7ddf5de5b4d92ccd982b661501ff526260ec95ebc56a69cbe10d1074755d6
Instruction Fuzzy Hash: 43E162B2624B428BFBA4DB25E8513EA63A1F754756F444126DB8AA77D2FF3CE441C300

Function 000001D7C96BE3D4 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32 ref: 000001D7C96BE423
CheckTokenMembership.ADVAPI32 ref: 000001D7C96BE43A
FreeSid.ADVAPI32 ref: 000001D7C96BE44B

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a75cdac8505179d215611e31dd2353c992142b8573aa84a62485a2f2ad9d8795
Instruction ID: e13c1d5a9613a3ae823de1208b3542c6001c7c124a598554555fc7222b5e8402
Opcode Fuzzy Hash: a75cdac8505179d215611e31dd2353c992142b8573aa84a62485a2f2ad9d8795
Instruction Fuzzy Hash: CA011A73624A818FE7208F20E8493AE37B0F7547AFF011919E65946AD9DB7CC169CB80

Function 000001D7C9407FB8 Relevance: 3.6, Strings: 2, Instructions: 1078COMMONLIBRARYCODE

Download Yara Rule

Strings

nputPrivilege, xrefs: 000001D7C9408069
ineAccountPrivilege, xrefs: 000001D7C9408982

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID: ineAccountPrivilege$nputPrivilege
API String ID: 0-565763626
Opcode ID: 8b5d356e72782b4cabc311c546230909388f4c5c7f8ffaa225ea34b5a455c1d8
Instruction ID: bda8c0892c81a10f68561980821fca916ec5e3831c90a6378ca316daedb67a36
Opcode Fuzzy Hash: 8b5d356e72782b4cabc311c546230909388f4c5c7f8ffaa225ea34b5a455c1d8
Instruction Fuzzy Hash: F882C031B3C6438EFAE8DB2699507EB12D0A789782F946157D90A437D9FF39CB858700

Function 000001D7C96CCBE0 Relevance: 3.4, Strings: 2, Instructions: 884COMMONLIBRARYCODE

Download Yara Rule

Strings

<, xrefs: 000001D7C96CD29E
, xrefs: 000001D7C96CD293

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID: $<
API String ID: 0-428540627
Opcode ID: 3dd62a58e4c8a2f1ab0d058f17d6638ac7d51d29487c991669104ce781cd66b3
Instruction ID: 5e727405afb43f11460854a9a88365a77284d1f7de4270a4529002cf6daccf40
Opcode Fuzzy Hash: 3dd62a58e4c8a2f1ab0d058f17d6638ac7d51d29487c991669104ce781cd66b3
Instruction Fuzzy Hash: E992E2B2329A8187DB58CB1DE4A173AB7A1F3C8B84F44512AE79B87794DE3CD451CB04

Function 000001D7C96B17A8 Relevance: 3.0, APIs: 2, Instructions: 32processCOMMON

Download Yara Rule

APIs

CreateProcessWithLogonW.ADVAPI32 ref: 000001D7C96B17F7
GetLastError.KERNEL32 ref: 000001D7C96B1808

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CreateErrorLastLogonProcessWith
String ID:
API String ID: 2609480667-0
Opcode ID: 03398825b3d1c02719eeb176c161a53c6e60b1fc061c8c08be135642241738ac
Instruction ID: fb12cb89d484563a4eeaa497357a2281d30a36158f6b1ff1c1fd31eaf98ac5f7
Opcode Fuzzy Hash: 03398825b3d1c02719eeb176c161a53c6e60b1fc061c8c08be135642241738ac
Instruction Fuzzy Hash: C701FF72738B098AE7908F25E45539D33E0F709B92F110126DE5C9B3D0EB3AC4918750

Function 000001D7C96B60F8 Relevance: 1.5, APIs: 1, Instructions: 40networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 000001D7C96B6137

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 204e9fabf0f319606b06c1cc87c5eda96219c54615745dc82163117563755456
Instruction ID: 6d33e4dc7d3b370fe5c2e46b1d6cc4ded9b63728a34c21fef8b624eb0cd0391a
Opcode Fuzzy Hash: 204e9fabf0f319606b06c1cc87c5eda96219c54615745dc82163117563755456
Instruction Fuzzy Hash: C7012D32734B9189E7A08F1F998065DA6D1B7C8FD1F591126DF5963FC2EB34C8414700

Function 000001D7C96B0E60 Relevance: 1.5, APIs: 1, Instructions: 33pipeCOMMON

Download Yara Rule

APIs

CreateNamedPipeA.KERNEL32 ref: 000001D7C96B0ECA

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CreateNamedPipe
String ID:
API String ID: 2489174969-0
Opcode ID: 05647b4a4c1fc355d84e7d655355b7c5327ba289d2ddfaea4aea95314d2ad727
Instruction ID: 4750eda948467a93da254a4f5529618c21cad18a55635a22bf477aa5ca6fe700
Opcode Fuzzy Hash: 05647b4a4c1fc355d84e7d655355b7c5327ba289d2ddfaea4aea95314d2ad727
Instruction Fuzzy Hash: B0018072528B828EEB91CB10F4443D977A2F7983A6F444316DA98126D5FB7DC519C700

Function 000001D7C96AF900 Relevance: 1.5, APIs: 1, Instructions: 26timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 000001D7C96AF91F

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID:
API String ID: 481472006-0
Opcode ID: 2ca6bd0b6bd0201f12a1f82776f719e099e7c440c7acce6004dc57a7fa84fe9d
Instruction ID: 45025ec9303a3c27fa925836f107c303f04305d1043a6cb1252a7d0d30598b7b
Opcode Fuzzy Hash: 2ca6bd0b6bd0201f12a1f82776f719e099e7c440c7acce6004dc57a7fa84fe9d
Instruction Fuzzy Hash: BEF05C2331830382E3A05736F4C13BA92A1E7D4706F048033FB89002E8FF2CC554D610

Function 000001D7C941CBC7 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

e ', xrefs: 000001D7C941CC63, 000001D7C941CCDC, 000001D7C941CD55, 000001D7C941CDCE

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID: e '
API String ID: 0-2178105616
Opcode ID: 04cf8bb6c4705d518444ef124c7ec9aebae715bb8b4d17eb2d358352ec1ddb30
Instruction ID: 7092fa5de4ed0f1059c2f93f8f6943ccdf396ef50234b30e6423bd309ffa3c5a
Opcode Fuzzy Hash: 04cf8bb6c4705d518444ef124c7ec9aebae715bb8b4d17eb2d358352ec1ddb30
Instruction Fuzzy Hash: 07610DB62189518BD764CB0DE4906ABB7E1F3CC795F84421AE38B877A8DB3CD645CB40

Function 000001D7C96CE420 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177cfb6c210dc30187cec561792c10bd606c3241999996ddb5a237ff4e4755f6
Instruction ID: 1b0579b2aded20764f30ba887c5b678299f480d64ff83c8268338384d869d911
Opcode Fuzzy Hash: 177cfb6c210dc30187cec561792c10bd606c3241999996ddb5a237ff4e4755f6
Instruction Fuzzy Hash: 6C5240B22189818BD708CB1CE4A177AB7A1F3C9B81F44852AE7978B7D9DE3DD554CB00

Function 000001D7C941D820 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 177cfb6c210dc30187cec561792c10bd606c3241999996ddb5a237ff4e4755f6
Instruction ID: 56563f0f1914fd445827dd77d968a3e1f0d98d6e3ca2b5e07419546d3562a7ed
Opcode Fuzzy Hash: 177cfb6c210dc30187cec561792c10bd606c3241999996ddb5a237ff4e4755f6
Instruction Fuzzy Hash: D45260B22189418BD748CB1DE4A177BB7A1F3C9B81F44852AE79B8B799DE3CD550CB00

Function 000001D7C96CDAB0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ba36bcabf53b47ba01c37f190381b0d8be5cbd2fc2a90ad990dcb4eb28ae54
Instruction ID: 1b3a0924c78d2d99a3c783f3933db8861f0a1fcc3cbf50e22d6cd5d575d4780f
Opcode Fuzzy Hash: 76ba36bcabf53b47ba01c37f190381b0d8be5cbd2fc2a90ad990dcb4eb28ae54
Instruction Fuzzy Hash: 875262B23189818BD708CF1DE4A177AB7A1F3C9B80F44852AE7968B7D8DA7CD554CB40

Function 000001D7C941CEB0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76ba36bcabf53b47ba01c37f190381b0d8be5cbd2fc2a90ad990dcb4eb28ae54
Instruction ID: 7ce942cd32e5bc0468e5d96ea71e44665bf7c3facd478629c5d60c9d3d59b048
Opcode Fuzzy Hash: 76ba36bcabf53b47ba01c37f190381b0d8be5cbd2fc2a90ad990dcb4eb28ae54
Instruction Fuzzy Hash: 505263B22189818BD718CF1DE4A177BB7E1F3C9B80F44852AE7868B799DA3CD555CB00

Function 000001D7C96AA280 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 261718a5b65d74d2d9e8cbe016fa361144473f8925d77c55ec3bf8b97cde1422
Instruction ID: 33b5b37c062327166254d765e7f4c877a5a9eca421aa584a7f810c3def35aa97
Opcode Fuzzy Hash: 261718a5b65d74d2d9e8cbe016fa361144473f8925d77c55ec3bf8b97cde1422
Instruction Fuzzy Hash: 00F1A47632CA438AEBA0DB25D4507EEA3A2F794785F504117EA49A76C5FF38CD05CB40

Function 000001D7C93F9680 Relevance: .4, Instructions: 404COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 66fc62851c9abf3b385335146fbdb6ba028db3909512b6f2b2f9707742c26f42
Instruction ID: cf1d5946d8100ef5c5c21a58ee0950c583941e32c489379eeab676f4f9729389
Opcode Fuzzy Hash: 66fc62851c9abf3b385335146fbdb6ba028db3909512b6f2b2f9707742c26f42
Instruction Fuzzy Hash: 01F1747272CA438AEFA0DB15E4903EE63A1F794799F900196DA49877D9FB34CD05CB40

Function 000001D7C93FCE40 Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861d0326142a104b8eb7dc31cf038aeb0ccd7518fe8e3dcd7051e7ed0b3d7574
Instruction ID: 62fe96725493c03166cb66e2050ca289b5a2a9d923dae8564c82cbcae7701614
Opcode Fuzzy Hash: 861d0326142a104b8eb7dc31cf038aeb0ccd7518fe8e3dcd7051e7ed0b3d7574
Instruction Fuzzy Hash: 94E1A4726247428BFBA4CB75E8453EA63A1F784396F045166DB9A97BD2FB3CE141C300

Function 000001D7C96A9D6C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2359467e97bf766c8a748fb91a16a593338d6753266c883ef505e57511b55303
Instruction ID: 9adf1d96f2136e1b75886cf27659b03086fc5a881200229574b92e6b7b3ff5d4
Opcode Fuzzy Hash: 2359467e97bf766c8a748fb91a16a593338d6753266c883ef505e57511b55303
Instruction Fuzzy Hash: 50E1E67232CA4399EFA09B65D4903EEA7A1F794789F900013EA4EA76C9FF35C945C740

Function 000001D7C93F916C Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 0c0df894b6042dc5db8f19f1691d6144bd08338a35997678cc92eb69eb014468
Instruction ID: 4136bdf6faf968c39b2bc9103ce665626a944f0daf8f29494f57cd2955145cd8
Opcode Fuzzy Hash: 0c0df894b6042dc5db8f19f1691d6144bd08338a35997678cc92eb69eb014468
Instruction Fuzzy Hash: 8FE1D072328A479AEFA0DB65D4803EE67A1F79479AF800053EA4E876D9FF34C945C740

Function 000001D7C9400874 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1467c70d1553a1d0e3c1f1674eba45bbfab2790acd390ecf68e6afbda94d0812
Instruction ID: 77ae7ae280285cf0f444a0696712b801e1651fdad185a8e814aa7d92b5990955
Opcode Fuzzy Hash: 1467c70d1553a1d0e3c1f1674eba45bbfab2790acd390ecf68e6afbda94d0812
Instruction Fuzzy Hash: EC715C32628A46CAEBE09F61E4443DF73A1F788B96F106126DA4943BD4EF38C655CB50

Function 000001D7C96CD7C7 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cf8bb6c4705d518444ef124c7ec9aebae715bb8b4d17eb2d358352ec1ddb30
Instruction ID: 5a1104771bce7dd11848dfc6e8d7f200f838784932052ac5af8b4656ac4ab214
Opcode Fuzzy Hash: 04cf8bb6c4705d518444ef124c7ec9aebae715bb8b4d17eb2d358352ec1ddb30
Instruction Fuzzy Hash: 18612DB62185508BD764CF0DE4A0A6AB7E1F3CCBC5F84421AE38A977A8DB3CD555CB40

Function 000001D7C94217A8 Relevance: .1, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7a29c81167dccaa1daa121897eef9cd171a60f0ed2ecd43f4ba4e25b9cc1849
Instruction ID: 67916d88d114099d6b48d0c5851294640c6e092044dacc36e3aed64bc2f2f2a2
Opcode Fuzzy Hash: c7a29c81167dccaa1daa121897eef9cd171a60f0ed2ecd43f4ba4e25b9cc1849
Instruction Fuzzy Hash: 2C411B6347CAF5C8E3DB4639C5AD3DF2E102BD6751F9A8086C151472E3E60D6700E667

Function 000001D7C9414BFC Relevance: .1, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7257b53ee169218146d0da074dabb15e792c227cff79515d69157a49e4bd87e
Instruction ID: b1aed48a3eab768e8cbf5381abbd655dac543823e130bbefc4fb85d61d34d965
Opcode Fuzzy Hash: b7257b53ee169218146d0da074dabb15e792c227cff79515d69157a49e4bd87e
Instruction Fuzzy Hash: F741BC6346CAE2D8E3DB4B34882E3CB2F0023A5752F59849BD155871F3F21D6B00EA57

Function 000001D7C9414C18 Relevance: .1, Instructions: 91COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d9bade748e5799d996e5704c058b68c115c07edf7a52bf47b200609ad3dcd6
Instruction ID: 36f281d50b1edfdcd9160330bc8b945086a91c340f597f0d110d84e1f6e18032
Opcode Fuzzy Hash: 95d9bade748e5799d996e5704c058b68c115c07edf7a52bf47b200609ad3dcd6
Instruction Fuzzy Hash: 64419B6346CAE2D8E3DB4B34C86E3CB2F0023A5752F59849BD155871E3F21D6B00EA57

Function 000001D7C9421858 Relevance: .1, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3660dda1407974d70ffb88eb8eab61afd398a388397400cd12ff9a9ea511d26b
Instruction ID: b6f2e804d20b188346f57ba1cb6e3e813b702754021ba2fc4676e231408add18
Opcode Fuzzy Hash: 3660dda1407974d70ffb88eb8eab61afd398a388397400cd12ff9a9ea511d26b
Instruction Fuzzy Hash: 6931185347CAF5C8E3CB063885AD3CF1E002BD6752F9A8087C1504B2E3B10A6B00EA27

Function 000001D7C94218C0 Relevance: .1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8158077ea318ea9f4d241cbb3e41b99fffe868b69613d1616e691b674cc112f
Instruction ID: 11b54dc1f4a42c10b97d91501e85182b9215af936daa8a066da3d1c34d5fb1ff
Opcode Fuzzy Hash: f8158077ea318ea9f4d241cbb3e41b99fffe868b69613d1616e691b674cc112f
Instruction Fuzzy Hash: 2E314C5347CAF1D8E3C74A38846D3DF2E0017D6751F9A80D6D155471E3B10D6B01EA67

Function 000001D7C9421818 Relevance: .1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97a8e3957a544242ca959196603d6dbb57cdd316dd800b22927bc648f16bb62
Instruction ID: 55fa8ea72590b95a48eab5addf90c6027698c65f389e062fc7d4ca2331189397
Opcode Fuzzy Hash: c97a8e3957a544242ca959196603d6dbb57cdd316dd800b22927bc648f16bb62
Instruction Fuzzy Hash: D411335343CAF1C4E3DB063585AD2CF2F002FD6751F9B818AC150072E3E1096700E627

Function 000001D7C9421828 Relevance: .0, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b18645495ca256217ab2dd4a91cbd65c2c6b655dddb833748d08f91bd2e1b39
Instruction ID: 0914e6f15c1f17189eee514d25c173b729c9cb4ed9cf6be09138a93db376090b
Opcode Fuzzy Hash: 2b18645495ca256217ab2dd4a91cbd65c2c6b655dddb833748d08f91bd2e1b39
Instruction Fuzzy Hash: 7A11256347CAF5C8E3DB063585AD7DF2E102BDA761F9A858AC150472E3A10A6700EA67

Function 000001D7C9421898 Relevance: .0, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc993a659c31b1d60a175b379ce35561194c69a30c4278e0167caa30905b4566
Instruction ID: a9df27944478715de8e71478eaba1e9a694a78c132ac6f4b6e934543a5eaae8c
Opcode Fuzzy Hash: bc993a659c31b1d60a175b379ce35561194c69a30c4278e0167caa30905b4566
Instruction Fuzzy Hash: 0911065346CBF5C8E3DB467984AD2CF2E4017D6752F9A848BD2504B2E3B14A2B40E663

Function 000001D7C9421840 Relevance: .0, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abb56b77912eaa1f88cdd956890c91072901fcf819a01ab95296dbb87f6e9439
Instruction ID: bb39749b413f74267f0d0c9d0e14a5aa37e41f925da867dced0a6673b89fac1c
Opcode Fuzzy Hash: abb56b77912eaa1f88cdd956890c91072901fcf819a01ab95296dbb87f6e9439
Instruction Fuzzy Hash: 5A111B5347CAF5C8F3CB063584AD2DF1E002BD6761F9A8186C150472E3A10A6701EA27

Function 000001D7C94217A0 Relevance: .0, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10d2af5b6c66257311c60e8f870a70fd7aea9df3a9c77542d3c709e4d3e6d926
Instruction ID: dfb6632652df6f8eee2cb4ef94c98a01fba7b39cc43377170f7dd524a0d74f56
Opcode Fuzzy Hash: 10d2af5b6c66257311c60e8f870a70fd7aea9df3a9c77542d3c709e4d3e6d926
Instruction Fuzzy Hash: 4A012E6347CAF6C8E3D74A38C5AD3CF2E1027E6722F998086C151471E3E60D6B00E667

Function 000001D7C9421798 Relevance: .0, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a9dc1997f9fafdf143e339f0faf0dd23e3b5a624eec9c445fb9a1bdfa8ea85
Instruction ID: ce5219af67b461b7cfcf12e65aa6146b9b268d0f5354857cb13eab166071432d
Opcode Fuzzy Hash: e2a9dc1997f9fafdf143e339f0faf0dd23e3b5a624eec9c445fb9a1bdfa8ea85
Instruction Fuzzy Hash: 3E013D6347CAE5C8E3D74A38C9AD2CF2E0017E6722F5A808AC191471E3E20D6B00F667

Function 000001D7C9421830 Relevance: .0, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3890cdc92c189aad4b73e64c0e34a63d7c06d4d0b6a3d5b5cec549642c075c
Instruction ID: 42a152a942003273a5eee42a38dd23958f5645fea1cd19442e52d7c041f57042
Opcode Fuzzy Hash: 1e3890cdc92c189aad4b73e64c0e34a63d7c06d4d0b6a3d5b5cec549642c075c
Instruction Fuzzy Hash: 9D014B5747CAF5C4E3CB4A3594AD2DF2F101BD9721F9B81C6C1514B2E3A10D6710E667

Function 000001D7C94218B8 Relevance: .0, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b81051a975db4bca78117e00df12f6284e44b2b0776ed5e7642aae83ad65a74d
Instruction ID: 6bf67ffca41184a09110367bf8dbdfa3ac22a8f1e6c80ce7764fbf8271110815
Opcode Fuzzy Hash: b81051a975db4bca78117e00df12f6284e44b2b0776ed5e7642aae83ad65a74d
Instruction Fuzzy Hash: 7001375347CAF1C4E3C70678846D6CF1E4017D6711F9A818AD154472D3B14A5B00E627

Function 000001D7C94217B8 Relevance: .0, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8882301a05acc9cebb4cfe71c8087640a57291323ffc8fd706e22c9795861f6b
Instruction ID: b2b27c419d90b2cfb32816fce4f672f370d9341551b30bb7833730d155157a48
Opcode Fuzzy Hash: 8882301a05acc9cebb4cfe71c8087640a57291323ffc8fd706e22c9795861f6b
Instruction Fuzzy Hash: 20F0FF6347CAF6C4E3C74A38D56D2CF2E0017D6B12F9E808AC2914B2D3E14D6B00E623

Function 000001D7C94217C0 Relevance: .0, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60729fe1fc4e479660216f54ecdf6e1e4b166f9a69dbd5f24a058d3eaf03c0fc
Instruction ID: 8b37017e7c59456d5cf221b867a9c915718f2b4a6ca5c8d7cf4572812e6fc989
Opcode Fuzzy Hash: 60729fe1fc4e479660216f54ecdf6e1e4b166f9a69dbd5f24a058d3eaf03c0fc
Instruction Fuzzy Hash: B2F0B25307CAF5C4E3D70939D56D2CF1E1017D6712F9A8086D1914B2D3E1596B01E673

Function 000001D7C96AEF60 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 276sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001D7C96AF048
_snprintf.LIBCMT ref: 000001D7C96AF073
_snprintf.LIBCMT ref: 000001D7C96AF08F
_snprintf.LIBCMT ref: 000001D7C96AF144
_snprintf.LIBCMT ref: 000001D7C96AF15B
WinHttpOpenRequest.WINHTTP ref: 000001D7C96AF1DB
WinHttpSetCredentials.WINHTTP ref: 000001D7C96AF274
WinHttpSendRequest.WINHTTP ref: 000001D7C96AF2B1
WinHttpReceiveResponse.WINHTTP ref: 000001D7C96AF2C4
WinHttpQueryHeaders.WINHTTP ref: 000001D7C96AF2F7
WinHttpQueryAuthSchemes.WINHTTP ref: 000001D7C96AF32F
GetLastError.KERNEL32 ref: 000001D7C96AF362
WinHttpCloseHandle.WINHTTP ref: 000001D7C96AF3A2
Sleep.KERNEL32 ref: 000001D7C96AF3B6
WinHttpCloseHandle.WINHTTP ref: 000001D7C96AF3D5

Strings

%s%s, xrefs: 000001D7C96AF150
*/*, xrefs: 000001D7C96AEF82

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Http$_snprintf$CloseHandleQueryRequest$AuthCredentialsErrorHeadersLastOpenReceiveResponseSchemesSendSleep
String ID: %s%s$*/*
API String ID: 379481838-856325523
Opcode ID: 3c2ef2ae461d2eb14bb6cd757991d8910d1010a7ab1da2219b913b1a059c6b92
Instruction ID: d15a2cc5a6debab0d9ac6aa3fd7bbf75af36319fa56a96d0dd7fc7a0217d4f71
Opcode Fuzzy Hash: 3c2ef2ae461d2eb14bb6cd757991d8910d1010a7ab1da2219b913b1a059c6b92
Instruction Fuzzy Hash: FCD19E72228A828EEBA0DF65E8507D933A0F78879AF400127DA4E677E5FF38C555C750

Function 000001D7C96B711C Relevance: 22.7, APIs: 15, Instructions: 195networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 000001D7C96B7179
select.WS2_32 ref: 000001D7C96B71E7
__WSAFDIsSet.WS2_32 ref: 000001D7C96B71FF
accept.WS2_32 ref: 000001D7C96B721C
ioctlsocket.WS2_32 ref: 000001D7C96B7234
__WSAFDIsSet.WS2_32 ref: 000001D7C96B72D7
accept.WS2_32 ref: 000001D7C96B72ED

Part of subcall function 000001D7C96B5F64: ioctlsocket.WS2_32 ref: 000001D7C96B5F86

__WSAFDIsSet.WS2_32 ref: 000001D7C96B736F
__WSAFDIsSet.WS2_32 ref: 000001D7C96B7387
closesocket.WS2_32 ref: 000001D7C96B7449

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: acceptioctlsocket$closesockethtonlselect
String ID:
API String ID: 2003300010-0
Opcode ID: 7fc8180dad7fc12b42a6d1c61c9cc3578abc139918dd39fc80d7c9543dd8493f
Instruction ID: 5b130647f170cece7aee28a3a5411483747ff082c1f744f5df91ddd2b9512a66
Opcode Fuzzy Hash: 7fc8180dad7fc12b42a6d1c61c9cc3578abc139918dd39fc80d7c9543dd8493f
Instruction Fuzzy Hash: A3919D32228A928AEBA0DF21D9407DD77A0F784B9AF401126EA4D57ED8FF34C564C740

Function 000001D7C96B5924 Relevance: 18.1, APIs: 12, Instructions: 105pipesleepfileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001D7C96B5B28
GetTickCount.KERNEL32 ref: 000001D7C96B5B34
CreateFileA.KERNEL32 ref: 000001D7C96B5B62
GetLastError.KERNEL32 ref: 000001D7C96B5B71
WaitNamedPipeA.KERNEL32 ref: 000001D7C96B5B86
Sleep.KERNEL32 ref: 000001D7C96B5B93
GetTickCount.KERNEL32 ref: 000001D7C96B5B99
GetLastError.KERNEL32 ref: 000001D7C96B5BAF
GetLastError.KERNEL32 ref: 000001D7C96B5BC7
SetNamedPipeHandleState.KERNEL32 ref: 000001D7C96B5BF2
GetLastError.KERNEL32 ref: 000001D7C96B5BFC
DisconnectNamedPipe.KERNEL32 ref: 000001D7C96B5C76

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
String ID:
API String ID: 34948862-0
Opcode ID: 945c7d521b3e96c2fe00dc85e9b1f72f2f03e93d0182cd224bbe70bf1bc91316
Instruction ID: 2b19cade487c9ceb1ac3e73da3c7a81491107e52b7472581293bcb5ac5869dc6
Opcode Fuzzy Hash: 945c7d521b3e96c2fe00dc85e9b1f72f2f03e93d0182cd224bbe70bf1bc91316
Instruction Fuzzy Hash: C2417332628B428AFB90DB61E8547EC3361E788BA6F504226DE2A677D4FF34C4559740

Function 000001D7C96C0834 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000001D7C96C0845
free.LIBCMT ref: 000001D7C96C0862

Part of subcall function 000001D7C96BF744: HeapFree.KERNEL32 ref: 000001D7C96BF75A
Part of subcall function 000001D7C96BF744: _errno.LIBCMT ref: 000001D7C96BF764
Part of subcall function 000001D7C96BF744: GetLastError.KERNEL32 ref: 000001D7C96BF76C

free.LIBCMT ref: 000001D7C96C0877
free.LIBCMT ref: 000001D7C96C0898
free.LIBCMT ref: 000001D7C96C08AD
free.LIBCMT ref: 000001D7C96C08C1
free.LIBCMT ref: 000001D7C96C08CD
free.LIBCMT ref: 000001D7C96C08F8
EncodePointer.KERNEL32 ref: 000001D7C96C0900
free.LIBCMT ref: 000001D7C96C0919
free.LIBCMT ref: 000001D7C96C0932
free.LIBCMT ref: 000001D7C96C0963

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
String ID:
API String ID: 4099253644-0
Opcode ID: 60ad6c079617da537901ca8f2940b60a2a8a8b99f6e9f423de53085c89060ed6
Instruction ID: 5a9fa8b9f285885c94645a1deca25bd6d84ad010f7d7ae451d8dbe0f964af975
Opcode Fuzzy Hash: 60ad6c079617da537901ca8f2940b60a2a8a8b99f6e9f423de53085c89060ed6
Instruction Fuzzy Hash: BA312B3263AA478DFEC5AF51E8643E433A0AB44B93F184227DD5A3A6E5FF2DC4509740

Function 000001D7C96B7844 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001D7C96B7872
select.WS2_32 ref: 000001D7C96B78C9
__WSAFDIsSet.WS2_32 ref: 000001D7C96B78D8
__WSAFDIsSet.WS2_32 ref: 000001D7C96B78F0
GetTickCount.KERNEL32 ref: 000001D7C96B78F9
gethostbyname.WS2_32 ref: 000001D7C96B790C
htons.WS2_32 ref: 000001D7C96B7924
inet_addr.WS2_32 ref: 000001D7C96B7936
sendto.WS2_32 ref: 000001D7C96B795F

Strings

d, xrefs: 000001D7C96B7883

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
String ID: d
API String ID: 1257931466-2564639436
Opcode ID: 6cdc9b771fc89724d7abc04eb1f34b74a7c4df3fc9e2a1eb9ca9f43801e000c4
Instruction ID: 203e1bc7d4bd719e4e40279d5ace97f659eda7767032ea04c6cdb84c7f23fa7b
Opcode Fuzzy Hash: 6cdc9b771fc89724d7abc04eb1f34b74a7c4df3fc9e2a1eb9ca9f43801e000c4
Instruction Fuzzy Hash: 88316433228BC18AD7608F61E8447DA77A4F788B89F005126EE8D57BD4EF78C555C740

Function 000001D7C9416D1C Relevance: 16.6, APIs: 11, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C9416D4E

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

__doserrno.LIBCMT ref: 000001D7C9416D45

Part of subcall function 000001D7C94118CC: _getptd_noexit.LIBCMT ref: 000001D7C94118D0

__doserrno.LIBCMT ref: 000001D7C9416DAB
_errno.LIBCMT ref: 000001D7C9416DB2
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C9416E16

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 2cf4fd34009df996d67cc9b91136e795f04800b1a19b53a3e2ac4eebef8247f3
Instruction ID: 8fe32ceecc6dff2311569a687340d58c2757cea24ae94cda900482895132ff3c
Opcode Fuzzy Hash: 2cf4fd34009df996d67cc9b91136e795f04800b1a19b53a3e2ac4eebef8247f3
Instruction Fuzzy Hash: BD31C132338782CEE7966F6699413EF3651A7847A2F658217A921077D2FB38CB42C704

Function 000001D7C941236C Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

write_multi_char.LIBCMT ref: 000001D7C941280F
write_string.LIBCMT ref: 000001D7C941282C
write_multi_char.LIBCMT ref: 000001D7C9412849
write_string.LIBCMT ref: 000001D7C94128A8
write_multi_char.LIBCMT ref: 000001D7C9412901
free.LIBCMT ref: 000001D7C9412915

Strings

, xrefs: 000001D7C94127E3

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: write_multi_char$write_string$free
String ID:
API String ID: 2630409672-3916222277
Opcode ID: 620c4b8af33bd80c1bbb3547b529bec1dcc0e99b9abdf6e3b9f3d6c13cf3f98f
Instruction ID: 98479b8ce5ecc596c5e659b921e61a151ff01b09234ac269e55c85bfc1721d4a
Opcode Fuzzy Hash: 620c4b8af33bd80c1bbb3547b529bec1dcc0e99b9abdf6e3b9f3d6c13cf3f98f
Instruction Fuzzy Hash: 62A1D43262C686CAFBA08B55E4043EF6BB0B785795F340007DE4997BD8EB38CA45CB04

Function 000001D7C96B7738 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57networksleepCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001D7C96B7758
select.WS2_32 ref: 000001D7C96B77BE
__WSAFDIsSet.WS2_32 ref: 000001D7C96B77CD
__WSAFDIsSet.WS2_32 ref: 000001D7C96B77E2
send.WS2_32 ref: 000001D7C96B77F8
WSAGetLastError.WS2_32 ref: 000001D7C96B7803
Sleep.KERNEL32 ref: 000001D7C96B7815
GetTickCount.KERNEL32 ref: 000001D7C96B781B

Strings

d, xrefs: 000001D7C96B7766

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CountTick$ErrorLastSleepselectsend
String ID: d
API String ID: 2152284305-2564639436
Opcode ID: 69847d6e6c5b3986b2098871a0e98e5797b468300fd40e710efd5f1391f0d949
Instruction ID: f26acc9ca70c627fca532abbc7cddb8df337c4fea4635772f8d0709aefcd2997
Opcode Fuzzy Hash: 69847d6e6c5b3986b2098871a0e98e5797b468300fd40e710efd5f1391f0d949
Instruction Fuzzy Hash: 01212172628B828AE7A08F21F8847CD7365F788B96F505126EB9D57ED4EF38C454C780

Function 000001D7C96B0048 Relevance: 15.1, APIs: 10, Instructions: 91sleepfilepipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001D7C96B0069
GetLastError.KERNEL32 ref: 000001D7C96B00C3
GetTickCount.KERNEL32 ref: 000001D7C96B00CE
Sleep.KERNEL32 ref: 000001D7C96B00DE
GetLastError.KERNEL32 ref: 000001D7C96B00EB
WriteFile.KERNEL32 ref: 000001D7C96B011E
WriteFile.KERNEL32 ref: 000001D7C96B014D
FlushFileBuffers.KERNEL32 ref: 000001D7C96B0165
DisconnectNamedPipe.KERNEL32 ref: 000001D7C96B016F
Sleep.KERNEL32 ref: 000001D7C96B0183

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
String ID:
API String ID: 3101085627-0
Opcode ID: 7cd2abcd268e96737cafd12e237a3a1e0830f3ebd8b7f7b4de76dbe304a1a7cb
Instruction ID: a0ae11d0f789e48e229019da9730500d9e00dabe9dbb4a16030b75ec53f458bf
Opcode Fuzzy Hash: 7cd2abcd268e96737cafd12e237a3a1e0830f3ebd8b7f7b4de76dbe304a1a7cb
Instruction Fuzzy Hash: 63415E327289428EE7509FB5D8843DD23A1F744B9AF410123EE49A7AE9FF38C549D340

Function 000001D7C96C791C Relevance: 15.1, APIs: 10, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96C794E

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

__doserrno.LIBCMT ref: 000001D7C96C7945

Part of subcall function 000001D7C96C24CC: _getptd_noexit.LIBCMT ref: 000001D7C96C24D0

__doserrno.LIBCMT ref: 000001D7C96C79AB
_errno.LIBCMT ref: 000001D7C96C79B2
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C7A16

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: ccb79bd5883eb67ce236768007c03e37228ecf8c52955bd302a881ab720c4208
Instruction ID: f02622a7e36fe2cebcc4969e21d85cfa621f3f924b4da7a354885b73f2bf5df9
Opcode Fuzzy Hash: ccb79bd5883eb67ce236768007c03e37228ecf8c52955bd302a881ab720c4208
Instruction Fuzzy Hash: 853106323283828EE3966FA9D8813ED7550B740FA2F854517FD25273D3EB38C4428714

Function 000001D7C9417990 Relevance: 15.1, APIs: 10, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C94179BB

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

__doserrno.LIBCMT ref: 000001D7C94179B3

Part of subcall function 000001D7C94118CC: _getptd_noexit.LIBCMT ref: 000001D7C94118D0

__lock_fhandle.LIBCMT ref: 000001D7C94179FF
_lseek_nolock.LIBCMT ref: 000001D7C9417A18
_unlock_fhandle.LIBCMT ref: 000001D7C9417A39

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: 7eb9343c0016ea857e7af25990b124ce1ac1d58249d6fc682c61ebada0c2d391
Instruction ID: eeb1e8853196e14fc9e13befb6f118d52f2eb805ef1da795ed173a268c0fc5cf
Opcode Fuzzy Hash: 7eb9343c0016ea857e7af25990b124ce1ac1d58249d6fc682c61ebada0c2d391
Instruction Fuzzy Hash: D021D132638682CDF7812F25D8413EF6A50A784BA2F294217AA25073D2FB788B41C714

Function 000001D7C9417B08 Relevance: 15.1, APIs: 10, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C9417B33

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

__doserrno.LIBCMT ref: 000001D7C9417B2B

Part of subcall function 000001D7C94118CC: _getptd_noexit.LIBCMT ref: 000001D7C94118D0

__lock_fhandle.LIBCMT ref: 000001D7C9417B77
_lseeki64_nolock.LIBCMT ref: 000001D7C9417B90
_unlock_fhandle.LIBCMT ref: 000001D7C9417BB3

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 32b07ca81a92ecb0f4b1c23859d496d7e06b53c4ba190a2fb9fefefc91b009a9
Instruction ID: ba3e46533ceccd58d9aef5888d445b0bf0ee810486aad78dcb09edf0ecb465f5
Opcode Fuzzy Hash: 32b07ca81a92ecb0f4b1c23859d496d7e06b53c4ba190a2fb9fefefc91b009a9
Instruction Fuzzy Hash: A421C232238582C9E6812B2598013EE7651A784BB6F294307AE35073D2FB388781C725

Function 000001D7C96D0580 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96D05A6
_errno.LIBCMT ref: 000001D7C96D059B

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: 8cb0fc128e201a2e2079c9d20385c1cf6d87ed7ebad56190ca1c39a3a8d9e9a2
Instruction ID: 7a3abd864e2934a79034905dd47b92884b3496ab317d4d80294d4ecac9bdc27f
Opcode Fuzzy Hash: 8cb0fc128e201a2e2079c9d20385c1cf6d87ed7ebad56190ca1c39a3a8d9e9a2
Instruction Fuzzy Hash: C041F57363C393CDFBE4AB1196403E936A0E794B96F944123EEE4676C5F768C8618A10

Function 000001D7C941F980 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C941F9A6
_errno.LIBCMT ref: 000001D7C941F99B

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1812809483-0
Opcode ID: 83511a0468c640ba5403665e94ec512373c404b8ae4397b90c4a169d83771555
Instruction ID: eb4e22dd0632b5131f86fc41c6eab1d2b693656bfbf6cc889760fd688516525e
Opcode Fuzzy Hash: 83511a0468c640ba5403665e94ec512373c404b8ae4397b90c4a169d83771555
Instruction Fuzzy Hash: A841C471638293CDEBE0AB22D5403EB3691E754BD6FB44263AA54476C5F7288B62C600

Function 000001D7C96C0B44 Relevance: 13.6, APIs: 9, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001D7C96C0B2C: _mtinitlocknum.LIBCMT ref: 000001D7C96C54FE
Part of subcall function 000001D7C96C0B2C: _amsg_exit.LIBCMT ref: 000001D7C96C550A

DecodePointer.KERNEL32 ref: 000001D7C96C0BA0
DecodePointer.KERNEL32 ref: 000001D7C96C0BBE
EncodePointer.KERNEL32 ref: 000001D7C96C0BEC
DecodePointer.KERNEL32 ref: 000001D7C96C0C01
EncodePointer.KERNEL32 ref: 000001D7C96C0C0C
DecodePointer.KERNEL32 ref: 000001D7C96C0C1E
DecodePointer.KERNEL32 ref: 000001D7C96C0C2E
__crtCorExitProcess.LIBCMT ref: 000001D7C96C0CB2
ExitProcess.KERNEL32 ref: 000001D7C96C0CBA

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Pointer$Decode$EncodeExitProcess$__crt_amsg_exit_mtinitlocknum
String ID:
API String ID: 1550138920-0
Opcode ID: fc3dfdfe80fc1b25674223ea545d184e5a08173fa113086f4c5449366e20ee1e
Instruction ID: a935008ad835c1376d69ab9cf70ee1d29d5720512f012553313eec7b04714160
Opcode Fuzzy Hash: fc3dfdfe80fc1b25674223ea545d184e5a08173fa113086f4c5449366e20ee1e
Instruction Fuzzy Hash: 5D41603122EB86C9EBD09F11E8503A966A4F748BC7F444027E99E63BE5FF39C4658700

Function 000001D7C96B6A3C Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

htonl.WS2_32 ref: 000001D7C96B6A7D
htons.WS2_32 ref: 000001D7C96B6A8E
socket.WS2_32 ref: 000001D7C96B6AD0
closesocket.WS2_32 ref: 000001D7C96B6AE5
gethostbyname.WS2_32 ref: 000001D7C96B6B04
htons.WS2_32 ref: 000001D7C96B6B34
ioctlsocket.WS2_32 ref: 000001D7C96B6B4E
connect.WS2_32 ref: 000001D7C96B6B66
WSAGetLastError.WS2_32 ref: 000001D7C96B6B70

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
String ID:
API String ID: 3339321253-0
Opcode ID: ee096dba53be1668b747c931f1b7c975ddcd03a6334e9f7e5fdf2246f50c4714
Instruction ID: f12e891d0d6b163d5ab04dbcb2d0caf510f68ab73666e73a6b02ec10107ba9fd
Opcode Fuzzy Hash: ee096dba53be1668b747c931f1b7c975ddcd03a6334e9f7e5fdf2246f50c4714
Instruction Fuzzy Hash: 15313B723286C28AEBA49F25E8547EE6361F744BAAF044122DE1A577D4FF3CC555C700

Function 000001D7C96B70D4 Relevance: 13.6, APIs: 9, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001D7C96B711C: htonl.WS2_32 ref: 000001D7C96B7179
Part of subcall function 000001D7C96B711C: select.WS2_32 ref: 000001D7C96B71E7
Part of subcall function 000001D7C96B711C: __WSAFDIsSet.WS2_32 ref: 000001D7C96B71FF
Part of subcall function 000001D7C96B711C: accept.WS2_32 ref: 000001D7C96B721C
Part of subcall function 000001D7C96B711C: ioctlsocket.WS2_32 ref: 000001D7C96B7234
Part of subcall function 000001D7C96B711C: __WSAFDIsSet.WS2_32 ref: 000001D7C96B72D7

GetTickCount.KERNEL32 ref: 000001D7C96B70E6

Part of subcall function 000001D7C96B7468: malloc.LIBCMT ref: 000001D7C96B749A
Part of subcall function 000001D7C96B7468: htonl.WS2_32 ref: 000001D7C96B74CD
Part of subcall function 000001D7C96B7468: recvfrom.WS2_32 ref: 000001D7C96B7511
Part of subcall function 000001D7C96B7468: WSAGetLastError.WS2_32 ref: 000001D7C96B751E

GetTickCount.KERNEL32 ref: 000001D7C96B70FE
GetTickCount.KERNEL32 ref: 000001D7C96B761C
GetTickCount.KERNEL32 ref: 000001D7C96B7632
shutdown.WS2_32 ref: 000001D7C96B7651
shutdown.WS2_32 ref: 000001D7C96B7666
closesocket.WS2_32 ref: 000001D7C96B7670
free.LIBCMT ref: 000001D7C96B7690
free.LIBCMT ref: 000001D7C96B76A5

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
String ID:
API String ID: 3610715900-0
Opcode ID: c50162f9c59f8108d653f09e315dc0d1efc9b52f4b40ce78e36cf3fc188eb57d
Instruction ID: 800dac63d82e15f555bc99406eb632884a81328319f74c6d34289490ce4328f1
Opcode Fuzzy Hash: c50162f9c59f8108d653f09e315dc0d1efc9b52f4b40ce78e36cf3fc188eb57d
Instruction Fuzzy Hash: 243166326286828AEBE49F35E544398B3B0F748F8AF185123DE59A6AD5FF34C450E710

Function 000001D7C96C8708 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96C8733

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

__doserrno.LIBCMT ref: 000001D7C96C872B

Part of subcall function 000001D7C96C24CC: _getptd_noexit.LIBCMT ref: 000001D7C96C24D0

__lock_fhandle.LIBCMT ref: 000001D7C96C8777
_lseeki64_nolock.LIBCMT ref: 000001D7C96C8790

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock
String ID:
API String ID: 4140391395-0
Opcode ID: cfc64515289cc0e697e99e53b355c159945a757b88f02c63b7557c221d878ae0
Instruction ID: 86468ef1a9a306e677b8396144a5977da04a5e5acace0ed4f611e8d669b8d27b
Opcode Fuzzy Hash: cfc64515289cc0e697e99e53b355c159945a757b88f02c63b7557c221d878ae0
Instruction Fuzzy Hash: BD21C2322282824EE6A56F29D8413FD7951A780BB3F494757FE39277D2FB38C4418724

Function 000001D7C96C8590 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96C85BB

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

__doserrno.LIBCMT ref: 000001D7C96C85B3

Part of subcall function 000001D7C96C24CC: _getptd_noexit.LIBCMT ref: 000001D7C96C24D0

__lock_fhandle.LIBCMT ref: 000001D7C96C85FF
_lseek_nolock.LIBCMT ref: 000001D7C96C8618

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock
String ID:
API String ID: 310312816-0
Opcode ID: 5a9b38f2a6578f667b0e169ddf3d1e3188d7ba4a7d9e797e600560c79e926d97
Instruction ID: 0c2652be21de2756b3f8efcd257f2d4daa2874c07a3656c25a3503bad6beca9c
Opcode Fuzzy Hash: 5a9b38f2a6578f667b0e169ddf3d1e3188d7ba4a7d9e797e600560c79e926d97
Instruction Fuzzy Hash: BC2135327382824EF3A56F2AE9513ED7550A780BA3F59411BFE15273D3EB78C8418B24

Function 000001D7C9416334 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C941635F

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

__doserrno.LIBCMT ref: 000001D7C9416357

Part of subcall function 000001D7C94118CC: _getptd_noexit.LIBCMT ref: 000001D7C94118D0

__lock_fhandle.LIBCMT ref: 000001D7C94163A3
_unlock_fhandle.LIBCMT ref: 000001D7C94163DD

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 0bcb578be6dc864e4d40a3b132e2f3e271713c385706872344b55bd4c704724d
Instruction ID: 1b0d24530745a1085f0d78b0ed1f18ef886fc70eb49ea0be154bde976edc134b
Opcode Fuzzy Hash: 0bcb578be6dc864e4d40a3b132e2f3e271713c385706872344b55bd4c704724d
Instruction Fuzzy Hash: 6A21013273C596CDE7812F2599413FF2650A784BA3F654117AA25073D2FB78CA41C724

Function 000001D7C9415B54 Relevance: 13.6, APIs: 9, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C9415B75

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

__doserrno.LIBCMT ref: 000001D7C9415B6D

Part of subcall function 000001D7C94118CC: _getptd_noexit.LIBCMT ref: 000001D7C94118D0

__lock_fhandle.LIBCMT ref: 000001D7C9415BB9
_close_nolock.LIBCMT ref: 000001D7C9415BCC
_unlock_fhandle.LIBCMT ref: 000001D7C9415BE5

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: 9c0209796af8c4e57d4054e5769c1d0dad805c61973383fb040a5a6a72c02b35
Instruction ID: f6507a0071d781b3bc6c9e475a5c33874bccd7f162ed524244ef9bb8b7f5595d
Opcode Fuzzy Hash: 9c0209796af8c4e57d4054e5769c1d0dad805c61973383fb040a5a6a72c02b35
Instruction Fuzzy Hash: 4911D03223C682CDF2956F2599813EE2650A784763F795227DA294B3D6FB78C6818314

Function 000001D7C940FC34 Relevance: 12.6, APIs: 10, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000001D7C940FC62

Part of subcall function 000001D7C940EB44: _errno.LIBCMT ref: 000001D7C940EB64

free.LIBCMT ref: 000001D7C940FC77
free.LIBCMT ref: 000001D7C940FC98
free.LIBCMT ref: 000001D7C940FCAD
free.LIBCMT ref: 000001D7C940FCC1
free.LIBCMT ref: 000001D7C940FCCD
free.LIBCMT ref: 000001D7C940FCF8
free.LIBCMT ref: 000001D7C940FD19
free.LIBCMT ref: 000001D7C940FD32
free.LIBCMT ref: 000001D7C940FD63

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$_errno
String ID:
API String ID: 2288870239-0
Opcode ID: 1fbae9a2f2c711fd678618ada93c604b44486ceb3c86ba755e01231b40780067
Instruction ID: ed0a504a0f5a3e06ac72588be8fc10881522853a7edfa42fbb861f60c10874ad
Opcode Fuzzy Hash: 1fbae9a2f2c711fd678618ada93c604b44486ceb3c86ba755e01231b40780067
Instruction Fuzzy Hash: 74310D7127DA4389FED4DF31E9653E763A0BB44B97F0811278E2A062E1FF2C86648201

Function 00007FF7F72D2C90 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 138COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF7F72D2DAB

Strings

Address %p has no image-section, xrefs: 00007FF7F72D2D02, 00007FF7F72D2E55
VirtualQuery failed for %d bytes at address %p, xrefs: 00007FF7F72D2E41
Mingw-w64 runtime failure:, xrefs: 00007FF7F72D2CC7
VirtualProtect failed with code 0x%x, xrefs: 00007FF7F72D2E1E

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: QueryVirtual
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 1804819252-1534286854
Opcode ID: 785072bde8c85f5d4b1c73497ed291e88d8a31ac554300ac2883823fa59db919
Instruction ID: 8224373b6cd26c73a3e48dc7f65451990c1c310eb87001db6b6c9544cd8f5ab0
Opcode Fuzzy Hash: 785072bde8c85f5d4b1c73497ed291e88d8a31ac554300ac2883823fa59db919
Instruction Fuzzy Hash: 7451967BA04A8692EB10AB11E8806A9F7A0FF45B94F844134DE6D473D5DF3CE547C7A0

Function 000001D7C9408B5C Relevance: 12.1, APIs: 6, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C9408B8B

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

_snprintf.LIBCMT ref: 000001D7C9408BA3

Part of subcall function 000001D7C940EF3C: _errno.LIBCMT ref: 000001D7C940EF73
Part of subcall function 000001D7C940EF3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C940EF7E

free.LIBCMT ref: 000001D7C9408BBA

Part of subcall function 000001D7C940EB44: _errno.LIBCMT ref: 000001D7C940EB64

malloc.LIBCMT ref: 000001D7C9408C0A
_snprintf.LIBCMT ref: 000001D7C9408C22
free.LIBCMT ref: 000001D7C9408C4A

Strings

ege, xrefs: 000001D7C9408B90
d file: %d, xrefs: 000001D7C9408C0F

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$_callnewh_invalid_parameter_noinfo
String ID: d file: %d$ege
API String ID: 761449704-1344674164
Opcode ID: 12a0ba40ed0719110b2b1c2a2bd9ec70d02ebdf95bb6dc0190aea0c8ebea8954
Instruction ID: 690d4d540521f36506bd36dae7ab2c138541921319dd424808d72d52aef5200e
Opcode Fuzzy Hash: 12a0ba40ed0719110b2b1c2a2bd9ec70d02ebdf95bb6dc0190aea0c8ebea8954
Instruction Fuzzy Hash: 9531E63123C6828CEAD49B2269107E7AB61734AFD2F4850539EA5077D1EF39D752C300

Function 000001D7C96C6F34 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96C6F5F

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

__doserrno.LIBCMT ref: 000001D7C96C6F57

Part of subcall function 000001D7C96C24CC: _getptd_noexit.LIBCMT ref: 000001D7C96C24D0

__lock_fhandle.LIBCMT ref: 000001D7C96C6FA3

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno
String ID:
API String ID: 2611593033-0
Opcode ID: b782232a89891e70a0c9aa28aa717701ff6926ff8b7c3cb37b6276b8bd71a672
Instruction ID: a6db9219785e427295a6f82d0813966ba46462c8dcef77e14005963df63ff5f2
Opcode Fuzzy Hash: b782232a89891e70a0c9aa28aa717701ff6926ff8b7c3cb37b6276b8bd71a672
Instruction Fuzzy Hash: A021D4327282835EF6962F25D8417ED7951A740BA3F454117FE25273D2EB78C841C728

Function 000001D7C96CB5E8 Relevance: 12.1, APIs: 8, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96CB601

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

__lock_fhandle.LIBCMT ref: 000001D7C96CB649
FlushFileBuffers.KERNEL32 ref: 000001D7C96CB664
GetLastError.KERNEL32 ref: 000001D7C96CB66E
__doserrno.LIBCMT ref: 000001D7C96CB67E
_errno.LIBCMT ref: 000001D7C96CB685

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit
String ID:
API String ID: 2289611984-0
Opcode ID: 492a0cb4195d54f019de52ad6a6faa164d2ddedcef23c44f069273c515be19b8
Instruction ID: 95a3e69fb5e702f66cad764bcd4cc4c50b2972765aa6d2bd352043745807b65c
Opcode Fuzzy Hash: 492a0cb4195d54f019de52ad6a6faa164d2ddedcef23c44f069273c515be19b8
Instruction Fuzzy Hash: 5821D5327286834DF6956F76DA913ED7650AB80763F49012BFA152B3D2FB78C841CB14

Function 000001D7C96C6754 Relevance: 12.1, APIs: 8, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96C6775

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

__doserrno.LIBCMT ref: 000001D7C96C676D

Part of subcall function 000001D7C96C24CC: _getptd_noexit.LIBCMT ref: 000001D7C96C24D0

__lock_fhandle.LIBCMT ref: 000001D7C96C67B9
_close_nolock.LIBCMT ref: 000001D7C96C67CC

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno
String ID:
API String ID: 4060740672-0
Opcode ID: 7a8b25c450a087866ded45e2c1a7183fa029a37cdaee3ccc11e7f4b12cbb2b6f
Instruction ID: 19a513575beeeef4391d52a5660d2469248f943f9f92fd0a54eeb3345b23bfde
Opcode Fuzzy Hash: 7a8b25c450a087866ded45e2c1a7183fa029a37cdaee3ccc11e7f4b12cbb2b6f
Instruction Fuzzy Hash: 1211083223C2834EF2956F25E8813EC7550A780763F554927F919673D7FB74C8468728

Function 000001D7C96A460C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96A46A9

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

malloc.LIBCMT ref: 000001D7C96A46B3

Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF818
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF81D

malloc.LIBCMT ref: 000001D7C96A46BE
free.LIBCMT ref: 000001D7C96A487E
free.LIBCMT ref: 000001D7C96A4886
free.LIBCMT ref: 000001D7C96A488E

Part of subcall function 000001D7C96A54F0: malloc.LIBCMT ref: 000001D7C96A553A
Part of subcall function 000001D7C96A54F0: malloc.LIBCMT ref: 000001D7C96A5545
Part of subcall function 000001D7C96A54F0: free.LIBCMT ref: 000001D7C96A562C
Part of subcall function 000001D7C96A54F0: free.LIBCMT ref: 000001D7C96A5634

free.LIBCMT ref: 000001D7C96A489A
free.LIBCMT ref: 000001D7C96A48A7
free.LIBCMT ref: 000001D7C96A48B4

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh$AllocHeap
String ID:
API String ID: 3534990644-0
Opcode ID: 666e97b4c0d929ed48821fbeb8d9ac340f3179b121109675fcedba7a8bd83dd3
Instruction ID: 7a6b891ae40b7d51fb2e76df15293f3e9972711a5df9f750abe7cd87854c2b64
Opcode Fuzzy Hash: 666e97b4c0d929ed48821fbeb8d9ac340f3179b121109675fcedba7a8bd83dd3
Instruction Fuzzy Hash: 9871D83272C6C68EEB949E26A8507EA7791F785BCAF404126DD4667BD6FF38C405C700

Function 000001D7C93F3A0C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C93F3AA9

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

malloc.LIBCMT ref: 000001D7C93F3AB3

Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EC18
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC1D

malloc.LIBCMT ref: 000001D7C93F3ABE
free.LIBCMT ref: 000001D7C93F3C7E
free.LIBCMT ref: 000001D7C93F3C86
free.LIBCMT ref: 000001D7C93F3C8E

Part of subcall function 000001D7C93F48F0: malloc.LIBCMT ref: 000001D7C93F493A
Part of subcall function 000001D7C93F48F0: malloc.LIBCMT ref: 000001D7C93F4945
Part of subcall function 000001D7C93F48F0: free.LIBCMT ref: 000001D7C93F4A2C
Part of subcall function 000001D7C93F48F0: free.LIBCMT ref: 000001D7C93F4A34

free.LIBCMT ref: 000001D7C93F3C9A
free.LIBCMT ref: 000001D7C93F3CA7
free.LIBCMT ref: 000001D7C93F3CB4

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: dfa33b388bad419a6b6c24b9f61ea34507f4c3232a8f967c96a2e976d6832338
Instruction ID: dd43720bbbddb0ffcaaa9a07d9166ede0fe6fe96cfd2103c6f6c174b125216b9
Opcode Fuzzy Hash: dfa33b388bad419a6b6c24b9f61ea34507f4c3232a8f967c96a2e976d6832338
Instruction Fuzzy Hash: 3171E3763287864EEFA0DB269444BEB7791B784BC9F044066DE464BBC6FB38C506CB00

Function 000001D7C93FBE74 Relevance: 10.8, APIs: 6, Strings: 1, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001D7C940592C: malloc.LIBCMT ref: 000001D7C9405948

malloc.LIBCMT ref: 000001D7C93FBF3B

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

Part of subcall function 000001D7C940BB3C: _time64.LIBCMT ref: 000001D7C940BB60
Part of subcall function 000001D7C940BB3C: malloc.LIBCMT ref: 000001D7C940BBA8
Part of subcall function 000001D7C940BB3C: strtok.LIBCMT ref: 000001D7C940BC0C
Part of subcall function 000001D7C940BB3C: strtok.LIBCMT ref: 000001D7C940BC1D

Part of subcall function 000001D7C9402DE0: _time64.LIBCMT ref: 000001D7C9402DEE

Part of subcall function 000001D7C940E3B4: malloc.LIBCMT ref: 000001D7C940E404

Part of subcall function 000001D7C940E3B4: realloc.LIBCMT ref: 000001D7C940E413

malloc.LIBCMT ref: 000001D7C93FC04A
_snprintf.LIBCMT ref: 000001D7C93FC0C1
_snprintf.LIBCMT ref: 000001D7C93FC0E7
_snprintf.LIBCMT ref: 000001D7C93FC10E
free.LIBCMT ref: 000001D7C93FC2C6

Part of subcall function 000001D7C940A680: malloc.LIBCMT ref: 000001D7C940A6B4
Part of subcall function 000001D7C940A680: free.LIBCMT ref: 000001D7C940A86B

Strings

d file: %d, xrefs: 000001D7C93FC0B2, 000001D7C93FC0DA, 000001D7C93FC0F1

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno_time64freestrtok$_callnewhrealloc
String ID: d file: %d
API String ID: 1314452303-2597253706
Opcode ID: 05b73f9a750bd4ef76140b64f23dd751e41094d08eed82295c6e4ef0ec55e37a
Instruction ID: 69c11b46a99ac2c40a5db2f586e3de4525dfaa19c879410a6161a44a3882758e
Opcode Fuzzy Hash: 05b73f9a750bd4ef76140b64f23dd751e41094d08eed82295c6e4ef0ec55e37a
Instruction Fuzzy Hash: 9FC17B312382434EFED8EB72A4557EB6295AB847C3F006167AA46477D7FF38CA058700

Function 000001D7C93FE360 Relevance: 10.8, APIs: 5, Strings: 2, Instructions: 276COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001D7C93FE448
_snprintf.LIBCMT ref: 000001D7C93FE473
_snprintf.LIBCMT ref: 000001D7C93FE48F
_snprintf.LIBCMT ref: 000001D7C93FE544
_snprintf.LIBCMT ref: 000001D7C93FE55B

Strings

d file: %d, xrefs: 000001D7C93FE43F, 000001D7C93FE46A, 000001D7C93FE539
ould not open %s: %d, xrefs: 000001D7C93FE382

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID: d file: %d$ould not open %s: %d
API String ID: 3512837008-1708695814
Opcode ID: 58fc555a79c94aaf75c3c75cd909e70d0caca4674cd7db198c2c291c0688b4e7
Instruction ID: 091afd0d9c80af20267c8720455c2a84bcdf95c6a4c3241a9d3487de00715496
Opcode Fuzzy Hash: 58fc555a79c94aaf75c3c75cd909e70d0caca4674cd7db198c2c291c0688b4e7
Instruction Fuzzy Hash: BCD19D32228A828DEBA4DF65E8447DB67A1F78879AF401127DA4E477E5FF38C605C740

Function 000001D7C96BB988 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001D7C96B652C: malloc.LIBCMT ref: 000001D7C96B6548

malloc.LIBCMT ref: 000001D7C96BBA34

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

Part of subcall function 000001D7C96BEFB4: malloc.LIBCMT ref: 000001D7C96BF004

GetComputerNameExA.KERNEL32 ref: 000001D7C96BBAF6
GetComputerNameA.KERNEL32 ref: 000001D7C96BBB2B
GetUserNameA.ADVAPI32 ref: 000001D7C96BBB60

Part of subcall function 000001D7C96AF554: WSASocketA.WS2_32 ref: 000001D7C96AF582

malloc.LIBCMT ref: 000001D7C96BBC79

Strings

VUUU, xrefs: 000001D7C96BBBBC

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
String ID: VUUU
API String ID: 632458648-2040033107
Opcode ID: 57f5cc676f18434ef03e9510b006a83b808d3a058504b11b6f4186337b4dcd9a
Instruction ID: 27e9a812101439d4b67cc8751fe9c933c4ca7b446113b2228c5d292e15e8a213
Opcode Fuzzy Hash: 57f5cc676f18434ef03e9510b006a83b808d3a058504b11b6f4186337b4dcd9a
Instruction Fuzzy Hash: CEA10536B286924EFF94EB36C8517E922A1B7847C6F804027ED49677DAFF38C505A300

Function 000001D7C96B19B8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128processCOMMON

Download Yara Rule

APIs

Part of subcall function 000001D7C96B652C: malloc.LIBCMT ref: 000001D7C96B6548

GetStartupInfoA.KERNEL32 ref: 000001D7C96B1A80

Part of subcall function 000001D7C96B0394: MultiByteToWideChar.KERNEL32 ref: 000001D7C96B03C1
Part of subcall function 000001D7C96B0394: MultiByteToWideChar.KERNEL32 ref: 000001D7C96B03E9

GetCurrentDirectoryW.KERNEL32 ref: 000001D7C96B1B0D
GetCurrentDirectoryW.KERNEL32 ref: 000001D7C96B1B1C
CreateProcessWithLogonW.ADVAPI32 ref: 000001D7C96B1B77
GetLastError.KERNEL32 ref: 000001D7C96B1B81

Strings

%s as %s\%s: %d, xrefs: 000001D7C96B1B87

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
String ID: %s as %s\%s: %d
API String ID: 3435635427-816037529
Opcode ID: 73310cc39bfec7e2f0b5b25af43c28e2bbd4c9796d9aa92c6f0328bc60f24865
Instruction ID: 45698f15fbf2f19266bbcc7731e1128b757d8d224f8e55821320e14307a43247
Opcode Fuzzy Hash: 73310cc39bfec7e2f0b5b25af43c28e2bbd4c9796d9aa92c6f0328bc60f24865
Instruction Fuzzy Hash: D3513032718B828AE7A0DF16F44479AB7A5F785B85F144026EF8D53B99EF38C055CB40

Function 000001D7C96BEE98 Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001D7C96BEEE3
OpenProcessToken.ADVAPI32 ref: 000001D7C96BEF07
GetLastError.KERNEL32 ref: 000001D7C96BEF11

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: ErrorLast$OpenProcessToken
String ID:
API String ID: 2009710997-0
Opcode ID: eaf9e285e45b6052ae78f4f3fff298dbc4e75ed4f7a7d62a401475f966be5068
Instruction ID: dd35967bd6024d8b4208b83176210cc172dac2492544af1c89847402846550b8
Opcode Fuzzy Hash: eaf9e285e45b6052ae78f4f3fff298dbc4e75ed4f7a7d62a401475f966be5068
Instruction Fuzzy Hash: 3A31D53232C7428EF7916B62E8547AE6794ABC4B92F44002ADE05637D5FF3CC4459780

Function 000001D7C96D0400 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C96D0434

Part of subcall function 000001D7C96C0304: _getptd.LIBCMT ref: 000001D7C96C031A
Part of subcall function 000001D7C96C0304: __updatetlocinfo.LIBCMT ref: 000001D7C96C034F
Part of subcall function 000001D7C96C0304: __updatetmbcinfo.LIBCMT ref: 000001D7C96C0376

_errno.LIBCMT ref: 000001D7C96D044F
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96D045A

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 1852ddf3321915ea9215e68c41200b3c3ad39747d4c1325998171d9f8ffd8be3
Instruction ID: 6237d1826391b8d6297ef09844740f9d037a8878cec2044100ef03ccf330988f
Opcode Fuzzy Hash: 1852ddf3321915ea9215e68c41200b3c3ad39747d4c1325998171d9f8ffd8be3
Instruction Fuzzy Hash: 8031B473228785CDE7A09F519180BEDB6A4F784BE1F548122EFA823BC5EB74C851C700

Function 000001D7C941F800 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C941F834

Part of subcall function 000001D7C940F704: _getptd.LIBCMT ref: 000001D7C940F71A
Part of subcall function 000001D7C940F704: __updatetlocinfo.LIBCMT ref: 000001D7C940F74F
Part of subcall function 000001D7C940F704: __updatetmbcinfo.LIBCMT ref: 000001D7C940F776

_errno.LIBCMT ref: 000001D7C941F84F
_invalid_parameter_noinfo.LIBCMT ref: 000001D7C941F85A

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 3191669884-0
Opcode ID: 90c90dd7a3962efa42c0f28768e24c6e5f96ee8075a8b3f29dae101246b3e870
Instruction ID: fc4a02b73b53c94eb613a331f56ca1d2035db3b30855516377aa8f9efb0094bb
Opcode Fuzzy Hash: 90c90dd7a3962efa42c0f28768e24c6e5f96ee8075a8b3f29dae101246b3e870
Instruction Fuzzy Hash: AE318072628785CDE7A09B12D6407DEB6A4F748BE1F644163EE5407BC5EB34CA52C700

Function 000001D7C941A9E8 Relevance: 10.6, APIs: 7, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C941AA01

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

__lock_fhandle.LIBCMT ref: 000001D7C941AA49
__doserrno.LIBCMT ref: 000001D7C941AA7E
_errno.LIBCMT ref: 000001D7C941AA85
_unlock_fhandle.LIBCMT ref: 000001D7C941AA95

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: bb35c1c3081a187dc7ea4c9bb1e8d409537dd499da4a5355220cb6d4718aca03
Instruction ID: 7970728941c0d6c2879baa506f29a8bf83e1481d8435024b6a221b44b6c6ec56
Opcode Fuzzy Hash: bb35c1c3081a187dc7ea4c9bb1e8d409537dd499da4a5355220cb6d4718aca03
Instruction Fuzzy Hash: 7F21D532338A43CDF7966FA59A803FF2650A784792F29022BDA15073D2FB788B418314

Function 000001D7C96B5EB0 Relevance: 10.6, APIs: 7, Instructions: 52COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001D7C96B5EC1
ioctlsocket.WS2_32 ref: 000001D7C96B5EE2
GetTickCount.KERNEL32 ref: 000001D7C96B5F27
ioctlsocket.WS2_32 ref: 000001D7C96B5F49

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CountTickioctlsocket
String ID:
API String ID: 3686034022-0
Opcode ID: 281274cc844dc5e923e57613abbe6310753b1957bf4a783b4767815e0a9cc52e
Instruction ID: 198451df74e561c9c28244c8b2fc7954c4d83c795341d41ea5e5322be33aecf3
Opcode Fuzzy Hash: 281274cc844dc5e923e57613abbe6310753b1957bf4a783b4767815e0a9cc52e
Instruction Fuzzy Hash: 2A11A7322287C24FF7A04B65E8443D9B360E784B66F900526EE65926E4FF7CC8999B01

Function 000001D7C96B0FE0 Relevance: 10.5, APIs: 7, Instructions: 45pipethreadfileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001D7C96B1006
ConnectNamedPipe.KERNEL32 ref: 000001D7C96B101C
ReadFile.KERNEL32 ref: 000001D7C96B1046
ImpersonateNamedPipeClient.ADVAPI32 ref: 000001D7C96B1057
GetCurrentThread.KERNEL32 ref: 000001D7C96B1061
OpenThreadToken.ADVAPI32 ref: 000001D7C96B1079
DisconnectNamedPipe.KERNEL32 ref: 000001D7C96B108F

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
String ID:
API String ID: 4232080776-0
Opcode ID: 0754179369273f79daf0d6d2aa5a1039e41815e75cacc39aee7067dac08f6d43
Instruction ID: fa8d4598e322805870a698b34f3edf44b3a8731df182380289fb370635079511
Opcode Fuzzy Hash: 0754179369273f79daf0d6d2aa5a1039e41815e75cacc39aee7067dac08f6d43
Instruction Fuzzy Hash: 19216D3263C5868DF7D09B11E8447E93362BB94B83F804017D809625E1FF3DC658D750

Function 000001D7C96C13D0 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96C140C

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C1417
memcpy_s.LIBCMT ref: 000001D7C96C14DC
_fileno.LIBCMT ref: 000001D7C96C1547
_filbuf.LIBCMT ref: 000001D7C96C1575
_errno.LIBCMT ref: 000001D7C96C15C5

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 1883a83fe9fb3c6b32c9ddde723964e878399be9b0446074aba1a882fd44dded
Instruction ID: 4c6ae933f2d42cb13415a643d88713e88a09a6de132199b9d6c1512c00ac5530
Opcode Fuzzy Hash: 1883a83fe9fb3c6b32c9ddde723964e878399be9b0446074aba1a882fd44dded
Instruction Fuzzy Hash: C3517D7133C2428AFAE48A6655007E97690B341BF6F558723FE3A63BD4FB34D6918740

Function 000001D7C94107D0 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C941080C

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C9410817
memcpy_s.LIBCMT ref: 000001D7C94108DC
_fileno.LIBCMT ref: 000001D7C9410947
_filbuf.LIBCMT ref: 000001D7C9410975
_errno.LIBCMT ref: 000001D7C94109C5

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: ad7a31e985663c658b3bbe63a5eea60a53fcbfadd365fda81ec0176febafd1ae
Instruction ID: f008d9718872abbb45ebe623c5a715e882c2e9071cf57c0c40ea7436e7805362
Opcode Fuzzy Hash: ad7a31e985663c658b3bbe63a5eea60a53fcbfadd365fda81ec0176febafd1ae
Instruction Fuzzy Hash: 0C51153173D242CAFAA48A2655107EB6791B744BF3F348713AA7843BD5FB34C691A780

Function 000001D7C9401570 Relevance: 9.2, APIs: 3, Strings: 3, Instructions: 150COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C94015A3

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

Part of subcall function 000001D7C93FC444: malloc.LIBCMT ref: 000001D7C93FC457

free.LIBCMT ref: 000001D7C940169E
free.LIBCMT ref: 000001D7C94016AB

Part of subcall function 000001D7C940EB44: _errno.LIBCMT ref: 000001D7C940EB64

Strings

ate service %s on %s: %d, xrefs: 000001D7C9401769
service control manager on %s: %d, xrefs: 000001D7C94015FF
pload file: %d, xrefs: 000001D7C9401639

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$freemalloc$_callnewh
String ID: service control manager on %s: %d$ate service %s on %s: %d$pload file: %d
API String ID: 2029259483-3833084645
Opcode ID: 710583e1b977a0193c736e01f29ebc10fffcb32042546934caec26029c3814ca
Instruction ID: 9d674150e342228df5667df460de9642802acdfe00a0bdd70202ff63b2aec039
Opcode Fuzzy Hash: 710583e1b977a0193c736e01f29ebc10fffcb32042546934caec26029c3814ca
Instruction Fuzzy Hash: 9E6181713287528AEB90DB62E4406DEA7A1F788B95F405017EE4A43BD9FF78C709CB40

Function 000001D7C96CB1F4 Relevance: 9.1, APIs: 6, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 000001D7C96CB221

Part of subcall function 000001D7C96C55AC: _FF_MSGBANNER.LIBCMT ref: 000001D7C96C55C9
Part of subcall function 000001D7C96C55AC: _NMSG_WRITE.LIBCMT ref: 000001D7C96C55D3

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000001D7C96CB2A4
EnterCriticalSection.KERNEL32 ref: 000001D7C96CB2C0
LeaveCriticalSection.KERNEL32 ref: 000001D7C96CB2D0
_calloc_crt.LIBCMT ref: 000001D7C96CB346
__lock_fhandle.LIBCMT ref: 000001D7C96CB3AE

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CriticalSection$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
String ID:
API String ID: 445582508-0
Opcode ID: 96c7b832abb9eb222e8fbbc3902b7c68f8bc3b5bd4adb682223ec1f8004d710a
Instruction ID: f32d609789c96fc80b6f23e7a3f4b7c72e0fe067a160ad94bf510bbe7edbea5e
Opcode Fuzzy Hash: 96c7b832abb9eb222e8fbbc3902b7c68f8bc3b5bd4adb682223ec1f8004d710a
Instruction Fuzzy Hash: C35104323287418AEBA08F31D8443ADB7A5F794B5AF594517EE5D673E4EB38C842C700

Function 000001D7C96B1BD4 Relevance: 9.1, APIs: 6, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 000001D7C96B652C: malloc.LIBCMT ref: 000001D7C96B6548

Part of subcall function 000001D7C96C0EE8: _errno.LIBCMT ref: 000001D7C96C0E3F
Part of subcall function 000001D7C96C0EE8: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C0E4A

fseek.LIBCMT ref: 000001D7C96B1C70

Part of subcall function 000001D7C96C1764: _errno.LIBCMT ref: 000001D7C96C178C
Part of subcall function 000001D7C96C1764: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C1797

_ftelli64.LIBCMT ref: 000001D7C96B1C78

Part of subcall function 000001D7C96C17D8: _errno.LIBCMT ref: 000001D7C96C17F6
Part of subcall function 000001D7C96C17D8: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C1801

fseek.LIBCMT ref: 000001D7C96B1C88

Part of subcall function 000001D7C96C1764: _fseek_nolock.LIBCMT ref: 000001D7C96C17B5

GetFullPathNameA.KERNEL32 ref: 000001D7C96B1CAB
malloc.LIBCMT ref: 000001D7C96B1CC8

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

Part of subcall function 000001D7C96AD044: malloc.LIBCMT ref: 000001D7C96AD057

Part of subcall function 000001D7C96AD074: htonl.WS2_32 ref: 000001D7C96AD07F

fclose.LIBCMT ref: 000001D7C96B1D85

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
String ID:
API String ID: 3587854850-0
Opcode ID: 25af98a453896b9d172d361cbc0631ad6241024d210941bb3165ffd36e74c0e6
Instruction ID: 4fd17954626fea59b65f0d4b606a0744b5d93213e47d14811d7550646c670ac2
Opcode Fuzzy Hash: 25af98a453896b9d172d361cbc0631ad6241024d210941bb3165ffd36e74c0e6
Instruction Fuzzy Hash: 6441B3323286825AEB90EB12E4643E97251B7C9BD1F408123EE5E67BD6FF38C601C700

Function 000001D7C96B61A0 Relevance: 9.1, APIs: 6, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32 ref: 000001D7C96B61B8
GetOEMCP.KERNEL32 ref: 000001D7C96B61C2
GetCurrentProcessId.KERNEL32 ref: 000001D7C96B61E8
GetTickCount.KERNEL32 ref: 000001D7C96B61F0

Part of subcall function 000001D7C96C0D14: _getptd.LIBCMT ref: 000001D7C96C0D1C

GetCurrentProcess.KERNEL32 ref: 000001D7C96B622C

Part of subcall function 000001D7C96B11A4: GetModuleHandleA.KERNEL32 ref: 000001D7C96B11B9
Part of subcall function 000001D7C96B11A4: GetProcAddress.KERNEL32 ref: 000001D7C96B11C9

GetCurrentProcessId.KERNEL32 ref: 000001D7C96B629E

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
String ID:
API String ID: 3426420785-0
Opcode ID: cfd2f283dbca8df902668045d906c9abbd5030530a596ad4b40536c340505995
Instruction ID: 6eb576954f9e6e4358bbdea21c7960c256f93672850914d095fca6c46dc8e415
Opcode Fuzzy Hash: cfd2f283dbca8df902668045d906c9abbd5030530a596ad4b40536c340505995
Instruction Fuzzy Hash: 2C417F327386529DFF90EB71D8417DD32A0AB89796F404013EE0963AE6FF38C50A9750

Function 000001D7C96B7468 Relevance: 9.1, APIs: 6, Instructions: 99networkCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96B749A

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

htonl.WS2_32 ref: 000001D7C96B74CD
recvfrom.WS2_32 ref: 000001D7C96B7511
WSAGetLastError.WS2_32 ref: 000001D7C96B751E

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
String ID:
API String ID: 2310505145-0
Opcode ID: a872e1ec185157b0f40067ef4975255c0c5558b41c1ff36f1823d1a9e43bff05
Instruction ID: 81faaccdd0377177f79da9644af8ea6f73c172055afeb5296254947977cc91b0
Opcode Fuzzy Hash: a872e1ec185157b0f40067ef4975255c0c5558b41c1ff36f1823d1a9e43bff05
Instruction Fuzzy Hash: F541C872228782CBFB908F25E44479AB7A0F784B96F145112DD8967BE4FF38C491DB50

Function 000001D7C96B7F00 Relevance: 9.1, APIs: 6, Instructions: 96threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001D7C96B7F3B
UpdateProcThreadAttribute.KERNEL32 ref: 000001D7C96B7F7B
GetLastError.KERNEL32 ref: 000001D7C96B7F85
GetCurrentProcess.KERNEL32 ref: 000001D7C96B7FBA
GetCurrentProcess.KERNEL32 ref: 000001D7C96B7FFA
GetCurrentProcess.KERNEL32 ref: 000001D7C96B802B

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
String ID:
API String ID: 1014270282-0
Opcode ID: 60c5642cf9d1a24d13382d529420ce49e89d3ee3769af8e3f310f28140125189
Instruction ID: cb9b87063874f1db29a0b7d62057629c01dd8020875ba9c238b7dadb69c81350
Opcode Fuzzy Hash: 60c5642cf9d1a24d13382d529420ce49e89d3ee3769af8e3f310f28140125189
Instruction Fuzzy Hash: AF4181322287818AEBA08F62D4443D9A7A5F788BD9F084126EF4967BD9FF3CC5059744

Function 000001D7C96C0EE8 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96C0E3F

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C0E4A
_getstream.LIBCMT ref: 000001D7C96C0E6A
_errno.LIBCMT ref: 000001D7C96C0E7C
_errno.LIBCMT ref: 000001D7C96C0E8E
_openfile.LIBCMT ref: 000001D7C96C0EBC

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: dcacbdf09ee3395c7399352474765e9b1ac4db17464df6fdf53de82e1655b2db
Instruction ID: a7fadcde529b2bbb47abe2a28a70a11d1793e9f385259f62de58ddfded4a8ae6
Opcode Fuzzy Hash: dcacbdf09ee3395c7399352474765e9b1ac4db17464df6fdf53de82e1655b2db
Instruction Fuzzy Hash: 1521933126D7938DFFA15B61A80139AA691BB48BC1F844423FD89A7BD6FB3CC5418704

Function 000001D7C94102E8 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C941023F

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C941024A
_getstream.LIBCMT ref: 000001D7C941026A
_errno.LIBCMT ref: 000001D7C941027C
_errno.LIBCMT ref: 000001D7C941028E
_openfile.LIBCMT ref: 000001D7C94102BC

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 342e6eb9700879c5b25170bec061c8a374cb3783ea06d0574645602b0305d7f4
Instruction ID: 161f32d87282e55eab6e40a437634354724a7a3f3f83b3e6f5b991a04e2ddc9d
Opcode Fuzzy Hash: 342e6eb9700879c5b25170bec061c8a374cb3783ea06d0574645602b0305d7f4
Instruction Fuzzy Hash: AC21503123D683CDFBE15B2199013DB6295A7497C2F244423A98987BD5FB3CCA419704

Function 000001D7C96B01A4 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96B01C5

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

free.LIBCMT ref: 000001D7C96B0200
fwrite.LIBCMT ref: 000001D7C96B0241
fclose.LIBCMT ref: 000001D7C96B0249
free.LIBCMT ref: 000001D7C96B0256

Part of subcall function 000001D7C96BF744: HeapFree.KERNEL32 ref: 000001D7C96BF75A
Part of subcall function 000001D7C96BF744: _errno.LIBCMT ref: 000001D7C96BF764
Part of subcall function 000001D7C96BF744: GetLastError.KERNEL32 ref: 000001D7C96BF76C

GetLastError.KERNEL32 ref: 000001D7C96B025B

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
String ID:
API String ID: 1616846154-0
Opcode ID: 331888d7d777c1ea6c938d60486225b34a51eef7fcf3f8b32cc6b582a7922759
Instruction ID: 0404b36af8ec6b81673210a8a5744bca7da75bdef6ceb1aca189ac3e33b0a755
Opcode Fuzzy Hash: 331888d7d777c1ea6c938d60486225b34a51eef7fcf3f8b32cc6b582a7922759
Instruction Fuzzy Hash: 0D11B73272C68289E990E712A0513ED5751AB85BE5F444122EE9D277CAFF3CC5059740

Function 000001D7C96B49C8 Relevance: 9.1, APIs: 6, Instructions: 51pipefileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000001D7C96B49E6
WaitNamedPipeA.KERNEL32 ref: 000001D7C96B49FB
CreateFileA.KERNEL32 ref: 000001D7C96B4A25
SetNamedPipeHandleState.KERNEL32 ref: 000001D7C96B4A47
DisconnectNamedPipe.KERNEL32 ref: 000001D7C96B4A54
SetLastError.KERNEL32 ref: 000001D7C96B4A69

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
String ID:
API String ID: 3798860377-0
Opcode ID: 432096a6c4bb618bc65166ca7127fbaba4eb2b3faa958be4bbe042c6831f1e5d
Instruction ID: 7756336d9d2162759247673448beeb4918bb2763fab95e57d9734e266874f8cc
Opcode Fuzzy Hash: 432096a6c4bb618bc65166ca7127fbaba4eb2b3faa958be4bbe042c6831f1e5d
Instruction Fuzzy Hash: B311E63362C69286FB909B25E48439E6351F784BE6F408216EE6967AD8FF7CC8548700

Function 000001D7C96BF4F8 Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96BF51B

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

malloc.LIBCMT ref: 000001D7C96BF529

Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF818
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF81D

malloc.LIBCMT ref: 000001D7C96BF54B
_snprintf.LIBCMT ref: 000001D7C96BF566

Part of subcall function 000001D7C96BFB3C: _errno.LIBCMT ref: 000001D7C96BFB73
Part of subcall function 000001D7C96BFB3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96BFB7E

malloc.LIBCMT ref: 000001D7C96BF581

Strings

HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 000001D7C96BF550

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
API String ID: 3518644649-2739389480
Opcode ID: 690a89ffa644baba67d4226f664b922cd7954317687ab58a8b6b34ec798ca1a4
Instruction ID: 0e654d7cb4139dca368a3abd85e2b41f4b06cf7b2ba01b20b53c4ea2c2b7d3d8
Opcode Fuzzy Hash: 690a89ffa644baba67d4226f664b922cd7954317687ab58a8b6b34ec798ca1a4
Instruction Fuzzy Hash: 4801E13261879145EA84EF12B8006997699E38CFE1F14422AEE68577D6FF78C0218740

Function 000001D7C940E8F8 Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C940E91B

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

malloc.LIBCMT ref: 000001D7C940E929

Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EC18
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC1D

malloc.LIBCMT ref: 000001D7C940E94B
_snprintf.LIBCMT ref: 000001D7C940E966

Part of subcall function 000001D7C940EF3C: _errno.LIBCMT ref: 000001D7C940EF73
Part of subcall function 000001D7C940EF3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C940EF7E

malloc.LIBCMT ref: 000001D7C940E981

Strings

R6027- not enough space for lowio initialization, xrefs: 000001D7C940E950

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID: R6027- not enough space for lowio initialization
API String ID: 2026495703-4001527136
Opcode ID: f1cae3d74f9cf5499507d497864d740e535253f3ac25bc132dc9c61d8ffde134
Instruction ID: ddb2c2f7b19fea1851575c8d54dac52d4816b18e4d1279bd289e6d12b519c9a8
Opcode Fuzzy Hash: f1cae3d74f9cf5499507d497864d740e535253f3ac25bc132dc9c61d8ffde134
Instruction Fuzzy Hash: 3F01C83172879145E6C4DB52B404B9B66A9F788FE1F04521AEE69477C6EF38C1518740

Function 000001D7C96B3734 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 000001D7C96B376E
strchr.LIBCMT ref: 000001D7C96B378C
malloc.LIBCMT ref: 000001D7C96B37A4
malloc.LIBCMT ref: 000001D7C96B37B1
rand.LIBCMT ref: 000001D7C96B387D
free.LIBCMT ref: 000001D7C96B399B
free.LIBCMT ref: 000001D7C96B39A3

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: a5644949901ebf40378b124b04eb4f54f85e47ea4aa3d4ce2fefb85e004cc7b1
Instruction ID: dbdb5a9a5ae5ecabefbd0d28a9bcf882c8fc921329c43ef20c2e5f1b7d04a06e
Opcode Fuzzy Hash: a5644949901ebf40378b124b04eb4f54f85e47ea4aa3d4ce2fefb85e004cc7b1
Instruction Fuzzy Hash: 04712D7172DAC149FAA5AF29A4103EAA390EF85B85F044112DF8927BD6FF2DC157D300

Function 000001D7C9402B34 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 000001D7C9402B6E
strchr.LIBCMT ref: 000001D7C9402B8C
malloc.LIBCMT ref: 000001D7C9402BA4
malloc.LIBCMT ref: 000001D7C9402BB1
rand.LIBCMT ref: 000001D7C9402C7D
free.LIBCMT ref: 000001D7C9402D9B
free.LIBCMT ref: 000001D7C9402DA3

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$rand
String ID:
API String ID: 1305919620-0
Opcode ID: 4f3bb4adb3b322cb13169a62b978638d9ff37c533b793a73b3063810de663598
Instruction ID: a666249463435ee547d2c43a34ce439277d92d2e8c710b8d48dfa2cc2a17ebf1
Opcode Fuzzy Hash: 4f3bb4adb3b322cb13169a62b978638d9ff37c533b793a73b3063810de663598
Instruction Fuzzy Hash: F2712A7162CAC549FAE59B29A0103EBA7A0EF95B85F086116DF89177D6FF2DC2528300

Function 000001D7C96A4170 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96A41BD

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

malloc.LIBCMT ref: 000001D7C96A41C8

Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF818
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF81D

free.LIBCMT ref: 000001D7C96A42AF
free.LIBCMT ref: 000001D7C96A42B7
free.LIBCMT ref: 000001D7C96A42BF
free.LIBCMT ref: 000001D7C96A42CB
free.LIBCMT ref: 000001D7C96A42D8

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: 944fe457b00a16f6bc8c978b0e9f4d7957d55bd2ab3a4d853e2366663c9013e5
Instruction ID: a8264cbf9b8bf79dd3dff977b830d8c09ee8ed333b8e3dc0af4bee1f8d85a1a2
Opcode Fuzzy Hash: 944fe457b00a16f6bc8c978b0e9f4d7957d55bd2ab3a4d853e2366663c9013e5
Instruction Fuzzy Hash: A441E1363287838FEA95DB66A9543E92790BB49B82F504126DE462B7D5FF34D822D300

Function 000001D7C93F3570 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C93F35BD

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

malloc.LIBCMT ref: 000001D7C93F35C8

Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EC18
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC1D

free.LIBCMT ref: 000001D7C93F36AF
free.LIBCMT ref: 000001D7C93F36B7
free.LIBCMT ref: 000001D7C93F36BF
free.LIBCMT ref: 000001D7C93F36CB
free.LIBCMT ref: 000001D7C93F36D8

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 6c849c0ca28a81ccfa0af3d4d8d64ee3ef4844567f60827c11a0bbd335077ef0
Instruction ID: 3aa52a3f9c46b9db44b761ac41a7297c2f22f81e10c3c05e56d15bded5f01bb1
Opcode Fuzzy Hash: 6c849c0ca28a81ccfa0af3d4d8d64ee3ef4844567f60827c11a0bbd335077ef0
Instruction Fuzzy Hash: 5C41C132328B939FEE98DB2695907EA6760B744BC2F440062DE164BB91FF34D526C700

Function 000001D7C96AF7B4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

htonl.WS2_32 ref: 000001D7C96AF82D
htonl.WS2_32 ref: 000001D7C96AF837
malloc.LIBCMT ref: 000001D7C96AF850
free.LIBCMT ref: 000001D7C96AF8BD

Strings

zyxwvutsrqponmlk, xrefs: 000001D7C96AF88C

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: htonl$freemalloc
String ID: zyxwvutsrqponmlk
API String ID: 1249573706-3884694604
Opcode ID: 93d6c50653c102381ca2afabed609a70f29cce66ab51092ef5ede55ee2b9cb33
Instruction ID: e45358504610a595bf3a1e3088b31de052f97d085b2c39f7521d1a321125557e
Opcode Fuzzy Hash: 93d6c50653c102381ca2afabed609a70f29cce66ab51092ef5ede55ee2b9cb33
Instruction Fuzzy Hash: 0031F5323282824AEB94EF76A5513E976D1A784BD1F444036EE59A77EBFF3CC4128340

Function 000001D7C96B44E4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001D7C96B4527
GetProcAddress.KERNEL32 ref: 000001D7C96B4537
GetLastError.KERNEL32 ref: 000001D7C96B45FF

Part of subcall function 000001D7C96BD10C: GetCurrentProcess.KERNEL32 ref: 000001D7C96BD199

Part of subcall function 000001D7C96BD640: GetCurrentProcess.KERNEL32 ref: 000001D7C96BD66D

Strings

NtMapViewOfSection, xrefs: 000001D7C96B452D
ntdll.dll, xrefs: 000001D7C96B4519

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CurrentProcess$AddressErrorHandleLastModuleProc
String ID: NtMapViewOfSection$ntdll.dll
API String ID: 1006775078-3170647572
Opcode ID: f8a4e15c03baeafcb302875327fe40b43d52d2d9cd1185525a0f43e9bbc19db1
Instruction ID: 856477f2356b5e578d0f0f69e955abafb6cc3c042fa4ef092aa289dd4326ff1a
Opcode Fuzzy Hash: f8a4e15c03baeafcb302875327fe40b43d52d2d9cd1185525a0f43e9bbc19db1
Instruction Fuzzy Hash: AD31E432724B468AEB909B21E4557AA7390F788BB5F040326EE69177D5FF7CC4058740

Function 000001D7C940BB3C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 000001D7C940BB60

Part of subcall function 000001D7C9410114: _getptd.LIBCMT ref: 000001D7C941011C

malloc.LIBCMT ref: 000001D7C940BBA8
strtok.LIBCMT ref: 000001D7C940BC0C
strtok.LIBCMT ref: 000001D7C940BC1D

Strings

stdio initialization, xrefs: 000001D7C940BBE6

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: strtok$_getptd_time64malloc
String ID: stdio initialization
API String ID: 1522986614-3352209894
Opcode ID: 20b272d5e67e3818beba124345a55b816070deeec536b6a6fc28362feac34d4a
Instruction ID: b4af10aa438ad208b9cba788a8f0351abba463a6a2e09b7b97e450147b235736
Opcode Fuzzy Hash: 20b272d5e67e3818beba124345a55b816070deeec536b6a6fc28362feac34d4a
Instruction Fuzzy Hash: 08210472624B958AEB84CF51E0446EA37A8F349BD5F165267EE1A437C6EB30C241C340

Function 000001D7C96B24F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96B2512

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

_snprintf.LIBCMT ref: 000001D7C96B2531

Part of subcall function 000001D7C96BFB3C: _errno.LIBCMT ref: 000001D7C96BFB73
Part of subcall function 000001D7C96BFB3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96BFB7E

remove.LIBCMT ref: 000001D7C96B253D

Part of subcall function 000001D7C96C1C48: __copy_path_to_wide_string.LIBCMT ref: 000001D7C96C1C5F

remove.LIBCMT ref: 000001D7C96B2544

Strings

%s\%s, xrefs: 000001D7C96B2517

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$remove$AllocHeap__copy_path_to_wide_string_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID: %s\%s
API String ID: 2063819003-4073750446
Opcode ID: cc23da6e95c9f4d05934b545fb4c9ca09cee95774d1c9a8f38f30f6e4cba2b0f
Instruction ID: 7f52cef097bb9d7843708debe617479b5199920188d2f112a86d5fa22924e70a
Opcode Fuzzy Hash: cc23da6e95c9f4d05934b545fb4c9ca09cee95774d1c9a8f38f30f6e4cba2b0f
Instruction Fuzzy Hash: C8F0967222C7818DE250AB41B4213DAB350E784BC1F584032FF5927BDAFF38C5215744

Function 000001D7C94018F0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C9401912

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

_snprintf.LIBCMT ref: 000001D7C9401931

Part of subcall function 000001D7C940EF3C: _errno.LIBCMT ref: 000001D7C940EF73
Part of subcall function 000001D7C940EF3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C940EF7E

remove.LIBCMT ref: 000001D7C940193D

Part of subcall function 000001D7C9411048: __copy_path_to_wide_string.LIBCMT ref: 000001D7C941105F

remove.LIBCMT ref: 000001D7C9401944

Strings

not open service control manager on %s: %d, xrefs: 000001D7C9401917

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$remove$__copy_path_to_wide_string_callnewh_invalid_parameter_noinfo_snprintfmalloc
String ID: not open service control manager on %s: %d
API String ID: 1078080488-1673644724
Opcode ID: b9d8fb700c48650ea431670bd861b2b6ec015ae959caf29f59ed5de7415ac537
Instruction ID: d9c1dfa7ed593a1319d95fad0aa8611acc123ea58d6bca57763951695e0c3746
Opcode Fuzzy Hash: b9d8fb700c48650ea431670bd861b2b6ec015ae959caf29f59ed5de7415ac537
Instruction Fuzzy Hash: 96F0903162CA82CEE2D09B11B4117EFA320A788BD1F585422BF8917BD6EF38C7118744

Function 000001D7C93FDABC Relevance: 7.8, APIs: 3, Strings: 2, Instructions: 270COMMON

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001D7C93FDB63

Part of subcall function 000001D7C940EF3C: _errno.LIBCMT ref: 000001D7C940EF73
Part of subcall function 000001D7C940EF3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C940EF7E

Part of subcall function 000001D7C9407474: _snprintf.LIBCMT ref: 000001D7C94075E1

_snprintf.LIBCMT ref: 000001D7C93FDBFA

Part of subcall function 000001D7C94026B0: strchr.LIBCMT ref: 000001D7C9402716
Part of subcall function 000001D7C94026B0: _snprintf.LIBCMT ref: 000001D7C940274C

Part of subcall function 000001D7C940254C: strchr.LIBCMT ref: 000001D7C94025A9
Part of subcall function 000001D7C940254C: _snprintf.LIBCMT ref: 000001D7C94025F3

_snprintf.LIBCMT ref: 000001D7C93FDC11

Strings

d file: %d, xrefs: 000001D7C93FDB56, 000001D7C93FDBEF
ould not open %s: %d, xrefs: 000001D7C93FDAED

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _snprintf$strchr$_errno_invalid_parameter_noinfo
String ID: d file: %d$ould not open %s: %d
API String ID: 199363273-1708695814
Opcode ID: 7393462b936688876856f6d4099ab9690f02b62a0015a8229f8b87d22975d01e
Instruction ID: 3510207792ff17e2488cf0b27a5915828569bc7415d021fc41f8a345b1c70fda
Opcode Fuzzy Hash: 7393462b936688876856f6d4099ab9690f02b62a0015a8229f8b87d22975d01e
Instruction Fuzzy Hash: C8C1BF71628A428AEBE4DF25E8043DB77A1F798B86F005127EA5A477D8FF38C645C740

Function 000001D7C940A250 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 137COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001D7C940A2B3

Part of subcall function 000001D7C940EF3C: _errno.LIBCMT ref: 000001D7C940EF73
Part of subcall function 000001D7C940EF3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C940EF7E

_snprintf.LIBCMT ref: 000001D7C940A2C9

Strings

uld not open service control manager on %s: %d, xrefs: 000001D7C940A27D
rPrivilege, xrefs: 000001D7C940A374
open %s: %d, xrefs: 000001D7C940A2B8

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: open %s: %d$rPrivilege$uld not open service control manager on %s: %d
API String ID: 3442832105-3851863454
Opcode ID: d318c63aeb3d56c69e576bb9a32d6fdf8e2491828173bdf9193dd8e1fb88d264
Instruction ID: 9e514167a19fcb7dc604198776ca9c67cb9814576ce1ea39b62aae749862819e
Opcode Fuzzy Hash: d318c63aeb3d56c69e576bb9a32d6fdf8e2491828173bdf9193dd8e1fb88d264
Instruction Fuzzy Hash: 56518572325B82EDEB809F6498447D937A8E748789F814527AA4D53BCAFF38C619C340

Function 000001D7C96B0638 Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3780ae5061e3cd987303246071dff413e7aa083650f04dfb46401c4fcac6139
Instruction ID: 2fd23b062f98db154384f9b422debab15a31cfc84713fe04b4f967779560e5dc
Opcode Fuzzy Hash: f3780ae5061e3cd987303246071dff413e7aa083650f04dfb46401c4fcac6139
Instruction Fuzzy Hash: F251DE32B28A4299EB90EF64C4513ED2760F784B8AF809122EE49376DAFF38C545D740

Function 000001D7C941A5F4 Relevance: 7.6, APIs: 5, Instructions: 132COMMONLIBRARYCODE

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 000001D7C941A621

Part of subcall function 000001D7C94149AC: _FF_MSGBANNER.LIBCMT ref: 000001D7C94149C9
Part of subcall function 000001D7C94149AC: _NMSG_WRITE.LIBCMT ref: 000001D7C94149D3

_lock.LIBCMT ref: 000001D7C941A634
_lock.LIBCMT ref: 000001D7C941A68F
_calloc_crt.LIBCMT ref: 000001D7C941A746
__lock_fhandle.LIBCMT ref: 000001D7C941A7AE

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _lock$__lock_fhandle_calloc_crt_mtinitlocknum
String ID:
API String ID: 2139160410-0
Opcode ID: f7add8fcf36b82343b41d81ae9f352fe1fd1590782343b494d70447f037b1835
Instruction ID: def70ceab900c4947923dcfc8fcd12d3fbb852b44708bb60cbe9a5b73c5e023f
Opcode Fuzzy Hash: f7add8fcf36b82343b41d81ae9f352fe1fd1590782343b494d70447f037b1835
Instruction Fuzzy Hash: FC51D333228781CAEB909F21D4443AAA7A5F794B95F294517DE5D473D4EB38CB46C700

Function 000001D7C9400FD4 Relevance: 7.6, APIs: 5, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 000001D7C940592C: malloc.LIBCMT ref: 000001D7C9405948

Part of subcall function 000001D7C94102E8: _errno.LIBCMT ref: 000001D7C941023F
Part of subcall function 000001D7C94102E8: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C941024A

fseek.LIBCMT ref: 000001D7C9401070

Part of subcall function 000001D7C9410B64: _errno.LIBCMT ref: 000001D7C9410B8C
Part of subcall function 000001D7C9410B64: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C9410B97

_ftelli64.LIBCMT ref: 000001D7C9401078

Part of subcall function 000001D7C9410BD8: _errno.LIBCMT ref: 000001D7C9410BF6
Part of subcall function 000001D7C9410BD8: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C9410C01

fseek.LIBCMT ref: 000001D7C9401088

Part of subcall function 000001D7C9410B64: _fseek_nolock.LIBCMT ref: 000001D7C9410BB5

malloc.LIBCMT ref: 000001D7C94010C8

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

Part of subcall function 000001D7C93FC444: malloc.LIBCMT ref: 000001D7C93FC457

fclose.LIBCMT ref: 000001D7C9401185

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfomalloc$fseek$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 1756087678-0
Opcode ID: a5fe7b4ab7cdb62168c61f893439d0a26b40b5480d9409c4e7f2545fa7cba353
Instruction ID: e00c4fec5b97015e9881cf545484bf1b071bb16047e15668ba11a3640c55b8ce
Opcode Fuzzy Hash: a5fe7b4ab7cdb62168c61f893439d0a26b40b5480d9409c4e7f2545fa7cba353
Instruction Fuzzy Hash: 7E41A33132868189EA94EB12A4557EB6351F7C9BD1F405127AE5A47BD6FF3CC7018700

Function 000001D7C96C0EF4 Relevance: 7.6, APIs: 5, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96C0F2C

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96C0F37
_flush.LIBCMT ref: 000001D7C96C0FE9
_fileno.LIBCMT ref: 000001D7C96C100A
_flsbuf.LIBCMT ref: 000001D7C96C104D

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flsbuf_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 1640621425-0
Opcode ID: 0e201a766284448b7ed02b1b0103a6347d2264006829d540288bdc788ef00e01
Instruction ID: 42fcb0a22365c1a4247e0cf24c90b3f4f8b1fc95c1be45c0b007b32c9339bca1
Opcode Fuzzy Hash: 0e201a766284448b7ed02b1b0103a6347d2264006829d540288bdc788ef00e01
Instruction Fuzzy Hash: B041493132C3828EFEE44E2255443DAB691B704FE6F584226FEA5677C1FB38C5828240

Function 000001D7C96A54F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96A553A

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

malloc.LIBCMT ref: 000001D7C96A5545

Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF818
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF81D

free.LIBCMT ref: 000001D7C96A562C
free.LIBCMT ref: 000001D7C96A5634
free.LIBCMT ref: 000001D7C96A5640
free.LIBCMT ref: 000001D7C96A564D

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc$AllocHeap
String ID:
API String ID: 996410232-0
Opcode ID: 241447826085a86a25232a6c6267bde6180671278bc9ec3a11bd394b35bdebd6
Instruction ID: bf27b0a98e469e9610de75cbaf610c9f9812891fdaa5390ff00ec251b1e8dd53
Opcode Fuzzy Hash: 241447826085a86a25232a6c6267bde6180671278bc9ec3a11bd394b35bdebd6
Instruction Fuzzy Hash: C54106322283874EEA95DB2A69147ED6794B795BC9F185022DD455B7E1FF38C406C300

Function 000001D7C93F48F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C93F493A

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

malloc.LIBCMT ref: 000001D7C93F4945

Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EC18
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC1D

free.LIBCMT ref: 000001D7C93F4A2C
free.LIBCMT ref: 000001D7C93F4A34
free.LIBCMT ref: 000001D7C93F4A40
free.LIBCMT ref: 000001D7C93F4A4D

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 0cd1d7ceb7dc16c6b7acb441625fc6a3e3f734f8aaeeb69b87d11a7bb25a83ed
Instruction ID: ffb6cf2cfd906054f8d100fd77cd8db8478bcf3014cf00a2e918195be842baea
Opcode Fuzzy Hash: 0cd1d7ceb7dc16c6b7acb441625fc6a3e3f734f8aaeeb69b87d11a7bb25a83ed
Instruction Fuzzy Hash: CB4116323283834AFF95DB2A544879A6794F794BCAF094062DD168B7D2FF38C516C709

Function 000001D7C9411FC0 Relevance: 7.6, APIs: 5, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 000001D7C9411FDD

Part of subcall function 000001D7C9415950: _errno.LIBCMT ref: 000001D7C9415959
Part of subcall function 000001D7C9415950: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C9415964

_errno.LIBCMT ref: 000001D7C9411FED

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

_errno.LIBCMT ref: 000001D7C9412009
_isatty.LIBCMT ref: 000001D7C941206A
_getbuf.LIBCMT ref: 000001D7C9412076

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: 2a921d882178450f838b5fc32708d556e41fdae3db61d31b138c6ba5e7fb76e4
Instruction ID: 7d447a8d3ee64bf0f0da1cd7acd6f2da3fbbc03eb668b707059b90be5fee8bd8
Opcode Fuzzy Hash: 2a921d882178450f838b5fc32708d556e41fdae3db61d31b138c6ba5e7fb76e4
Instruction Fuzzy Hash: 0341E572228B86CEEBA89F28D4513AE37B0E744B95F244217DB65873D6FB74CA41C740

Function 000001D7C96B32B0 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 94stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001D7C96B3734: strchr.LIBCMT ref: 000001D7C96B376E
Part of subcall function 000001D7C96B3734: strchr.LIBCMT ref: 000001D7C96B378C
Part of subcall function 000001D7C96B3734: malloc.LIBCMT ref: 000001D7C96B37A4
Part of subcall function 000001D7C96B3734: malloc.LIBCMT ref: 000001D7C96B37B1
Part of subcall function 000001D7C96B3734: rand.LIBCMT ref: 000001D7C96B387D

strchr.LIBCMT ref: 000001D7C96B3316
_snprintf.LIBCMT ref: 000001D7C96B334C

Part of subcall function 000001D7C96BFB3C: _errno.LIBCMT ref: 000001D7C96BFB73
Part of subcall function 000001D7C96BFB3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C96BFB7E

_snprintf.LIBCMT ref: 000001D7C96B3363

Strings

%s&%s, xrefs: 000001D7C96B335C
?%s, xrefs: 000001D7C96B3345

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
String ID: %s&%s$?%s
API String ID: 1095232423-1750478248
Opcode ID: 8f2046143a2d31402dffabc9ee83099ff8a146bfe8155c39ccff42cfbc2c31ec
Instruction ID: bf9765f132bc1c1fcc6e02fc81c8914fd00f53f3d3b9c4aad399ee0740c8377a
Opcode Fuzzy Hash: 8f2046143a2d31402dffabc9ee83099ff8a146bfe8155c39ccff42cfbc2c31ec
Instruction Fuzzy Hash: 08419272318EC295EA519B2AD1412E9A3A0FF98B96F045112DF4967BE1FF34D1B2D340

Function 000001D7C96CBB44 Relevance: 7.6, APIs: 5, Instructions: 93COMMON

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C96CBBA6
_isleadbyte_l.LIBCMT ref: 000001D7C96CBBD6
MultiByteToWideChar.KERNEL32 ref: 000001D7C96CBC15
MultiByteToWideChar.KERNEL32 ref: 000001D7C96CBC63
_errno.LIBCMT ref: 000001D7C96CBC6D

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
String ID:
API String ID: 2998201375-0
Opcode ID: b9ead49a5b53b10c6423ef7464e667957a75670434e7081c764598f130a89437
Instruction ID: dbef789031380109b036a2490e1f6d80dd309aa4063bb4c3c6d0d9f98e40effd
Opcode Fuzzy Hash: b9ead49a5b53b10c6423ef7464e667957a75670434e7081c764598f130a89437
Instruction Fuzzy Hash: B04194723287828AE7A08F3591807A977A5F744F96F144127FB8967BD9EB38C441C700

Function 000001D7C96C1ECC Relevance: 7.6, APIs: 5, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C96C1EE5

Part of subcall function 000001D7C96C0304: _getptd.LIBCMT ref: 000001D7C96C031A
Part of subcall function 000001D7C96C0304: __updatetlocinfo.LIBCMT ref: 000001D7C96C034F
Part of subcall function 000001D7C96C0304: __updatetmbcinfo.LIBCMT ref: 000001D7C96C0376

_isctype_l.LIBCMT ref: 000001D7C96C1F0A

Part of subcall function 000001D7C96C8FE0: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C96C8FFD

_isleadbyte_l.LIBCMT ref: 000001D7C96C1F6B
_errno.LIBCMT ref: 000001D7C96C1F87

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

__crtLCMapStringA.LIBCMT ref: 000001D7C96C1FDC

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::_$String__crt__updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_isctype_l_isleadbyte_l
String ID:
API String ID: 3721319420-0
Opcode ID: 4c206037a2c65070021aa6dcbeb63d2cd1f08d672734077a3c8159bdefc3986a
Instruction ID: 6646ee9a003fe47c4831136cd25838bd8aac5eab9b9a0885cc0845a8ddaa43d6
Opcode Fuzzy Hash: 4c206037a2c65070021aa6dcbeb63d2cd1f08d672734077a3c8159bdefc3986a
Instruction Fuzzy Hash: B6418B726286808EF7A18B25C8403ED3BF1F345789F150227FAAA67BC9DB78C640C750

Function 000001D7C94112CC Relevance: 7.6, APIs: 5, Instructions: 84COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C94112E5

Part of subcall function 000001D7C940F704: _getptd.LIBCMT ref: 000001D7C940F71A
Part of subcall function 000001D7C940F704: __updatetlocinfo.LIBCMT ref: 000001D7C940F74F
Part of subcall function 000001D7C940F704: __updatetmbcinfo.LIBCMT ref: 000001D7C940F776

_isctype_l.LIBCMT ref: 000001D7C941130A

Part of subcall function 000001D7C94183E0: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C94183FD

_isleadbyte_l.LIBCMT ref: 000001D7C941136B
_errno.LIBCMT ref: 000001D7C9411387

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

__crtLCMapStringA.LIBCMT ref: 000001D7C94113DC

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::_$String__crt__updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_isctype_l_isleadbyte_l
String ID:
API String ID: 3721319420-0
Opcode ID: f33022685bd855af6cdd268e5eb5a79ab22a6eaede37df24c70010dfb18ca3b1
Instruction ID: 620e2a32773a32697e048aaf2b228351fa15f344cf759caf6351dc76022b9497
Opcode Fuzzy Hash: f33022685bd855af6cdd268e5eb5a79ab22a6eaede37df24c70010dfb18ca3b1
Instruction Fuzzy Hash: 0241BF72628785CDF7A18B25C8403EE3BB1F349789F280226EA9957BC9DB78C750C750

Function 000001D7C93FF5A4 Relevance: 7.6, APIs: 5, Instructions: 58fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C93FF5C5

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

free.LIBCMT ref: 000001D7C93FF600
fwrite.LIBCMT ref: 000001D7C93FF641
fclose.LIBCMT ref: 000001D7C93FF649
free.LIBCMT ref: 000001D7C93FF656

Part of subcall function 000001D7C940EB44: _errno.LIBCMT ref: 000001D7C940EB64

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$free$_callnewhfclosefwritemalloc
String ID:
API String ID: 1696598829-0
Opcode ID: 859c10a2ddcd9e949748fd51d2f35da715609dd525501abc889d0a4fd4cf1536
Instruction ID: a32ebc24b804fee47e402d4c4350687f97bfbfe4c67bee10de857331cb5005c4
Opcode Fuzzy Hash: 859c10a2ddcd9e949748fd51d2f35da715609dd525501abc889d0a4fd4cf1536
Instruction Fuzzy Hash: 3E11B73132CA4289EE90E712A4513EF5351A7C5BE2F544222EE5E1BBCBFF2CC6118740

Function 000001D7C96CB498 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96CB4A9

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

__doserrno.LIBCMT ref: 000001D7C96CB4A1

Part of subcall function 000001D7C96C24CC: _getptd_noexit.LIBCMT ref: 000001D7C96C24D0

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: d94b5ad953bd0cf70c69b25e4c4daabb42b17d7697afb2b070f44a89317073a9
Instruction ID: 41cf0cae0da22f30ed3e3e83c7fd9f56fa0a55e19a503ccc2a61f20ae61d6db6
Opcode Fuzzy Hash: d94b5ad953bd0cf70c69b25e4c4daabb42b17d7697afb2b070f44a89317073a9
Instruction Fuzzy Hash: 6101F47233CB824DEA99AF78C4D03EC75509B50B37F908303F92A263D6E7388405C611

Function 000001D7C941A898 Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C941A8A9

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

__doserrno.LIBCMT ref: 000001D7C941A8A1

Part of subcall function 000001D7C94118CC: _getptd_noexit.LIBCMT ref: 000001D7C94118D0

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: c93c2135cac45a652223676b9f5215ed2e458c18d63490c02264c71ea5771a44
Instruction ID: 837d4b5a55f38164665953427b220c797085aa3950aa393157d55317342f9616
Opcode Fuzzy Hash: c93c2135cac45a652223676b9f5215ed2e458c18d63490c02264c71ea5771a44
Instruction Fuzzy Hash: 25018176638A46CCEE852B25C9813EE36905B94B73FB18303D52A063D2F7384746C211

Function 000001D7C9405768 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001D7C940592C: malloc.LIBCMT ref: 000001D7C9405948

strrchr.LIBCMT ref: 000001D7C940582D
_snprintf.LIBCMT ref: 000001D7C94058DB

Strings

08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s, xrefs: 000001D7C9405885, 000001D7C94058A6
ockMemoryPrivilege, xrefs: 000001D7C940583F

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _snprintfmallocstrrchr
String ID: 08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s$ockMemoryPrivilege
API String ID: 3587327836-1985250465
Opcode ID: 3fcc9734dfb008eb330924bec949316915ae8132a5d43751b4f12920707a76c7
Instruction ID: 8d687ac8f3c5c57e00f9ed457f721355956b8715c3f773cacefeafbfb5444d5c
Opcode Fuzzy Hash: 3fcc9734dfb008eb330924bec949316915ae8132a5d43751b4f12920707a76c7
Instruction Fuzzy Hash: 5B41B3357286828AEF84EB22A8557EB6391B789BD5F445122ED560B7D6FF3CC6028700

Function 000001D7C96B2D58 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93sleeppipeCOMMON

Download Yara Rule

APIs

CreatePipe.KERNEL32 ref: 000001D7C96B2DE3
GetStartupInfoA.KERNEL32 ref: 000001D7C96B2DED
Sleep.KERNEL32 ref: 000001D7C96B2E34

Part of subcall function 000001D7C96B4E18: GetTickCount.KERNEL32 ref: 000001D7C96B4E31
Part of subcall function 000001D7C96B4E18: GetTickCount.KERNEL32 ref: 000001D7C96B4E72

Strings

h, xrefs: 000001D7C96B2D8D

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CountTick$CreateInfoPipeSleepStartup
String ID: h
API String ID: 1809008225-2439710439
Opcode ID: 9446fe41871a93edcaee59f27dfaa12ce5a5dadec32f1146d52345f1e33fd091
Instruction ID: 9c7fea0cd207387e267a50c53d5c3181d6a7d8dfbcbccb557f269980aa18ffbd
Opcode Fuzzy Hash: 9446fe41871a93edcaee59f27dfaa12ce5a5dadec32f1146d52345f1e33fd091
Instruction Fuzzy Hash: 3E419C32614B858AE750CF65E8406CE77B5F388798F100116EF9C63BA8EF38D545CB40

Function 000001D7C96BE6E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32 ref: 000001D7C96BE779
LookupAccountSidA.ADVAPI32 ref: 000001D7C96BE7BE
_snprintf.LIBCMT ref: 000001D7C96BE7E6

Strings

%s\%s, xrefs: 000001D7C96BE7D4

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AccountInformationLookupToken_snprintf
String ID: %s\%s
API String ID: 2107350476-4073750446
Opcode ID: c2b47e83a0482d8b2621095f0919b51e837755e759b11db3c4bc7ba49cc1c996
Instruction ID: 6b84dd25314556f4af0c2d1ac7649589e13299364b75e3ca0b45d0dc980911df
Opcode Fuzzy Hash: c2b47e83a0482d8b2621095f0919b51e837755e759b11db3c4bc7ba49cc1c996
Instruction Fuzzy Hash: CD314636218BC29AE734DF51E8447D97364F788789F448126EE8D67B98EF38C215C740

Function 000001D7C96B4764 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001D7C96B478E
GetProcAddress.KERNEL32 ref: 000001D7C96B479E

Strings

RtlCreateUserThread, xrefs: 000001D7C96B4794
ntdll.dll, xrefs: 000001D7C96B477B

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: RtlCreateUserThread$ntdll.dll
API String ID: 1646373207-2935400652
Opcode ID: 8110136ac632eb1e22ec8f207063e20c56566fa35b8183284a85cf6f62174ec5
Instruction ID: 533ddf73fbd9767fbb43095f35b70becd7d71e7b70eac72c5aa17d2a76e1b56c
Opcode Fuzzy Hash: 8110136ac632eb1e22ec8f207063e20c56566fa35b8183284a85cf6f62174ec5
Instruction Fuzzy Hash: E3116132214B8186D750CF01F880589B7A8F788BD0F998136EA9D43B54DF38C5A9C700

Function 000001D7C96B414C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001D7C96B4170
GetProcAddress.KERNEL32 ref: 000001D7C96B4180

Strings

ntdll, xrefs: 000001D7C96B4163
NtQueueApcThread, xrefs: 000001D7C96B4176

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueueApcThread$ntdll
API String ID: 1646373207-1374908105
Opcode ID: 659c8f9d338a8264809e67b0aa0445abb9f3ae48ca7513855bd25dfc65aa8549
Instruction ID: c46f55b9b1c950e6bf4a1897a39e49a4e92dccaedad02a30f68a52fb70f36566
Opcode Fuzzy Hash: 659c8f9d338a8264809e67b0aa0445abb9f3ae48ca7513855bd25dfc65aa8549
Instruction Fuzzy Hash: DE012B32728B8385EB508F12F8401A973A0F788BD1F444522DF6957BD4FF34C1658300

Function 000001D7C96B11A4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001D7C96B11B9
GetProcAddress.KERNEL32 ref: 000001D7C96B11C9

Strings

kernel32, xrefs: 000001D7C96B11B2
IsWow64Process, xrefs: 000001D7C96B11BF

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: IsWow64Process$kernel32
API String ID: 1646373207-3789238822
Opcode ID: ec9a7b1ec5a1b5ed0352c998c098303745164b2d824357a88d083aa4862c4267
Instruction ID: 42ba66487418c1fa4627887a82abdfe6fc29bccdd1a777a1c373f097068467e1
Opcode Fuzzy Hash: ec9a7b1ec5a1b5ed0352c998c098303745164b2d824357a88d083aa4862c4267
Instruction Fuzzy Hash: 9FE092322396828AEE948B91E8903E423A0DB48792F442012D91B166E4FF28C3E9C700

Function 000001D7C96B2624 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001D7C96B2634
GetProcAddress.KERNEL32 ref: 000001D7C96B2644

Strings

kernel32, xrefs: 000001D7C96B262D
Wow64RevertWow64FsRedirection, xrefs: 000001D7C96B263A

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64RevertWow64FsRedirection$kernel32
API String ID: 1646373207-3900151262
Opcode ID: bb3725ba0ad6329d8c293bda6ea14c35acd4ab83fc96bea4959977af8bf368b6
Instruction ID: 3e48f1a15583ace38e970154f9d9a2b9d16677f6efa7cd78c425ed7913affddf
Opcode Fuzzy Hash: bb3725ba0ad6329d8c293bda6ea14c35acd4ab83fc96bea4959977af8bf368b6
Instruction Fuzzy Hash: 12D05E7172568786FE999B91F8852E413909B59B53F082022CC3E163E0FF2CC1EEC340

Function 000001D7C96B25EC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000001D7C96B25FC
GetProcAddress.KERNEL32 ref: 000001D7C96B260C

Strings

kernel32, xrefs: 000001D7C96B25F5
Wow64DisableWow64FsRedirection, xrefs: 000001D7C96B2602

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: Wow64DisableWow64FsRedirection$kernel32
API String ID: 1646373207-736604160
Opcode ID: d8c29a9c2b08e3a1e1b4acd617f0f0ff06b2e1a1df096612c54c74897329ba7b
Instruction ID: e060db9ee6e82945814bfdcded101136ad106757e4e9164601e018c93abe7406
Opcode Fuzzy Hash: d8c29a9c2b08e3a1e1b4acd617f0f0ff06b2e1a1df096612c54c74897329ba7b
Instruction Fuzzy Hash: B7D09E7176968786FE999B92F8542E423909B59B53F482026CC3A163E0FF2CC5EAC344

Function 000001D7C96BC4CC Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2747f0ee6ef39f9df4f2c94970de86c948a544e49ff24555b4fcd241b4b6e1e
Instruction ID: aae9030be5b16c1c94df05a9392d268df023d0bd9adaf6396487eb185188aa7c
Opcode Fuzzy Hash: c2747f0ee6ef39f9df4f2c94970de86c948a544e49ff24555b4fcd241b4b6e1e
Instruction Fuzzy Hash: EE61F172269606CEE7D48F18E5557E933E0E368B5AF24412BDD156B3E0FB3DC9029B80

Function 000001D7C940B8CC Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8f692c15e45a396c0fdc96bf52adf05f93ea9e5651b978868e1fccbd79cad49
Instruction ID: 509621d9b99cc4d9054f163d8c6f31559fec6e3e526468812028eb341ca08d50
Opcode Fuzzy Hash: e8f692c15e45a396c0fdc96bf52adf05f93ea9e5651b978868e1fccbd79cad49
Instruction Fuzzy Hash: 4B61B132269642CEEBE48B35E5553EE33A0F758B97F24522BCA15473E1FB38C6418B44

Function 000001D7C94102F4 Relevance: 6.1, APIs: 4, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C941032C

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C9410337
_flush.LIBCMT ref: 000001D7C94103E9
_fileno.LIBCMT ref: 000001D7C941040A

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: f6a8478b5ebd09ae642e143e4d33be07056f579bb42980118e9fa87f4e7f6543
Instruction ID: ef66bcbf9d7eb012c753770ce95fc750091649e3486620dfa309fbe2bc94deca
Opcode Fuzzy Hash: f6a8478b5ebd09ae642e143e4d33be07056f579bb42980118e9fa87f4e7f6543
Instruction Fuzzy Hash: 1341243132864ACEEAF48A2256803EFB791B744FE3F6842269E5547BD5F738C6429304

Function 000001D7C94026B0 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 94stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000001D7C9402B34: strchr.LIBCMT ref: 000001D7C9402B6E
Part of subcall function 000001D7C9402B34: strchr.LIBCMT ref: 000001D7C9402B8C
Part of subcall function 000001D7C9402B34: malloc.LIBCMT ref: 000001D7C9402BA4
Part of subcall function 000001D7C9402B34: malloc.LIBCMT ref: 000001D7C9402BB1
Part of subcall function 000001D7C9402B34: rand.LIBCMT ref: 000001D7C9402C7D

strchr.LIBCMT ref: 000001D7C9402716
_snprintf.LIBCMT ref: 000001D7C940274C

Part of subcall function 000001D7C940EF3C: _errno.LIBCMT ref: 000001D7C940EF73
Part of subcall function 000001D7C940EF3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C940EF7E

_snprintf.LIBCMT ref: 000001D7C9402763

Strings

s on %s: %d, xrefs: 000001D7C9402745

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
String ID: s on %s: %d
API String ID: 1095232423-653813431
Opcode ID: a9a69ddd5baf4d2b1af909bb1685e7a9c090affbfd0e355dfad7c3d1b8bc0488
Instruction ID: 6ee0af69b7b51e10fbd960a5afbdb264a54b954be246ee460c9ae388f7a1b1f3
Opcode Fuzzy Hash: a9a69ddd5baf4d2b1af909bb1685e7a9c090affbfd0e355dfad7c3d1b8bc0488
Instruction Fuzzy Hash: 8241BA76218EC595EA919B29D1452EAA3B0FF88B85F046113DF4C17B91FF34D2B2C340

Function 000001D7C96B4F44 Relevance: 6.1, APIs: 4, Instructions: 80synchronizationCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96B4F85

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

htonl.WS2_32 ref: 000001D7C96B4F9B

Part of subcall function 000001D7C96B5184: PeekNamedPipe.KERNEL32 ref: 000001D7C96B51BC

WaitForSingleObject.KERNEL32 ref: 000001D7C96B4FF6
free.LIBCMT ref: 000001D7C96B5032

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
String ID:
API String ID: 2495333179-0
Opcode ID: 39f1cc4d6a7c2550ae6f6326bb9fe7571e5f65ede3864b861af6a681c231860f
Instruction ID: 69c2e9733de5c472dae5fdbef99331146328ae06e9f5726f2ada28e9cc96908a
Opcode Fuzzy Hash: 39f1cc4d6a7c2550ae6f6326bb9fe7571e5f65ede3864b861af6a681c231860f
Instruction Fuzzy Hash: 7031E83222864289E7E4EF22A5403ED73A4FB89BDAF084517DF05276D5FB34C891D740

Function 000001D7C96BC73C Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_time64.LIBCMT ref: 000001D7C96BC760

Part of subcall function 000001D7C96C1D1C: GetSystemTimeAsFileTime.KERNEL32 ref: 000001D7C96C1D2A

Part of subcall function 000001D7C96C0D14: _getptd.LIBCMT ref: 000001D7C96C0D1C

malloc.LIBCMT ref: 000001D7C96BC7A8
strtok.LIBCMT ref: 000001D7C96BC80C
strtok.LIBCMT ref: 000001D7C96BC81D

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Timestrtok$FileSystem_getptd_time64malloc
String ID:
API String ID: 460628555-0
Opcode ID: 90672211a3b060b0a79cbae0dc372e6028ba002d7902671009858f063e522272
Instruction ID: 50735b7fc88981d2c280c360d96679966febbe2ce2cc6ec9a572a5c90608b7da
Opcode Fuzzy Hash: 90672211a3b060b0a79cbae0dc372e6028ba002d7902671009858f063e522272
Instruction Fuzzy Hash: 3621F27362479189EB80DF11E0446E937A8F398BE9F164227EE1A537C1FB34C041C380

Function 000001D7C96AEB04 Relevance: 6.1, APIs: 4, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

WinHttpSetOption.WINHTTP ref: 000001D7C96AEB41
WinHttpSetOption.WINHTTP ref: 000001D7C96AEB6A
WinHttpSetCredentials.WINHTTP ref: 000001D7C96AEBD2
WinHttpSetStatusCallback.WINHTTP ref: 000001D7C96AEBF8

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Http$Option$CallbackCredentialsStatus
String ID:
API String ID: 1377688715-0
Opcode ID: 665abb6602a7bbcd0c03a1d15e361484f1dced40c1fcf443288df22ff2a2282f
Instruction ID: 18eacf78059d9da46d4b2e0808f23b7657b5b7777950f062f94b50279d582b15
Opcode Fuzzy Hash: 665abb6602a7bbcd0c03a1d15e361484f1dced40c1fcf443288df22ff2a2282f
Instruction Fuzzy Hash: 6A21BF322286428AFA84EB25E4547E977A0F785B82F400127DF49237D1FF7CC4568740

Function 000001D7C96A10D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 000001D7C96A1117
clock.LIBCMT ref: 000001D7C96A1124
clock.LIBCMT ref: 000001D7C96A112D
clock.LIBCMT ref: 000001D7C96A113A

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: c4e77ee51d987536696473e1be4945446edf660c958442e0d90e313c2ac94608
Instruction ID: 85f25f98db165fbb0d2ff0d411dc70b69184a6d624762d70c656039a5b2eb02f
Opcode Fuzzy Hash: c4e77ee51d987536696473e1be4945446edf660c958442e0d90e313c2ac94608
Instruction Fuzzy Hash: 5B11363221878649F3F09E6264802BBF690F7A5395F1A0027EE44632C5FF70CD818700

Function 000001D7C96CFE08 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C96CFE2C

Part of subcall function 000001D7C96C0304: _getptd.LIBCMT ref: 000001D7C96C031A
Part of subcall function 000001D7C96C0304: __updatetlocinfo.LIBCMT ref: 000001D7C96C034F
Part of subcall function 000001D7C96C0304: __updatetmbcinfo.LIBCMT ref: 000001D7C96C0376

_errno.LIBCMT ref: 000001D7C96CFE38

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96CFE43
strchr.LIBCMT ref: 000001D7C96CFE59

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 5f204c8c5c70fe050a18db26808186844cc6623bf05668486f7209cbbe06316f
Instruction ID: fb01580bb90637b28cb720af3367322b246bb16bd8ebdf116d38dbecb4be10a2
Opcode Fuzzy Hash: 5f204c8c5c70fe050a18db26808186844cc6623bf05668486f7209cbbe06316f
Instruction Fuzzy Hash: 3A21EB7213C2E669EBE44E1190503FD6AD1E38CBD7F984523FA8667AC7EB28C5618710

Function 000001D7C941F208 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 000001D7C941F22C

Part of subcall function 000001D7C940F704: _getptd.LIBCMT ref: 000001D7C940F71A
Part of subcall function 000001D7C940F704: __updatetlocinfo.LIBCMT ref: 000001D7C940F74F
Part of subcall function 000001D7C940F704: __updatetmbcinfo.LIBCMT ref: 000001D7C940F776

_errno.LIBCMT ref: 000001D7C941F238

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C941F243
strchr.LIBCMT ref: 000001D7C941F259

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
String ID:
API String ID: 4151157258-0
Opcode ID: 86c93e1637163f5c628d818083f4ea90627915c4c858cc11b9ab207d18aaaf4b
Instruction ID: 75631605d1ee63fdf66cd9ca793d478c6171044f5682d80b813e52956d0c6732
Opcode Fuzzy Hash: 86c93e1637163f5c628d818083f4ea90627915c4c858cc11b9ab207d18aaaf4b
Instruction Fuzzy Hash: 0021F67653C2A2C8EBE04651D0503FF66D0E384BD7FB84163AA8A07EC5EB29C6528600

Function 000001D7C93F04D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 000001D7C93F0517
clock.LIBCMT ref: 000001D7C93F0524
clock.LIBCMT ref: 000001D7C93F052D
clock.LIBCMT ref: 000001D7C93F053A

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: c4e77ee51d987536696473e1be4945446edf660c958442e0d90e313c2ac94608
Instruction ID: 9df08d2f2b9789dcc608ab361bb7fd0a9b4c170435fae87645cd973db47b2aeb
Opcode Fuzzy Hash: c4e77ee51d987536696473e1be4945446edf660c958442e0d90e313c2ac94608
Instruction Fuzzy Hash: F6110A3212C78AC9FBF49E6AA4407ABB690F784391F190067EE59032C1FBB8C8818600

Function 000001D7C96BF468 Relevance: 6.0, APIs: 4, Instructions: 39networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 000001D7C96BF47D
send.WS2_32 ref: 000001D7C96BF4BB
send.WS2_32 ref: 000001D7C96BF4CF
closesocket.WS2_32 ref: 000001D7C96BF4E0

Part of subcall function 000001D7C96BF5A4: closesocket.WS2_32 ref: 000001D7C96BF5B0
Part of subcall function 000001D7C96BF5A4: free.LIBCMT ref: 000001D7C96BF5BA
Part of subcall function 000001D7C96BF5A4: free.LIBCMT ref: 000001D7C96BF5C3
Part of subcall function 000001D7C96BF5A4: free.LIBCMT ref: 000001D7C96BF5CC

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$closesocketsend$accept
String ID:
API String ID: 47150829-0
Opcode ID: baf418f056afca9f34f726d8dbf140d99c9ed3dfac575d02e6f2df7287a51630
Instruction ID: b773101fed1336873e63af8314016604cf21345ed79d04bb7a323d30c41bf02d
Opcode Fuzzy Hash: baf418f056afca9f34f726d8dbf140d99c9ed3dfac575d02e6f2df7287a51630
Instruction Fuzzy Hash: 4301D8323385828AEB94AF33F655BA92361E789FF5F045202CE25177D6EF38C0608700

Function 000001D7C96B592C Relevance: 6.0, APIs: 4, Instructions: 34sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001D7C96B5940
PeekNamedPipe.KERNEL32 ref: 000001D7C96B5965
Sleep.KERNEL32 ref: 000001D7C96B597B
GetTickCount.KERNEL32 ref: 000001D7C96B5981

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 5420705a8c1173dfb1b7c8bfce346b675e7830b17d3930eec25743f27680dc16
Instruction ID: 19c1fe64c6b997c66ce8e87639c6e6ebca9c2db890db5eecda5836568e5842d0
Opcode Fuzzy Hash: 5420705a8c1173dfb1b7c8bfce346b675e7830b17d3930eec25743f27680dc16
Instruction Fuzzy Hash: 9901FE3262C6928AF7509B25F84438AA3A1E784BD1F244021DF5D52AE4FF38C491D705

Function 000001D7C96B7C2C Relevance: 6.0, APIs: 4, Instructions: 32memorythreadCOMMON

Download Yara Rule

APIs

InitializeProcThreadAttributeList.KERNEL32 ref: 000001D7C96B7C4A
GetProcessHeap.KERNEL32 ref: 000001D7C96B7C50
HeapAlloc.KERNEL32 ref: 000001D7C96B7C60
InitializeProcThreadAttributeList.KERNEL32 ref: 000001D7C96B7C7B

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: AttributeHeapInitializeListProcThread$AllocProcess
String ID:
API String ID: 1212816094-0
Opcode ID: 0a1206fb48167bb9cddb967d198fafb506277e0f5fffadbd29d67e9f5194ec05
Instruction ID: 3127662e466fb7a51545a97be9697db29b2555a775a43be6207c48888bf6e5c5
Opcode Fuzzy Hash: 0a1206fb48167bb9cddb967d198fafb506277e0f5fffadbd29d67e9f5194ec05
Instruction Fuzzy Hash: 2FF0C83733868146EBD48B25E8507AAA2A0DB88F81F54543AEF0B42BD4FF38C4459A00

Function 000001D7C96B4E18 Relevance: 6.0, APIs: 4, Instructions: 32sleeppipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 000001D7C96B4E31
PeekNamedPipe.KERNEL32 ref: 000001D7C96B4E56
Sleep.KERNEL32 ref: 000001D7C96B4E6C
GetTickCount.KERNEL32 ref: 000001D7C96B4E72

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CountTick$NamedPeekPipeSleep
String ID:
API String ID: 1593283408-0
Opcode ID: 9d4282c39ee7073411b92c2317b61294b1188d656b35fdf117f6fa6106421b70
Instruction ID: 5dce00eb57eceff2c190f3b3ccd2754b0732a027a1dcd5b35c4e61a2395d2754
Opcode Fuzzy Hash: 9d4282c39ee7073411b92c2317b61294b1188d656b35fdf117f6fa6106421b70
Instruction Fuzzy Hash: 5001F93262CA428AF7608B14F84434AB360F784792F644121EB9552AF4FF3CC4918B04

Function 000001D7C940A490 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000001D7C940A4A8

Part of subcall function 000001D7C940EF3C: _errno.LIBCMT ref: 000001D7C940EF73
Part of subcall function 000001D7C940EF3C: _invalid_parameter_noinfo.LIBCMT ref: 000001D7C940EF7E

_snprintf.LIBCMT ref: 000001D7C940A4F3

Strings

uld not open service control manager on %s: %d, xrefs: 000001D7C940A497
eSystemProfilePrivilege, xrefs: 000001D7C940A4C7

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID: eSystemProfilePrivilege$uld not open service control manager on %s: %d
API String ID: 3442832105-52215161
Opcode ID: 579e3c085f42f4d6dd80fea40699443715198ac63b1b4583567b0c61d7667a94
Instruction ID: f5d915a3df88d0235499325b09b1a7f9c15e8abf017464b30b98c08e2d8fab73
Opcode Fuzzy Hash: 579e3c085f42f4d6dd80fea40699443715198ac63b1b4583567b0c61d7667a94
Instruction Fuzzy Hash: 13F06D7652CAC499D7919B20A4502DBBE60F3D6326FA41257E6A952AD9E73CC205CB00

Function 000001D7C96BF5A4 Relevance: 6.0, APIs: 4, Instructions: 15COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 000001D7C96BF5B0
free.LIBCMT ref: 000001D7C96BF5BA

Part of subcall function 000001D7C96BF744: HeapFree.KERNEL32 ref: 000001D7C96BF75A
Part of subcall function 000001D7C96BF744: _errno.LIBCMT ref: 000001D7C96BF764
Part of subcall function 000001D7C96BF744: GetLastError.KERNEL32 ref: 000001D7C96BF76C

free.LIBCMT ref: 000001D7C96BF5C3
free.LIBCMT ref: 000001D7C96BF5CC

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$ErrorFreeHeapLast_errnoclosesocket
String ID:
API String ID: 1525665891-0
Opcode ID: d3923ff323e0b7386992457e00609398511eece2b1c7c7dbe30eef2692ac70b2
Instruction ID: a916fda08819e6d36304d12f422b56e8bdf95d51ddb8e219bb11c1a98dfad52c
Opcode Fuzzy Hash: d3923ff323e0b7386992457e00609398511eece2b1c7c7dbe30eef2692ac70b2
Instruction Fuzzy Hash: F3E04C2762844585EA54FF62E8751A82220A798F55F240072DE1E562F6AE14C465A344

Function 000001D7C941E200 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 159COMMON

Download Yara Rule

APIs

_RTC_CheckStackVars.LIBCMT ref: 000001D7C941E512

Strings

\Wow6432Node\Microsoft\VisualStudio\11.0\Setup\VC, xrefs: 000001D7C941E50B
iable, xrefs: 000001D7C941E276, 000001D7C941E289, 000001D7C941E2E9, 000001D7C941E33D, 000001D7C941E378

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CheckStackVars
String ID: \Wow6432Node\Microsoft\VisualStudio\11.0\Setup\VC$iable
API String ID: 3047416515-2254769023
Opcode ID: 3290bde6f91cd8c578f5ce2b2834e68bd4618f449fbe61e8a30e0de3e1197bb8
Instruction ID: 58bc25ce25055736d07c3ce6c1ecce0e7857fc07e18fd0e7cf0e482f463e0423
Opcode Fuzzy Hash: 3290bde6f91cd8c578f5ce2b2834e68bd4618f449fbe61e8a30e0de3e1197bb8
Instruction Fuzzy Hash: 4A8130752186C2C9EB74CB14E0557EBA3A5E388756F640037D78E87BD8EB78C285CB00

Function 000001D7C96BFD60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C96BFDB1

Part of subcall function 000001D7C96C253C: _getptd_noexit.LIBCMT ref: 000001D7C96C2540

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C96BFDBC

Strings

B, xrefs: 000001D7C96BFDE8

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: 652427abb501405940a32c3bc4432a8781f04873e2138117f46c0c22163100d5
Instruction ID: 00b5520065d7109a47aaf412a9eaa97c181ea29af1cbf28c1419ed30b2a09100
Opcode Fuzzy Hash: 652427abb501405940a32c3bc4432a8781f04873e2138117f46c0c22163100d5
Instruction Fuzzy Hash: 5B11C872624B408AE7509F12E4403D9B660F798FE4F544312EF5817BE5EF38C145CB00

Function 000001D7C940F160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000001D7C940F1B1

Part of subcall function 000001D7C941193C: _getptd_noexit.LIBCMT ref: 000001D7C9411940

_invalid_parameter_noinfo.LIBCMT ref: 000001D7C940F1BC

Strings

B, xrefs: 000001D7C940F1E8

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: ec50c8b478ea55a2c985ad46140b81500511849f26fd5c0827da99242af3de16
Instruction ID: b2ffb0cd699783968335b030810c9b3582f3cbc1e7def6f13c2d585eb93dcf6e
Opcode Fuzzy Hash: ec50c8b478ea55a2c985ad46140b81500511849f26fd5c0827da99242af3de16
Instruction Fuzzy Hash: 80118272624B80C9EB509B12D54479AB661F798FE4F644322AB58077E5EF38C645CB00

Function 000001D7C941E23D Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

_RTC_CheckStackVars.LIBCMT ref: 000001D7C941E512

Strings

\Wow6432Node\Microsoft\VisualStudio\11.0\Setup\VC, xrefs: 000001D7C941E50B
iable, xrefs: 000001D7C941E276, 000001D7C941E289

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: CheckStackVars
String ID: \Wow6432Node\Microsoft\VisualStudio\11.0\Setup\VC$iable
API String ID: 3047416515-2254769023
Opcode ID: a16f5b5c21cd11eb97e28061feec478be61a880c455401feaf65051303d4dd72
Instruction ID: ac8e8f70e73a15ca54bab57bc4d6c68324e89a8213f296b6d83dd4dbb65943c9
Opcode Fuzzy Hash: a16f5b5c21cd11eb97e28061feec478be61a880c455401feaf65051303d4dd72
Instruction Fuzzy Hash: F6112176218AC5CADB78DB14E5857DBB3A1F788386F914113E68947A99FB38C605CB00

Function 00007FF7F72D2B80 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F72D2C00

Strings

Unknown error, xrefs: 00007FF7F72D2C6C
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F72D2BE7

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 8efc95ffd7d094d1c55f2c83651e4cf95bf71ace6618daba1ef9382a31ce3abe
Instruction ID: 67c3049b66c59f59aac5727581af3c0ff94973eab0c68749014aeb68ca68508c
Opcode Fuzzy Hash: 8efc95ffd7d094d1c55f2c83651e4cf95bf71ace6618daba1ef9382a31ce3abe
Instruction Fuzzy Hash: E4017067D18F8482E7019F28D8401BAB330FF5E749F659325EA8C26565DF28E582C750

Function 00007FF7F72D2C50 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F72D2C00

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F72D2BE7
The result is too small to be represented (UNDERFLOW), xrefs: 00007FF7F72D2C50

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: fprintf
String ID: The result is too small to be represented (UNDERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2187435201
Opcode ID: 83fe417ba23f7c760ff7640a9f7ce77f3b2d6c9b6213163451e97cf2ba7ae610
Instruction ID: 48288c8844dee9a7f3f6e88f93c7ed22871f08df48cb2384b26c35cfd3d92430
Opcode Fuzzy Hash: 83fe417ba23f7c760ff7640a9f7ce77f3b2d6c9b6213163451e97cf2ba7ae610
Instruction Fuzzy Hash: 0FF0FF57D18E8482D3429F28A4401AAB370FF5E798F645329EA8D2A596DF28E583C750

Function 00007FF7F72D2C40 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F72D2C00

Strings

Overflow range error (OVERFLOW), xrefs: 00007FF7F72D2C40
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F72D2BE7

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: fprintf
String ID: Overflow range error (OVERFLOW)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4064033741
Opcode ID: 74e09aa575fd0eb09efd5c65a1ab8721fd1e1bbf019f3c7c3870be295d840a01
Instruction ID: 2749f8066be9d901cd6c77186aa756f0de82984ea1e8a2046f268eeb91fa05d8
Opcode Fuzzy Hash: 74e09aa575fd0eb09efd5c65a1ab8721fd1e1bbf019f3c7c3870be295d840a01
Instruction Fuzzy Hash: 7FF0FF57918E8482D3429F28A4401AAB330FF5E798F645329EA8D26596DF28E583D750

Function 00007FF7F72D2C30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F72D2C00

Strings

Partial loss of significance (PLOSS), xrefs: 00007FF7F72D2C30
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F72D2BE7

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: fprintf
String ID: Partial loss of significance (PLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4283191376
Opcode ID: 3faf0962be28f07c1c00cef48ed72810d495cf090cb8ca7c876e21a0f2c70bc3
Instruction ID: 7e1e27d499c57b6e23ce567cde86f0e2ab7cd05e6ff6fbe4bcdf781eeb8d85bc
Opcode Fuzzy Hash: 3faf0962be28f07c1c00cef48ed72810d495cf090cb8ca7c876e21a0f2c70bc3
Instruction Fuzzy Hash: 5BF0FF57918E8482D3429F28A4401AAB330FF5E798F649329EE8D26596DF28E583C750

Function 00007FF7F72D2C20 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F72D2C00

Strings

Argument domain error (DOMAIN), xrefs: 00007FF7F72D2C20
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F72D2BE7

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: fprintf
String ID: Argument domain error (DOMAIN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2713391170
Opcode ID: cb07598e139970ad81351c1d338f46eaf70ef9053e127c7390882103bd99d184
Instruction ID: 35692a6b8ea2ced73ca31d918eacd5f31f17ccfe15f041a790b9a3bbb8a7cdec
Opcode Fuzzy Hash: cb07598e139970ad81351c1d338f46eaf70ef9053e127c7390882103bd99d184
Instruction Fuzzy Hash: C4F0FF57918E8482D3429F28A4401AAB330FF5E798F645329EA8D66596DF28E583C750

Function 00007FF7F72D2C60 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F72D2C00

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F72D2BE7
Total loss of significance (TLOSS), xrefs: 00007FF7F72D2C60

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: fprintf
String ID: Total loss of significance (TLOSS)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-4273532761
Opcode ID: e6fc0f3e3cd5116f5424484a03ff70adc84f4fd6dee3a721e6e4a6d8abded98b
Instruction ID: eaaee307284a783d19b6478d8c1f8ddf7592fe702c42040c818045f7a6fbc6b9
Opcode Fuzzy Hash: e6fc0f3e3cd5116f5424484a03ff70adc84f4fd6dee3a721e6e4a6d8abded98b
Instruction Fuzzy Hash: 90F0FF57918E8482D342AF28A4401AAB330FF5E799F645329EE8D26556DF28E583C750

Function 00007FF7F72D2BB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00007FF7F72D2C00

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00007FF7F72D2BE7
Argument singularity (SIGN), xrefs: 00007FF7F72D2BB8

Memory Dump Source

Source File: 00000000.00000002.2734961484.00007FF7F72D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7F72D0000, based on PE: true

Associated: 00000000.00000002.2734942513.00007FF7F72D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2734977524.00007FF7F72D4000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735013278.00007FF7F732D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7330000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735028961.00007FF7F7333000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2735058295.00007FF7F7336000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7f72d0000_VBqmdl6ttr.jbxd

Similarity

API ID: fprintf
String ID: Argument singularity (SIGN)$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-2468659920
Opcode ID: 17e46e00d7f73161f78a66af6e90ec561b2c72189f82bad60ae8b1828b6dcdb6
Instruction ID: f93f5f87382f2f853a61f4ac8e8e5494de032f3fb8b10a11eac3bbebfc0c516c
Opcode Fuzzy Hash: 17e46e00d7f73161f78a66af6e90ec561b2c72189f82bad60ae8b1828b6dcdb6
Instruction Fuzzy Hash: 26F01257918E8482D3029F28E4401ABB330FF5E799F645326EE8D2A556DF28E583C750

Function 000001D7C96A1CC4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 000001D7C96A1D6A

Part of subcall function 000001D7C96CF638: _calloc_impl.LIBCMT ref: 000001D7C96CF648
Part of subcall function 000001D7C96CF638: _errno.LIBCMT ref: 000001D7C96CF65B
Part of subcall function 000001D7C96CF638: _errno.LIBCMT ref: 000001D7C96CF665

free.LIBCMT ref: 000001D7C96A1EF3
free.LIBCMT ref: 000001D7C96A1EFD
free.LIBCMT ref: 000001D7C96A1F0F

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: a575e1418ae6a571a703f5f39e6e2085f8c54469556e42d0d6d1e8b056cbb476
Instruction ID: 4e13ae69b2915db773bef2e51871da62072bb62ca8a7260a3ffa40640e31088c
Opcode Fuzzy Hash: a575e1418ae6a571a703f5f39e6e2085f8c54469556e42d0d6d1e8b056cbb476
Instruction Fuzzy Hash: D5C12F32618B858AE7A4CF65E48079E77F4F788B84F50412AEB8D57B98EF38C555CB00

Function 000001D7C93F10C4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE

Download Yara Rule

APIs

calloc.LIBCMT ref: 000001D7C93F116A

Part of subcall function 000001D7C941EA38: _calloc_impl.LIBCMT ref: 000001D7C941EA48
Part of subcall function 000001D7C941EA38: _errno.LIBCMT ref: 000001D7C941EA5B
Part of subcall function 000001D7C941EA38: _errno.LIBCMT ref: 000001D7C941EA65

free.LIBCMT ref: 000001D7C93F12F3
free.LIBCMT ref: 000001D7C93F12FD
free.LIBCMT ref: 000001D7C93F130F

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$_errno$_calloc_implcalloc
String ID:
API String ID: 4000150058-0
Opcode ID: d84aa5e04b37108adab596ebadfe2cf9aae166379f6037c341f53534cc3ffeb7
Instruction ID: 0d8098c02ebd7750bc3cb1fe8af6e6ab289086ff7e806ea78a99eb8dc70d811e
Opcode Fuzzy Hash: d84aa5e04b37108adab596ebadfe2cf9aae166379f6037c341f53534cc3ffeb7
Instruction Fuzzy Hash: 53C10B36618B858AEBA4CF55F48479E77B4F788788F10412AEB8D47B98EB38C555CB00

Function 000001D7C96BB280 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96BB2B4

Part of subcall function 000001D7C96BF784: _FF_MSGBANNER.LIBCMT ref: 000001D7C96BF7B4
Part of subcall function 000001D7C96BF784: _NMSG_WRITE.LIBCMT ref: 000001D7C96BF7BE
Part of subcall function 000001D7C96BF784: HeapAlloc.KERNEL32 ref: 000001D7C96BF7D9
Part of subcall function 000001D7C96BF784: _callnewh.LIBCMT ref: 000001D7C96BF7F2
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF7FD
Part of subcall function 000001D7C96BF784: _errno.LIBCMT ref: 000001D7C96BF808

free.LIBCMT ref: 000001D7C96BB3FB
free.LIBCMT ref: 000001D7C96BB45F
free.LIBCMT ref: 000001D7C96BB46B

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$_errno$AllocHeap_callnewhmalloc
String ID:
API String ID: 3531731211-0
Opcode ID: d2076e99c8f89d3733dc9ab9f8170b372adbb92b38447cfce38a5a9f696ae487
Instruction ID: ae175a66aae487055af49cb57a20c436e5157056bdca1b6e5b50571f6b497992
Opcode Fuzzy Hash: d2076e99c8f89d3733dc9ab9f8170b372adbb92b38447cfce38a5a9f696ae487
Instruction Fuzzy Hash: 8B51D2323287078EEA98AB3294507ED7391B784B96F540427EE4A37BDAFF79C5059700

Function 000001D7C940A680 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C940A6B4

Part of subcall function 000001D7C940EB84: _FF_MSGBANNER.LIBCMT ref: 000001D7C940EBB4
Part of subcall function 000001D7C940EB84: _NMSG_WRITE.LIBCMT ref: 000001D7C940EBBE
Part of subcall function 000001D7C940EB84: _callnewh.LIBCMT ref: 000001D7C940EBF2
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EBFD
Part of subcall function 000001D7C940EB84: _errno.LIBCMT ref: 000001D7C940EC08

free.LIBCMT ref: 000001D7C940A7FB
free.LIBCMT ref: 000001D7C940A85F
free.LIBCMT ref: 000001D7C940A86B

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 5cd478ebb021d6f1ec6714b4c4519633142b810916dc2b14976b9b95a7247be3
Instruction ID: 0ebf6b6539b27451b0924267cf14cbe62894742bd8c9ac7e2ed392147dee8180
Opcode Fuzzy Hash: 5cd478ebb021d6f1ec6714b4c4519633142b810916dc2b14976b9b95a7247be3
Instruction Fuzzy Hash: E651D532238207CDFAD8AB2294557EF63A1F7847D2F5415279A4A177D6FF38C6168700

Function 000001D7C96A4300 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C96A4363

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 2c200482576514213d09e2b55c1e1245e026408cca5fa046a79efd198cad0cdf
Instruction ID: e1cc9b9fa7beb0fcd22b62647e49906198cab803c357ba5cd920dc485eb93ffe
Opcode Fuzzy Hash: 2c200482576514213d09e2b55c1e1245e026408cca5fa046a79efd198cad0cdf
Instruction Fuzzy Hash: B141C3323286828BEB98DF26A8107ED73A1F784B8AF544426DE5A677D5FF34D805C700

Function 000001D7C93F3700 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000001D7C93F3763

Memory Dump Source

Source File: 00000000.00000002.2734346887.000001D7C93F0000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001D7C93F0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c93f0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: d54adfa5c0b871b97f9d1800f4a75e0a856b28047bb12ff7246f43b421d37691
Instruction ID: fed682fb7d257a037ac32a2f511b0fea9ba3db5a8aeb2e669cab161c6de5c166
Opcode Fuzzy Hash: d54adfa5c0b871b97f9d1800f4a75e0a856b28047bb12ff7246f43b421d37691
Instruction Fuzzy Hash: 414162726286828BEBD8DB2694106EE67A1F744BC5F444466DE1A4BBC5FF38DD09C700

Function 000001D7C96B1578 Relevance: 5.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 000001D7C96B96AC: GetCurrentProcess.KERNEL32 ref: 000001D7C96B96C4

GetLastError.KERNEL32 ref: 000001D7C96B15E7
malloc.LIBCMT ref: 000001D7C96B167C
free.LIBCMT ref: 000001D7C96B16C5
GetLastError.KERNEL32 ref: 000001D7C96B16F5

Memory Dump Source

Source File: 00000000.00000002.2734809483.000001D7C96A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D7C96A0000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d7c96a0000_VBqmdl6ttr.jbxd

Yara matches

Similarity

API ID: ErrorLast$CurrentProcessfreemalloc
String ID:
API String ID: 1397824077-0
Opcode ID: fd5d700035e862f7e67a9ed788e2edfcef7b382f53d0a4122711c3752312c0b7
Instruction ID: 183c400652c0b2fab85ff0fc4948912f93309558d7485ace09f93bcd67f39797
Opcode Fuzzy Hash: fd5d700035e862f7e67a9ed788e2edfcef7b382f53d0a4122711c3752312c0b7
Instruction Fuzzy Hash: 5941A9B233864289E7A49F22E5407EF6790EB84786F015427EE8A57BC6FF38C5419700

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VBqmdl6ttr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Windows Analysis Report
VBqmdl6ttr.exe

Function 000001D7C96B6368 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116
stringCOMMONLIBRARYCODE

Function 00007FF7F72D1180 Relevance: 10.6, APIs: 7, Instructions: 138
sleepstringCOMMON

Function 000001D7C96A1184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
encryptionCOMMONLIBRARYCODE

Function 00007FF7F72D14D8 Relevance: 4.6, APIs: 3, Instructions: 82
COMMON

Function 00007FF7F72D1C97 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 29
COMMON

Function 00007FF7F72D16CA Relevance: 3.1, APIs: 2, Instructions: 68
COMMON

Function 000001D7C96AE6BC Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 270
COMMON

Function 000001D7C96ACA74 Relevance: 7.8, APIs: 6, Instructions: 296
COMMONLIBRARYCODE

Function 000001D7C96AEC94 Relevance: 6.1, APIs: 4, Instructions: 140
COMMONLIBRARYCODE

Function 00007FF7F72D161F Relevance: 6.0, APIs: 4, Instructions: 32
threadCOMMON

Function 000001D7C96AF554 Relevance: 4.6, APIs: 3, Instructions: 66
networkCOMMONLIBRARYCODE

Function 00007FF7F72D2900 Relevance: 4.6, APIs: 3, Instructions: 58
COMMON

Function 000001D7C9408E10 Relevance: 3.7, APIs: 2, Instructions: 671
memorylibraryCOMMON

Function 000001D7C96AF658 Relevance: 3.0, APIs: 2, Instructions: 42
networkCOMMONLIBRARYCODE

Function 000001D7C96AEC58 Relevance: 3.0, APIs: 2, Instructions: 13
COMMONLIBRARYCODE