
Windows Analysis Report
6gmoJJZr1e.dll

Overview

General Information

Sample name: 6gmoJJZr1e.dll
(renamed by the sandbox: the original file name is the sample's SHA256 hash, and the extension was changed from .exe to .dll because the file is a DLL, which is why it is exercised through loaddll64.exe and rundll32.exe in the process tree below)
Original sample name: ad0474f0d6021d0de97c77ca222a05777762aad59bda2be2f3b1a8f1a8022707.exe
Analysis ID: 1562666
MD5: 9ab72fbaf8da0474c38e5be5813384cf
SHA1: 98038ca580f83893db070e9fabd28e7078003377
SHA256: ad0474f0d6021d0de97c77ca222a05777762aad59bda2be2f3b1a8f1a8022707
Tags: exe, user-nawhack

Detection

CobaltStrike
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected CobaltStrike
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match
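The signature "Creates a process in suspended mode (likely to inject code)" above and the Spawnto_x86/Spawnto_x64 values in the extracted configuration further down describe the same host-side behaviour: for post-exploitation jobs Beacon starts its spawnto program (here rundll32.exe under %windir%\syswow64 and %windir%\sysnative, Cobalt Strike's defaults) with an empty command line and injects into it, whereas a genuine rundll32.exe launch almost always names a DLL and an entry point. The following is an added hunting example written for this page, not code from the report or from Cobalt Strike; the process-creation events are constructed (Sysmon-style image, command line and parent fields) and the function names are the example's own.

```python
"""
Flag Beacon 'spawnto' candidates in process-creation telemetry: a spawnto
image (rundll32.exe per the extracted configuration) started with no
command-line arguments. Events below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Spawnto values copied from the report's extracted configuration.
SPAWNTO = {
    "x86": r"%windir%\syswow64\rundll32.exe",
    "x64": r"%windir%\sysnative\rundll32.exe",
}


def expand_spawnto(path: str, windir: str = r"C:\Windows") -> str:
    """Resolve %windir% and the WoW64 'sysnative' alias to the on-disk image path."""
    path = path.replace("%windir%", windir)
    return re.sub(r"\\sysnative\\", r"\\System32\\", path, flags=re.IGNORECASE)


def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (image token, remaining arguments).
    The first token may be double-quoted; the rest is kept as one string."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', cmdline, re.DOTALL)
    if not m:
        return "", ""
    image = m.group(1) if m.group(1) is not None else m.group(2)
    return image, m.group(3).strip()


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Image names Beacon will spawn for post-ex jobs under this configuration.
SPAWNTO_NAMES = {basename(expand_spawnto(p)) for p in SPAWNTO.values()}


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # command line as logged
    parent_image: str   # creator; with Beacon this is the injected host process


def is_spawnto_candidate(ev: ProcEvent) -> bool:
    """True when a spawnto image starts with an empty argument list."""
    if basename(ev.image) not in SPAWNTO_NAMES:
        return False
    _, args = split_cmdline(ev.cmdline)
    return args == ""


def hunt(events: list[ProcEvent]) -> list[int]:
    """Indices of events that look like Beacon spawnto launches."""
    return [i for i, ev in enumerate(events) if is_spawnto_candidate(ev)]


# Constructed sample events, not telemetry from this report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe", "rundll32.exe",
              r"C:\Windows\explorer.exe"),                      # 0: bare spawnto
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1',
              r"C:\Windows\System32\cmd.exe"),                 # 1: DLL and ordinal given
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\SysWOW64\rundll32.exe"',
              r"C:\Users\user\AppData\Local\Temp\update.exe"),  # 2: quoted, still bare
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),                      # 3: legitimate use
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),                      # 4: not a spawnto image
]

if __name__ == "__main__":
    for i in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"spawnto candidate: {ev.image} (parent {ev.parent_image})")
```

The command-line check is the discriminating part: Beacon's spawnto launch carries no arguments at all, so the quoted-path variant (event 2) must be caught as well as the bare name. Pair the hit with the parent image in your own telemetry, since the parent is the process Beacon lives in.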

Classification

  • System is w10x64
  • loaddll64.exe (PID: 5732 cmdline: loaddll64.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 1792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6972 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7180 cmdline: rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 7308 cmdline: C:\Windows\system32\WerFault.exe -u -p 7180 -s 352 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7172 cmdline: rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7300 cmdline: C:\Windows\system32\WerFault.exe -u -p 7172 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7596 cmdline: rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",ReflectiveLoader MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7692 cmdline: C:\Windows\system32\WerFault.exe -u -p 7596 -s 344 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
Name: Cobalt Strike, CobaltStrike
Description: Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon provides the attacker with a wealth of functionality, including, but not limited to, command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit. The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
Attribution:
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
Extracted malware configuration:
{"BeaconType": ["HTTP"], "Port": 8080, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "3.78.244.11,/en_US/all.js", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
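The configuration above is the part of this report that turns directly into indicators: Beacon fetches tasking with an HTTP GET to the URI in C2Server (Cobalt Strike stores that field as alternating host,uri pairs), posts results to HttpPostUri on the same host, and sleeps SleepTime milliseconds reduced by a random share of up to Jitter percent between check-ins. The block below is an added example written for this page, not code from Joe Sandbox or Cobalt Strike; it embeds the extracted configuration verbatim, and the field names it reads are those printed by the report's extractor (the function names and the derived "hunt" structure are the example's own).

```python
"""
Derive hunt-ready indicators from the Cobalt Strike Beacon configuration
extracted in this report. REPORT_CONFIG_JSON is a verbatim copy of the
extractor output; parsing assumes that extractor's field names.
"""
import json

REPORT_CONFIG_JSON = r'''
{"BeaconType": ["HTTP"], "Port": 8080, "SleepTime": 60000, "MaxGetSize": 1048576,
 "Jitter": 0, "C2Server": "3.78.244.11,/en_US/all.js", "HttpPostUri": "/submit.php",
 "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST",
 "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
 "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0,
 "Proxy_Behavior": "Use IE settings", "Watermark": 987654321,
 "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0,
 "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True",
 "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty",
 "ProcInject_PrependAppend_x64": "Empty",
 "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"],
 "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
'''


def load_report_config(raw: str = REPORT_CONFIG_JSON) -> dict:
    return json.loads(raw)


def parse_c2server(field: str) -> list[tuple[str, str]]:
    """C2Server alternates host and GET URI: 'host1,/uri1,host2,/uri2'."""
    parts = [p.strip() for p in field.split(",") if p.strip()]
    if len(parts) % 2:
        raise ValueError(f"odd number of C2Server elements: {field!r}")
    return list(zip(parts[0::2], parts[1::2]))


def beacon_urls(cfg: dict) -> dict:
    """Full GET (tasking) and POST (results) URLs exactly as Beacon will request them."""
    scheme = "https" if "HTTPS" in cfg["BeaconType"] else "http"
    port = int(cfg["Port"])
    default_port = 443 if scheme == "https" else 80

    def netloc(host: str) -> str:
        return host if port == default_port else f"{host}:{port}"

    pairs = parse_c2server(cfg["C2Server"])
    hosts = sorted({h for h, _ in pairs})
    return {
        "hosts": hosts,
        "get": [f"{scheme}://{netloc(h)}{uri}" for h, uri in pairs],
        "post": [f"{scheme}://{netloc(h)}{cfg['HttpPostUri']}" for h in hosts],
        "host_header": cfg.get("HostHeader") or None,  # empty here: no fronting domain
        "proxy": cfg.get("Proxy_Behavior"),
    }


def checkin_interval(cfg: dict) -> tuple[float, float]:
    """(min, max) seconds between check-ins. Jitter 0 means a fixed period,
    which makes the beaconing trivially periodic in proxy or NetFlow data."""
    sleep_s = cfg["SleepTime"] / 1000.0
    jitter = cfg["Jitter"] / 100.0
    return (sleep_s * (1.0 - jitter), sleep_s)


def _flag(value) -> bool:
    # The extractor prints booleans as the strings "True"/"False".
    return str(value).strip().lower() == "true"


def injection_profile(cfg: dict) -> dict:
    """Process-injection settings that shape what memory-scanning telemetry will see."""
    return {
        "spawnto": {"x86": cfg["Spawnto_x86"], "x64": cfg["Spawnto_x64"]},
        "allocation": cfg["ProcInject_AllocationMethod"],
        "execute": list(cfg["ProcInject_Execute"]),
        "rwx_start": _flag(cfg["bProcInject_StartRWX"]),  # RWX pages: easy to scan for
        "rwx_use": _flag(cfg["bProcInject_UseRWX"]),
        "min_alloc": int(cfg["bProcInject_MinAllocSize"]),
    }


def summarize(cfg: dict) -> dict:
    lo, hi = checkin_interval(cfg)
    return {
        "network": beacon_urls(cfg),
        "checkin_seconds": (lo, hi),
        "watermark": cfg["Watermark"],   # pivot value for clustering related samples
        "kill_date": cfg["KillDate"] or None,
        "injection": injection_profile(cfg),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(load_report_config()), indent=2))
```

For this sample the result is a GET to http://3.78.244.11:8080/en_US/all.js, a POST to http://3.78.244.11:8080/submit.php, a fixed 60-second check-in, no kill date, and injection that allocates RWX memory with VirtualAllocEx, all of which are directly usable as proxy, NetFlow and memory-scan hunts.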
Source | Rule | Description | Author (matched strings are listed below the row they belong to)
6gmoJJZr1e.dll | JoeSecurity_CobaltStrike_2 | Yara detected CobaltStrike | Joe Security
6gmoJJZr1e.dll | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
6gmoJJZr1e.dll | JoeSecurity_CobaltStrike_4 | Yara detected CobaltStrike | Joe Security
6gmoJJZr1e.dll | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
6gmoJJZr1e.dll | Windows_Trojan_CobaltStrike_ee756db7 | Attempts to detect Cobalt Strike based on strings found in BEACON | unknown
          • 0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
          • 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
          • 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
          • 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
          • 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes!
          • 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
          • 0x3136a:$a11: Could not open service control manager on %s: %d
          • 0x3189c:$a12: %d is an x64 process (can't inject x86 content)
          • 0x318cc:$a13: %d is an x86 process (can't inject x64 content)
          • 0x31bed:$a14: Failed to impersonate logged on user %d (%u)
          • 0x31855:$a15: could not create remote thread in %d: %d
          • 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31803:$a17: could not write to process memory: %d
          • 0x3139b:$a18: Could not create service %s on %s: %d
          • 0x31424:$a19: Could not delete service %s on %s: %d
          • 0x31289:$a20: Could not open process token: %d (%u)
(9 further rule matches for this source are not shown)
Source | Rule | Description | Author (matched strings are listed below the row they belong to)
00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_CobaltStrike_ee756db7 | Attempts to detect Cobalt Strike based on strings found in BEACON | unknown
              • 0x9a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0xa1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0x1180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
              • 0x14b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
              • 0x1444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
              • 0x14b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
              • 0xa7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0xc0f:$a7: could not run command (w/ token) because of its length of %d bytes!
              • 0xac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0xb02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
              • 0x14fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
              • 0xd6a:$a11: Could not open service control manager on %s: %d
              • 0x129c:$a12: %d is an x64 process (can't inject x86 content)
              • 0x12cc:$a13: %d is an x86 process (can't inject x64 content)
              • 0x15ed:$a14: Failed to impersonate logged on user %d (%u)
              • 0x1255:$a15: could not create remote thread in %d: %d
              • 0xb38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0x1203:$a17: could not write to process memory: %d
              • 0xd9b:$a18: Could not create service %s on %s: %d
              • 0xe24:$a19: Could not delete service %s on %s: %d
              • 0xc89:$a20: Could not open process token: %d (%u)
00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp | CobaltStrike_Unmodifed_Beacon | Detects unmodified CobaltStrike beacon DLL | yara@s3c.za.net
              • 0xfbf1:$loader_export: ReflectiveLoader
              • 0x960:$exportname: beacon.dll
00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp | WiltedTulip_ReflectiveLoader | Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip | Florian Roth
              • 0x14fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s"
              • 0x12cc:$x2: %d is an x86 process (can't inject x64 content)
              • 0x14b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
              • 0x1596:$x4: Failed to impersonate token from %d (%u)
              • 0x15ed:$x5: Failed to impersonate logged on user %d (%u)
              • 0x9a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
(73 further memory-dump rule matches are not shown)
Source | Rule | Description | Author (matched strings are listed below the row they belong to)
8.2.rundll32.exe.218ab7a0000.0.unpack | JoeSecurity_CobaltStrike | Yara detected CobaltStrike | Joe Security
8.2.rundll32.exe.218ab7a0000.0.unpack | JoeSecurity_CobaltStrike_3 | Yara detected CobaltStrike | Joe Security
8.2.rundll32.exe.218ab7a0000.0.unpack | Windows_Trojan_CobaltStrike_ee756db7 | Attempts to detect Cobalt Strike based on strings found in BEACON | unknown
                  • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
                  • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
                  • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
                  • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
                  • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
                  • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
                  • 0x32d6a:$a11: Could not open service control manager on %s: %d
                  • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
                  • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
                  • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
                  • 0x33255:$a15: could not create remote thread in %d: %d
                  • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x33203:$a17: could not write to process memory: %d
                  • 0x32d9b:$a18: Could not create service %s on %s: %d
                  • 0x32e24:$a19: Could not delete service %s on %s: %d
                  • 0x32c89:$a20: Could not open process token: %d (%u)
8.2.rundll32.exe.218ab7a0000.0.unpack | Windows_Trojan_CobaltStrike_663fc95d | Identifies CobaltStrike via unidentified function code | unknown
                  • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
8.2.rundll32.exe.218ab7a0000.0.unpack | Windows_Trojan_CobaltStrike_f0b627fc | Rule for beacon reflective loader | unknown
                  • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
                  • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
(97 further unpacked-PE rule matches are not shown)
                  No Sigma rule has matched
                  No Suricata rule has matched


                  AV Detection

Source: 6gmoJJZr1e.dll; Avira: detected
Source: 6gmoJJZr1e.dll; Malware Configuration Extractor: CobaltStrike (full configuration listed in the Overview above)
Source: 6gmoJJZr1e.dll; ReversingLabs: Detection: 76%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 84.0% probability
Source: 6gmoJJZr1e.dll; Joe Sandbox ML: detected
Source: C:\Windows\System32\rundll32.exe; Code function: 7_2_00007FFB0C651184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,7_2_00007FFB0C651184
Source: 6gmoJJZr1e.dll; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\rundll32.exe; Code function: 7_2_00007FFB0C669220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,7_2_00007FFB0C669220
Source: C:\Windows\System32\rundll32.exe; Code function: 7_2_00007FFB0C661C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,7_2_00007FFB0C661C30

                  Networking

Source: Malware configuration extractor; URLs: 3.78.244.11 (C2 host; the extracted configuration gives port 8080, GET URI /en_US/all.js and POST URI /submit.php)
Source: C:\Windows\System32\rundll32.exe; Code function: 7_2_00007FFB0C66EE0C recv,7_2_00007FFB0C66EE0C
Source: 6gmoJJZr1e.dll; String found in binary or memory: http://127.0.0.1:%u/
Source: Amcache.hve.12.dr; String found in binary or memory: http://upx.sf.net

                  System Summary

Matched YARA rules, grouped by source. The on-disk sample, every unpacked in-memory PE image and the memory dumps trigger the same rule set, consistent with the unmodified-Beacon rule match above.

Rules (description, author):
  R1   Attempts to detect Cobalt Strike based on strings found in BEACON (unknown)
  R2   Identifies CobaltStrike via unidentified function code (unknown)
  R3   Rule for beacon reflective loader (unknown)
  R4   Detects Meterpreter Beacon - file K5om.dll (Florian Roth)
  R5   Detects unmodified CobaltStrike beacon DLL (yara@s3c.za.net)
  R6   Detects Cobalt Strike sample from Leviathan report (Florian Roth)
  R7   Detects Cobalt Strike loader (@VK_Intel)
  R8   Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip (Florian Roth)
  R9   detects Reflective DLL injection artifacts (ditekSHen)
  R10  CobaltStrike payload (ditekSHen)
  R11  Trojan_Raw_Generic_4 (unknown)

Source (type): rules matched
  6gmoJJZr1e.dll (SAMPLE): R1-R10
  8.2.rundll32.exe.218ab7a0000.0.unpack (UNPACKEDPE): R1-R8, R10
  16.2.rundll32.exe.1afb2a50000.0.unpack (UNPACKEDPE): R1-R8, R10
  7.2.rundll32.exe.7ffb0c650000.1.unpack (UNPACKEDPE): R1-R10
  16.2.rundll32.exe.7ffb0c650000.1.unpack (UNPACKEDPE): R1-R10
  8.2.rundll32.exe.7ffb0c650000.1.unpack (UNPACKEDPE): R1-R10
  8.2.rundll32.exe.218ab7a0000.0.raw.unpack (UNPACKEDPE): R1-R8, R10
  7.2.rundll32.exe.1c688500000.0.raw.unpack (UNPACKEDPE): R1-R8, R10
  16.2.rundll32.exe.1afb2a50000.0.raw.unpack (UNPACKEDPE): R1-R8, R10
  7.2.rundll32.exe.1c688500000.0.unpack (UNPACKEDPE): R1-R8, R10
  00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp (MEMORY): R1, R5, R8
  00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp (MEMORY): R1, R5, R8
  00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp (MEMORY): R2, R3, R11
                  Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 Author: unknown
                  Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 Author: unknown
                  Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: C:\Windows\System32\rundll32.exeCode function: 7_2_00007FFB0C660F34 CreateProcessAsUserA,GetLastError,GetLastError,CreateProcessA,GetLastError,GetCurrentDirectoryW,GetCurrentDirectoryW,CreateProcessWithTokenW,GetLastError,GetLastError,GetLastError,GetLastError,7_2_00007FFB0C660F34
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7172 -s 332
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 6gmoJJZr1e.dll, type: SAMPLE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                  Source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
                  Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
                  Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
                  Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: classification engine Classification label: mal100.troj.evad.winDLL@13/13@0/0
                  Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FFB0C660B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,7_2_00007FFB0C660B70
                  Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FFB0C66867C TerminateProcess,GetLastError,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,htonl,htonl,GetLastError,OpenProcessToken,GetLastError,ImpersonateLoggedOnUser,GetLastError,DuplicateTokenEx,GetLastError,ImpersonateLoggedOnUser,GetLastError,7_2_00007FFB0C66867C
                  Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7172
                  Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7596
                  Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1792:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7180
                  Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f133e19a-9108-402a-831d-fb9a0f4e5746
                  Source: 6gmoJJZr1e.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader
                  Source: 6gmoJJZr1e.dll ReversingLabs: Detection: 76%
                  Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll"
                  Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1
                  Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader
                  Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1
                  Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7172 -s 332
                  Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7180 -s 352
                  Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",ReflectiveLoader
                  Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7596 -s 344
                  Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
                  Source: C:\Windows\System32\loaddll64.exe Section loaded: wininet.dll
                  Source: C:\Windows\System32\loaddll64.exe Section loaded: iertutil.dll
                  Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: 6gmoJJZr1e.dll Static PE information: Image base 0x180000000 > 0x60000000
                  Source: 6gmoJJZr1e.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FFB0C679744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,7_2_00007FFB0C679744
                  Source: C:\Windows\System32\rundll32.exe Code function: 7_2_00007FFB0C6701A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,7_2_00007FFB0C6701A8
                  Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C665854
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C65FA1C
                  Source: C:\Windows\System32\rundll32.exe | API coverage: 0.1 %
                  Source: C:\Windows\System32\loaddll64.exe TID: 2892 | Thread sleep time: -120000s >= -30000s
                  Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C669220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C661C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose
                  Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.12.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.12.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.12.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.12.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.12.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.12.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.12.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.12.dr | Binary or memory string: vmci.sys
                  Source: Amcache.hve.12.dr | Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.12.dr | Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.12.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware20,1
                  Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.12.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.12.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.12.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.12.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.12.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.12.dr | Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                  Source: Amcache.hve.12.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C679744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C671D88 GetProcessHeap
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C6744D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter

                  HIPS / PFW / Operating System Protection Evasion

                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C66DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError
                  Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C66DEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C660920 CreateNamedPipeA
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C67ECDC GetSystemTimeAsFileTime
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C665E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf
                  Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.12.dr | Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.12.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.12.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.12.dr | Binary or memory string: MsMpEng.exe

                  Remote Access Functionality

                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7172, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7180, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7596, type: MEMORYSTR
                  Source: Yara match | File source: 6gmoJJZr1e.dll, type: SAMPLE
                  Source: Yara match | File source: 8.2.rundll32.exe.218ab7a0000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.rundll32.exe.1afb2a50000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.rundll32.exe.7ffb0c650000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 8.2.rundll32.exe.218ab7a0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.rundll32.exe.1c688500000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 16.2.rundll32.exe.1afb2a50000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 7.2.rundll32.exe.1c688500000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C66EE8C socket,closesocket,htons,bind,listen
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C666670 htonl,htons,socket,closesocket,bind,ioctlsocket
                  Source: C:\Windows\System32\rundll32.exe | Code function: 7_2_00007FFB0C666A78 socket,htons,ioctlsocket,closesocket,bind,listen
                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure2
                  Valid Accounts
                  1
                  Native API
                  2
                  Valid Accounts
                  2
                  Valid Accounts
                  2
                  Valid Accounts
                  OS Credential Dumping1
                  System Time Discovery
                  Remote Services1
                  Archive Collected Data
                  2
                  Encrypted Channel
                  Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/Job1
                  DLL Side-Loading
                  21
                  Access Token Manipulation
                  11
                  Virtualization/Sandbox Evasion
                  LSASS Memory151
                  Security Software Discovery
                  Remote Desktop ProtocolData from Removable Media1
                  Ingress Tool Transfer
                  Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)12
                  Process Injection
                  21
                  Access Token Manipulation
                  Security Account Manager11
                  Virtualization/Sandbox Evasion
                  SMB/Windows Admin SharesData from Network Shared Drive1
                  Application Layer Protocol
                  Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                  DLL Side-Loading
                  12
                  Process Injection
                  NTDS1
                  Process Discovery
                  Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Rundll32
                  LSA Secrets1
                  Account Discovery
                  SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  DLL Side-Loading
                  Cached Domain Credentials1
                  System Owner/User Discovery
                  VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                  File and Directory Discovery
                  Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem3
                  System Information Discovery
                  Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                  Behavior Graph ID: 1562666 | Sample: 6gmoJJZr1e.exe | Startdate: 25/11/2024 | Architecture: WINDOWS | Score: 100
                  Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 6 other signatures
                  Process tree:
                  loaddll64.exe started
                    rundll32.exe started (signature: Contains functionality to detect sleep reduction / modifications)
                      WerFault.exe started
                    cmd.exe started
                      rundll32.exe started
                        WerFault.exe started
                    rundll32.exe started
                      WerFault.exe started
                    conhost.exe started

                  Source | Detection | Scanner | Label | Link
                  6gmoJJZr1e.dll | 76% | ReversingLabs | Win64.Trojan.CobaltStrike |
                  6gmoJJZr1e.dll | 100% | Avira | HEUR/AGEN.1302565 |
                  6gmoJJZr1e.dll | 100% | Joe Sandbox ML | |
                  No Antivirus matches
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label | Link
                  3.78.244.11 | 0% | Avira URL Cloud | safe |
                  No contacted domains info
                  Name | Malicious | Antivirus Detection | Reputation
                  3.78.244.11 | true | Avira URL Cloud: safe | unknown
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://upx.sf.net | Amcache.hve.12.dr | false | | high
                  http://127.0.0.1:%u/6gmoJJZr1e.dll | | false | | high
                      No contacted IP infos
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1562666
                      Start date and time:2024-11-25 21:00:06 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 41s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:24
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:6gmoJJZr1e.dll
                      (renamed file extension from exe to dll, renamed because original name is a hash value)
                      Original Sample Name:ad0474f0d6021d0de97c77ca222a05777762aad59bda2be2f3b1a8f1a8022707.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winDLL@13/13@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 1
                      • Number of non-executed functions: 100
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 52.168.117.173
                      • Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • VT rate limit hit for: 6gmoJJZr1e.dll
                      Time | Type | Description
                      15:01:11 | API Interceptor | 1x Sleep call for process: loaddll64.exe modified
                      16:46:04 | API Interceptor | 3x Sleep call for process: WerFault.exe modified
                      No context
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7777425643048603
                      Encrypted:false
                      SSDEEP:96:+JFI2/ZMiEyKyVsjn4RvM7HfOQXIDcQKc6+cEJcw3fXaXz+HbHgSQgJjzZo8F3YW:2W2/eiEyVA006z7j5ZzuiFAZ24lO8C
                      MD5:BF1A496E45A09278BA2DF54FCE5C08D3
                      SHA1:1801431BABAEA4A51C9EBDAFD34D4154E3497C82
                      SHA-256:80135C7B2CEBD290B9199B9B58DCC53FA15AC5F40AA98F2C2E46166EA8CA3052
                      SHA-512:A890A189F69B36FBC9C54079FE2E75601C92B365A01BEFADB8FBB7F5D5D88C2FC68028AFAA1928B399D457F1A3080EA7BA6F2DC0D96C4FC703D4F9832EFF4EFC
                      Malicious:false
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.3.8.4.7.0.6.7.5.9.2.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.3.8.4.7.1.9.5.7.1.7.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.f.1.9.4.9.2.b.-.0.e.e.d.-.4.0.0.a.-.a.f.d.1.-.e.5.9.8.d.3.8.7.7.0.c.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.f.4.e.2.7.5.f.-.a.5.a.8.-.4.1.a.a.-.a.a.6.8.-.8.3.7.f.3.a.b.4.7.b.e.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.g.m.o.J.J.Z.r.1.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.0.c.-.0.0.0.1.-.0.0.1.4.-.8.9.8.c.-.9.c.c.4.7.4.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7776782775450528
                      Encrypted:false
                      SSDEEP:96:ydv/FB+b4MiFyKy6Jsjn4RvM7HfOQXIDcQKc6+cEJcw3fXaXz+HbHgSQgJjzZo8L:mr+bDiFy6JA006z7j5ZzuiFAZ24lO8C
                      MD5:1C5D4AF4C119FE796BB30176458007EE
                      SHA1:ADCDB0DE8DF31DEBA5566B637B162E36387257F5
                      SHA-256:ADE90A3C53AFC4FAD0C93965CC83A1488A9E28ACF37F9ACD454C428F3E924696
                      SHA-512:4047C4A2FB8A82A3FE60E81E393791D9B08D38E690FC8FED43575DCE3D6CA9CEC189E14A8981CF353CCC696AC9263917FECF52A14BC40997DE200A23F9DE7966
                      Malicious:false
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.3.8.4.7.2.0.7.6.0.1.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.3.8.4.7.2.4.5.1.0.2.5.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.6.3.a.e.1.a.6.-.e.e.2.b.-.4.b.5.b.-.9.2.0.d.-.2.c.3.9.c.7.2.6.2.e.8.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.0.3.8.c.4.4.5.-.1.d.f.f.-.4.d.5.f.-.a.c.f.5.-.5.b.d.b.7.8.d.8.d.c.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.g.m.o.J.J.Z.r.1.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.c.-.0.0.0.1.-.0.0.1.4.-.c.5.d.b.-.7.b.c.6.7.4.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7780631756285876
                      Encrypted:false
                      SSDEEP:96:m7FnQMisyKyusjn4RvM7HfOQXIDcQKc6+cEJcw3fXaXz+HbHgSQgJjzZo8F3YFYG:A97isyuA006z7j5ZzuiFAZ24lO8C6
                      MD5:EF1C7FB5374EE66F250646123AAA74A7
                      SHA1:D87600ACC93D5EC66EF1A207BAB91F7FB1F5901C
                      SHA-256:15A7EEC131F8501DA027412B98A92AF22C19BD0798E7AF47845F8B59A29AFE10
                      SHA-512:055B1FE33B65E4BFB25AEF19152A424A701B0B9D39620DC5B687C91B03F9E67A79C44065DEC98F419EAA3F2371BE3713B6D5E4464301BCE96DACE95392C4A9C4
                      Malicious:false
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.3.8.4.7.0.5.9.8.6.9.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.3.8.4.7.1.7.5.4.9.4.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.b.e.9.5.8.3.-.1.d.5.2.-.4.e.8.c.-.8.b.0.2.-.0.e.e.7.2.f.6.e.d.5.9.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.2.9.0.6.9.9.b.-.2.1.4.5.-.4.d.0.f.-.8.6.0.5.-.8.1.7.5.d.0.f.4.b.8.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.6.g.m.o.J.J.Z.r.1.e...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.0.4.-.0.0.0.1.-.0.0.1.4.-.2.e.0.9.-.9.8.c.4.7.4.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.1.1.c.6.7.b.d.8.6.8.2.
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Mon Nov 25 20:01:11 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):47008
                      Entropy (8bit):1.5530847601383246
                      Encrypted:false
                      SSDEEP:96:5Y8GaqFOrP4Eme6eiPmJzXG9Vob287uWDOoi7MpCqCqKqHdjjj7jNLlKPzuWM17B:NKFOmSzW4OMXRpHdjjj7WihI11DrPy
                      MD5:07D42ED6F867DFDE73A85F3863D0FCE2
                      SHA1:7CECA6411C9298A0E45213B7C6738FAFC17F4B50
                      SHA-256:1B7B7FA1A9AEA07ED2E073EA995E5808C9EAF54387761F686E98C4B441765A52
                      SHA-512:D7EE06CD106EF7A3E7259CBA3FD3699B44841BA6597602E2B62E824B3DE498D4FD4B66DFF4E33CB9380CD04AFA09F4635E12C16FB4D260AE86B5E905D8F93259
                      Malicious:false
                      Preview:MDMP..a..... .........Dg........................$................*..........T.......8...........T......................................................................................................................eJ......D.......Lw......................T.............Dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Mon Nov 25 20:01:11 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):49700
                      Entropy (8bit):1.4908041639723633
                      Encrypted:false
                      SSDEEP:96:5Y8GUYoW4Eme6eiPmJzXG9Vob28/WWH0MNoi7Mdqiqeq4VB+l0jjq0oWInXIBQxM:NOcSzWLOM4xNSBr81Gd
                      MD5:346EA3CDFF427DF207AAC08FCE954BFB
                      SHA1:57F2DAB96DB147BB2A96A028CDDBC39BF9E3B68A
                      SHA-256:AE24F60029058434C8A27B4D2679758D43B381E6037F721D0C03579471C93317
                      SHA-512:536DADFCCD11C0C33A370D672EB80E5108FF917D62C82054D634DD5AA16AE84464BA489EF86776A9D66AEAA6D6A094BD5EBC7348C49A2C01C000CF1A501DBF77
                      Malicious:false
                      Preview:MDMP..a..... .........Dg........................$................*..........T.......8...........T........... ...........................................................................................................eJ......D.......Lw......................T.............Dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8768
                      Entropy (8bit):3.704948083921985
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJGoi6YSlBgmfJKvpD+89byYjfzGm:R6lXJRi6YYBgmfJKtyEfL
                      MD5:AD369B8B150B8E0D50FBCBB4150E56FA
                      SHA1:9123D67C92276837B942CBBF4E5A6E18BBDBFFF8
                      SHA-256:69BA586D7B7B59A14B5839E2833E1436E3495AD4918FB988CDDB2415A8BE73D3
                      SHA-512:CE045F3A96A45885C854CE473C1482A5007D4DC7431C08CDD5A2CD38CFE2FC215456613254B366820B1C5C2A3F6968D814619C247E9DD6E6FD6F29F9616F6F06
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.7.2.<./.P.i.
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4754
                      Entropy (8bit):4.489564759333439
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zspNJg771I9SVWpW8VYcYm8M4JCACumF/9yq85mvMptSTSFd:uIjfpnI7Jk7V0JiWpoOFd
                      MD5:F1E614C45C7DECB16AFE274E878263EE
                      SHA1:5F22D8A4E238FE31ED056115AE61430262168D60
                      SHA-256:11C6373A9914DF0238FC5F3867453BA24CDE8D2D2CA8C1DA85611FC08253AB4B
                      SHA-512:E2A141690D4C2BB22DD2DBCED17E85A1DA972E03147D8CDE1EF21ABE9DD7BAC9E39028C110E367C2998B7AFF9AD0478DEFB2A68EA8E647C058667B87A1B9BAB3
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8772
                      Entropy (8bit):3.7039070612315075
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJryH6YZG+5gmfJKvpDr89byOjfZ2AGm:R6lXJuH6YYogmfJKGyifZ2o
                      MD5:4CD3E8B2BF1313405488C0890CD4503C
                      SHA1:FDF923A431804898BE3E60C99A72ADC89A64752E
                      SHA-256:58EA565E5DD0A72BB9B358AD298D94E564B052FAEF9C390B3143BA3A4AB78945
                      SHA-512:2E102D5B5A7D22B2644D02D49EE7A512CA8A01D11EAB16B5DA050609A032BB67D05F831F8CF5AFAFB4C4C909D7B325864E930107635CEE0EA25F3733E8DD05A4
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.8.0.<./.P.i.
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4754
                      Entropy (8bit):4.486823806770259
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zspNJg771I9SVWpW8VYkcYm8M4JCACumF6jyq85mvJCptSTSOd:uIjfpnI7Jk7VXJ9jSpoOOd
                      MD5:4CCEBCD9AFEE10597102FB426252E8BC
                      SHA1:99AD51BBD0CF107F1F6305D3726FDCC8B3314317
                      SHA-256:8E24B5539F234E320AD840F32F6A25277F5BF7794EE7808D0248E4265A3BBBF2
                      SHA-512:5F1AB9EFE79C21E49C2D3D4EDD32804D06EEC78064DBDCA7DE588F4B0A9AF7CCC5D5FA81A4781EF018C539F33168D5D1208833FC58CC66769DAF12C28375E994
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Mon Nov 25 20:01:12 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):50464
                      Entropy (8bit):1.4674227938126678
                      Encrypted:false
                      SSDEEP:96:5v8G4Ii4Eme6eiPmJzXG9Vob28sG5GjsUMuoi7M0qlqw0q5TluGN3eWIFXIBQxbA:6S5SzW05GjOOM7QC5j38wl1
                      MD5:9490F96B74949CD750FE02807BBC098F
                      SHA1:7DDF13640506DE5E1BE6CF470AFDDC2E0E785674
                      SHA-256:E34306E172C8F9E4426920752CF9AAB5ED80D3C8D3CC394FB85E72B96136C9F6
                      SHA-512:2DD0A8E811F307578839F602449B68554E0AC60384B532B4EC7CB6D89A943DE1482DE839A18132E0AFABE20C71C4C0FE2A9A638E17F1AC31D2B14DE779E8F21D
                      Malicious:false
                      Preview:MDMP..a..... .........Dg........................$................*..........T.......8...........T...............P.......................................................................................................eJ......D.......Lw......................T.............Dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8748
                      Entropy (8bit):3.7036161091778066
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJIJXNe6YxH+kMgmfJKvpDr89bJUrfK+bAjm:R6lXJWE6YhvMgmfJK2JQfXJ
                      MD5:B11D92318BBE8FC606158087F6930A03
                      SHA1:5AEF1AFCCF5A537F34F2BA1F79172231CCBB8CF2
                      SHA-256:80B22546E55A763476B131F7A594B34D5980F90A7D32D538094CFEBA19D8A821
                      SHA-512:12120904974AC7D59D7932654FE101D5AD394E3CBE548A3F59CC1838A41555CFD55004CF77202F0DECA88E8563B9784F5FE15007AD0E7B9BEAE842481C7341D4
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.9.6.<./.P.i.
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4754
                      Entropy (8bit):4.489745978481113
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zspNJg771I9SVWpW8VY3Ym8M4JCACumFvLhtyq85mvKAptSTSVd:uIjfpnI7Jk7VvJkLhtppoOVd
                      MD5:419A655D405D14D9901326D8E2E47980
                      SHA1:DE2A63145C45EC0A3F11217110219B497D39A6C9
                      SHA-256:810E8DBFF37FD0CB3C7433E0DCCAD9FF20F57C93822DB326ED81C32F7B036B3D
                      SHA-512:643382EF7992C070A93107B4BA58EF447525C7D88FAB380A021092347272FD19A45CFD07FB4EB7535534B0DED93161328B8723B6AD9CACD45F87957D30880614
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604023" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1835008
                      Entropy (8bit):4.417547020455153
                      Encrypted:false
                      SSDEEP:6144:Pcifpi6ceLPL9skLmb0mNSWSPtaJG8nAgex285i2MMhA20X4WABlGuN55+:0i58NSWIZBk2MM6AFBTo
                      MD5:BC4D29448F61E1F2A1C7D28093294C11
                      SHA1:BBCC6E67A4019E75A0F1AE64E92BA020E0E523BC
                      SHA-256:221F989C8C6D8F7734E5ACCB6A9F97FB8A4F8486DCE1E7D65B8F66D8480DDE90
                      SHA-512:74898FD04D1E247AE17662D9599D305CCFC9F1715CECDDB584CFD1DEDB54A86B356AE4265CA935191CCC0801E51F78DE3FF26B69339A5B04D049CFDCC9169862
                      Malicious:false
                      Preview:regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm~.5.t?................................................................................................................................................................................................................................................................................................................................................".........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Entropy (8bit):6.5519378162827095
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 87.93%
                      • Win64 Executable (generic) (12005/4) 10.35%
                      • DOS Executable Generic (2002/1) 1.73%
                      File name:6gmoJJZr1e.dll
                      File size:307'200 bytes
                      MD5:9ab72fbaf8da0474c38e5be5813384cf
                      SHA1:98038ca580f83893db070e9fabd28e7078003377
                      SHA256:ad0474f0d6021d0de97c77ca222a05777762aad59bda2be2f3b1a8f1a8022707
                      SHA512:b484d03c8791134b0f9119e14dd703c95aa198ba04748f4642286061938df541c43d56a66da98a088d540c4b640cb21f429f5dad896ce82c81c5bb86cc94f484
                      SSDEEP:6144:cj/7Qsrm8pU99tkS1eTbqrerocvFPrfi8krOY:cvLPw9tZU+OFPrFkyY
                      TLSH:5F647C5973A478F5E8A7C239CA57861BDFF27C154770D74F07640AAA2F233A1622E312
                      File Content Preview:MZARUH..H.. ...H......H..H........A....Vh....ZH.........................!..L.!This program cannot be run in DOS mode....$.........-...CO..CO..CO.).O..CO.(.OY.CO_g.O..CO0..O..CO0..OH.CO0..O..CO...O..CO..BO..CO.(.O..CO.).O..CO.).O..CO.).O..CORich..CO.......
                      Icon Hash:7ae282899bbab082
                      Entrypoint:0x180021b48
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x180000000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL, BYTES_REVERSED_HI
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x64F88C7F [Wed Sep 6 14:28:15 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:2
                      File Version Major:5
                      File Version Minor:2
                      Subsystem Version Major:5
                      Subsystem Version Minor:2
                      Import Hash:46551b97c1d63fc258acfca97bdbeb94
                      Instruction
                      dec eax
                      mov dword ptr [esp+08h], ebx
                      dec eax
                      mov dword ptr [esp+10h], esi
                      push edi
                      dec eax
                      sub esp, 20h
                      dec ecx
                      mov edi, eax
                      mov ebx, edx
                      dec eax
                      mov esi, ecx
                      cmp edx, 01h
                      jne 00007F391516E987h
                      call 00007F39151760ECh
                      dec esp
                      mov eax, edi
                      mov edx, ebx
                      dec eax
                      mov ecx, esi
                      dec eax
                      mov ebx, dword ptr [esp+30h]
                      dec eax
                      mov esi, dword ptr [esp+38h]
                      dec eax
                      add esp, 20h
                      pop edi
                      jmp 00007F391516E988h
                      int3
                      int3
                      int3
                      dec eax
                      mov eax, esp
                      dec eax
                      mov dword ptr [eax+20h], ebx
                      dec esp
                      mov dword ptr [eax+18h], eax
                      mov dword ptr [eax+10h], edx
                      dec eax
                      mov dword ptr [eax+08h], ecx
                      push esi
                      push edi
                      inc ecx
                      push esi
                      dec eax
                      sub esp, 50h
                      dec ecx
                      mov esi, eax
                      mov ebx, edx
                      dec esp
                      mov esi, ecx
                      mov edx, 00000001h
                      mov dword ptr [eax-48h], edx
                      test ebx, ebx
                      jne 00007F391516E991h
                      cmp dword ptr [0002BD6Ch], ebx
                      jne 00007F391516E989h
                      xor eax, eax
                      jmp 00007F391516EA57h
                      lea eax, dword ptr [ebx-01h]
                      cmp eax, 01h
                      jnbe 00007F391516E9BAh
                      dec eax
                      mov eax, dword ptr [00011E44h]
                      dec eax
                      test eax, eax
                      je 00007F391516E98Ch
                      mov edx, ebx
                      call eax
                      mov edx, eax
                      mov dword ptr [esp+20h], eax
                      test edx, edx
                      je 00007F391516E999h
                      dec esp
                      mov eax, esi
                      mov edx, ebx
                      dec ecx
                      mov ecx, esi
                      call 00007F391516E779h
                      mov edx, eax
                      mov dword ptr [esp+20h], eax
                      test eax, eax
                      jne 00007F391516E989h
                      xor eax, eax
                      jmp 00007F391516EA17h
                      dec esp
                      mov eax, esi
                      mov edx, ebx
                      dec ecx
                      mov ecx, esi
                      call 00007F3915176153h
                      Programming Language:
                      • [ C ] VS2012 UPD4 build 61030
                      • [IMP] VS2008 SP1 build 30729
                      • [ASM] VS2012 UPD4 build 61030
                      • [EXP] VS2012 UPD4 build 61030
                      • [LNK] VS2012 UPD4 build 61030
                      Data directories (Name / Virtual Address / Virtual Size / Is in Section):
                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x41bb0  0x52    .rdata
                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x40714  0x64    .rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0      0x0
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x54000  0x2454  .pdata
                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0      0x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0x57000  0x60c   .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0      0x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0      0x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0      0x0
                      IMAGE_DIRECTORY_ENTRY_TLS             0x0      0x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x3eb00  0x70    .rdata
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0      0x0
                      IMAGE_DIRECTORY_ENTRY_IAT             0x32000  0x670   .rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0      0x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0      0x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0      0x0
                      Sections (Name / Virtual Address / Virtual Size / Raw Size / MD5 / Xored PE / ZLIB Complexity / File Type / Entropy / Characteristics):
                      .text   0x1000   0x30182  0x30200  d4765b4cdf8bb0a9feca2d1a2ebcaa06  False  0.5363484172077922   data  6.4002379289370745  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata  0x32000  0xfc02   0xfe00   f06c737c2a63d473f3582d00cc9477ea  False  0.44824987696850394  data  5.735990995390364   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data   0x42000  0x11848  0x7600   586727d974b98204999a922a99a6d24b  False  0.743412341101695    data  7.0108811813341     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .pdata  0x54000  0x2454   0x2600   2e42b627cef8b93a9b56078fce16de59  False  0.47543174342105265  data  5.253297756368923   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc  0x57000  0xfd0    0x1000   2c055c20145664ddc544d8b9a4ebfad8  False  0.263427734375       data  2.8619184639926245  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Imports (DLL / Import):
                      KERNEL32.dll: CreateNamedPipeA, TerminateProcess, CreateProcessA, GetCurrentDirectoryW, GetFullPathNameA, GetLogicalDrives, FindClose, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ExpandEnvironmentStringsA, GetFileAttributesA, FindFirstFileA, FindNextFileA, CopyFileA, MoveFileA, GetCurrentProcessId, CreateThread, CreateToolhelp32Snapshot, Thread32First, Thread32Next, Wow64GetThreadContext, Wow64SetThreadContext, VirtualAlloc, VirtualProtect, SetLastError, SetNamedPipeHandleState, PeekNamedPipe, CreateFileA, WaitNamedPipeA, GetModuleFileNameA, GetComputerNameA, GetVersionExA, GetACP, GetOEMCP, GetProcessHeap, InitializeProcThreadAttributeList, DeleteProcThreadAttributeList, SetErrorMode, UpdateProcThreadAttribute, ProcessIdToSessionId, Process32First, Process32Next, GetComputerNameExA, VirtualFree, VirtualQuery, VirtualAllocEx, VirtualProtectEx, OpenProcess, CreateRemoteThread, ConnectNamedPipe, ReadProcessMemory, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread, CloseHandle, DuplicateHandle, MapViewOfFile, UnmapViewOfFile, CreateFileMappingA, ExitProcess, ExitThread, ReadFile, GetCurrentThread, GetCurrentProcess, MultiByteToWideChar, GetCurrentDirectoryA, SetCurrentDirectoryA, GetStartupInfoA, DisconnectNamedPipe, CreatePipe, GetTickCount, GetLocalTime, FlushFileBuffers, WriteFile, WaitForSingleObject, Sleep, GetModuleHandleA, LoadLibraryA, GetLastError, HeapFree, RaiseException, SetEnvironmentVariableW, SetEnvironmentVariableA, HeapAlloc, HeapDestroy, HeapCreate, SetEndOfFile, CreateFileW, WriteConsoleW, SetStdHandle, GetStringTypeW, LCMapStringW, CompareStringW, HeapSize, LoadLibraryW, OutputDebugStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, RemoveDirectoryW, CreateDirectoryW, DeleteFileW, GetFileType, SetFilePointerEx, SetFilePointer, ReadConsoleW, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, GetCPInfo, IsValidCodePage, RtlUnwindEx, GetProcAddress, OpenThread, FreeLibrary, EncodePointer, DecodePointer, GetModuleHandleExW, AreFileApisANSI, GetSystemTimeAsFileTime, HeapReAlloc, GetCommandLineA, GetCurrentThreadId, GetStdHandle, GetModuleFileNameW, IsDebuggerPresent, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, LoadLibraryExW
                      ADVAPI32.dll: GetTokenInformation, OpenProcessToken, CryptReleaseContext, CryptAcquireContextA, CryptGenRandom, CheckTokenMembership, DuplicateTokenEx, LogonUserA, LookupAccountSidA, FreeSid, AllocateAndInitializeSid, ImpersonateNamedPipeClient, RevertToSelf, GetUserNameA, CreateProcessWithTokenW, CreateProcessWithLogonW, CreateProcessAsUserA, ImpersonateLoggedOnUser, LookupPrivilegeValueA, AdjustTokenPrivileges, OpenThreadToken
                      WININET.dll: InternetReadFile, InternetCloseHandle, InternetConnectA, InternetQueryDataAvailable, InternetQueryOptionA, InternetSetOptionA, InternetSetStatusCallback, HttpOpenRequestA, HttpAddRequestHeadersA, HttpSendRequestA, HttpQueryInfoA, InternetOpenA
                      WS2_32.dll: ntohs, gethostbyname, socket, send, connect, ioctlsocket, WSAIoctl, WSACleanup, WSAStartup, closesocket, ntohl, htons, htonl, recv, shutdown, WSAGetLastError, __WSAFDIsSet, accept, bind, inet_addr, listen, recvfrom, select, sendto, WSASocketA
                      Exports (Name | Ordinal | Address):
                      ReflectiveLoader | 1 | 0x1800194d4
                      No network behavior found

                      Target ID:4
                      Start time:15:01:07
                      Start date:25/11/2024
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll"
                      Imagebase:0x7ff788880000
                      File size:165'888 bytes
                      MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:15:01:08
                      Start date:25/11/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff75da10000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:6
                      Start time:15:01:08
                      Start date:25/11/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1
                      Imagebase:0x7ff673350000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:7
                      Start time:15:01:08
                      Start date:25/11/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\6gmoJJZr1e.dll,ReflectiveLoader
                      Imagebase:0x7ff748330000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: yara@s3c.za.net
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                      • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000007.00000002.1771920311.000001C688500000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      Reputation:high
                      Has exited:true

                      Target ID:8
                      Start time:15:01:08
                      Start date:25/11/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",#1
                      Imagebase:0x7ff748330000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: yara@s3c.za.net
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000008.00000002.1772808168.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                      • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000008.00000002.1772609989.00000218AB7A0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000008.00000002.1772694422.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      Reputation:high
                      Has exited:true

                      Target ID:12
                      Start time:15:01:09
                      Start date:25/11/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7172 -s 332
                      Imagebase:0x7ff7c9870000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:13
                      Start time:15:01:09
                      Start date:25/11/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7180 -s 352
                      Imagebase:0x7ff7c9870000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:16
                      Start time:15:01:11
                      Start date:25/11/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\6gmoJJZr1e.dll",ReflectiveLoader
                      Imagebase:0x7ff748330000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: yara@s3c.za.net
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000010.00000002.1771741498.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000010.00000002.1771693350.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                      • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000010.00000002.1771588319.000001AFB2A50000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:high
                      Has exited:true

                      Target ID:19
                      Start time:15:01:11
                      Start date:25/11/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7596 -s 344
                      Imagebase:0x7ff7c9870000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                        Execution Graph

                        Execution Coverage:0.2%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:7
                        Total number of Limit Nodes:0
                        Execution graph (7 nodes, rebuilt from the graph dump; addresses are basic-block start addresses):
                        • 7ffb0c6694d4 -> 7ffb0c669561 -> 7ffb0c669f24 -> 7ffb0c669f5e
                        • 7ffb0c669f5e -> 7ffb0c66a055 (VirtualAlloc) -> 7ffb0c66a079 -> 7ffb0c669601
                        • 7ffb0c669f5e -> 7ffb0c66a079

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                        • Instruction ID: 9d84d1a03858c666d3731222adf1b9d2b3e67c5a8851a39b13826322605f6ef2
                        • Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                        • Instruction Fuzzy Hash: 1D41A972618B8587DB60CB19E44471AB7A1F7C9B94F104125FBDE83B68DF3CD8508B00

                        Control-flow Graph

                        Control-flow graph (block edge list, legend: Executed / Not Executed) for the function spanning 7ffb0c676514-7ffb0c676c4f. APIs referenced from its basic blocks: GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError. Internal subroutines called: 7ffb0c670ac0, 7ffb0c677e20, 7ffb0c671ca8, 7ffb0c671d18, 7ffb0c672340, 7ffb0c677cec, 7ffb0c6799bc, 7ffb0c675844, 7ffb0c671cc8, 7ffb0c678738, 7ffb0c67adec, 7ffb0c67adf4.
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: __doserrno_errno_invalid_parameter_noinfo
                        • String ID: U
                        • API String ID: 3902385426-4171548499
                        • Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                        • Instruction ID: 8252785c72e60ee78e0189facb6c0dad0506171afc0af60d9166e9e5b01e9bed
                        • Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                        • Instruction Fuzzy Hash: 0112C5F2A18A4286EB328B34D848B7E67A0FF85744F648636FA4D43698DF3DE445C710
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
                        • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                        • API String ID: 718051232-1833344708
                        • Opcode ID: 6ff8da223217ec475276693cf42c7d1c7355bbcbd1655dcef78ea65679358709
                        • Instruction ID: 8f4f7c4687eb4cf4e4ef5cd08bbf06a8daadbc7e7d3f61979cea3e702d8800c2
                        • Opcode Fuzzy Hash: 6ff8da223217ec475276693cf42c7d1c7355bbcbd1655dcef78ea65679358709
                        • Instruction Fuzzy Hash: 188290D1F0C6438AEA7A9B36DC58A7952D0AF8A784FA44135F90E837D5DF3CE9428740
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                        • String ID: $@
                        • API String ID: 3318157856-1077428164
                        • Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                        • Instruction ID: cab434bd2f18ae3cf0b9a59fd10d4dd71c96315fed8a0a0a5ed1e86072340350
                        • Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                        • Instruction Fuzzy Hash: 9952A6E2A0C65685FB768A34D94CA7D6AA0AF41754F348A35EA4D077ECDF3CE8409700
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                        • String ID:
                        • API String ID: 3318157856-3916222277
                        • Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                        • Instruction ID: ac04e2e3d7f1812d2c86a89485e2261026f50a9c6b9d9afc19acdf1e7a1219a4
                        • Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                        • Instruction Fuzzy Hash: B952C5E2A0C686C5FB768A35D968B796BA0BF45744F349A35EA4D076DCDF3CE8408700

                        Control-flow Graph

                        [Control-flow graph rendering omitted: basic blocks 7ffb0c667b38 through 7ffb0c6683c3, internal calls only (7ffb0c66f530, 7ffb0c66b454, 7ffb0c666104, 7ffb0c666114, 7ffb0c666284, 7ffb0c66f63c, 7ffb0c66f920, 7ffb0c660de0, 7ffb0c660d04, 7ffb0c660eac, 7ffb0c651258)]
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$_errno_invalid_parameter_noinfo
                        • String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
                        • API String ID: 3442832105-1222817042
                        • Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                        • Instruction ID: 282a77de3e52eba27ad4b4401b975de15d106c74f6688bcbda423c3abda4511c
                        • Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                        • Instruction Fuzzy Hash: AD42FCE1A18E8595EB328B39E4056F8A3A0FF59759F045121EF8D17B61EF3CE1A6C340

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
                        • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                        • API String ID: 723279517-1754256099
                        • Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                        • Instruction ID: 07db6af8d905f150cd43fa1176decf68c09c42a3ac0b6c3c7a926cafe3b716fa
                        • Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                        • Instruction Fuzzy Hash: CD61AEF1A0874286EB21DB71E8589ADA3A1FF85B80F504135FA4D43B99DF7CD50ACB40

                        Control-flow Graph

                        [Control-flow graph rendering omitted: basic blocks 7ffb0c660f34 through 7ffb0c661474, with calls to CreateProcessA, CreateProcessAsUserA, CreateProcessWithTokenW, GetCurrentDirectoryW and GetLastError plus internal calls (7ffb0c65e67c, 7ffb0c670ac0, 7ffb0c66f530, 7ffb0c65fe54, 7ffb0c65e590, 7ffb0c66e0fc, 7ffb0c66e0e0, 7ffb0c661268)]
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
                        • String ID:
                        • API String ID: 3044875250-0
                        • Opcode ID: bd8628157e2bf0beea7f3f46e6f553db081dc7e69f3976c587d33e54da051543
                        • Instruction ID: 646a53f0146e4b71010250e46f08d5e903a4f0ded0b169979cb068fb677c70bd
                        • Opcode Fuzzy Hash: bd8628157e2bf0beea7f3f46e6f553db081dc7e69f3976c587d33e54da051543
                        • Instruction Fuzzy Hash: EB7160F2A08B428AE7318F31E858B6D63A1FF4AB84F104135FA4D43A95DF3CD4548744

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
                        • String ID: %s\*
                        • API String ID: 2620626937-766152087
                        • Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                        • Instruction ID: c0442f3b6c778ec108e3c2f2385082dcaf21f9f6b516e16f20e8b5bbce8116d6
                        • Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                        • Instruction Fuzzy Hash: 7D3194E160C18249EA265B73AC18AB56B557F4AFD0F484131EEAD177D5CF3CE4468304
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
                        • String ID: %s%s%s
                        • API String ID: 1671524875-1891519693
                        • Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                        • Instruction ID: abcf48d88fbd2be86553be9f1021e99ee9680e67b2c3ea6df5a614e908460319
                        • Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                        • Instruction Fuzzy Hash: 984184F0A0C64246EA26EB32EC1997A6791BF86BD0F544130FE5E07B96CF3CE5468704
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$Context$Acquire$RandomRelease
                        • String ID: ($Microsoft Base Cryptographic Provider v1.0
                        • API String ID: 685801729-4046902070
                        • Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                        • Instruction ID: a7653d84744540ebae22b6b0e724a6d26411f2c1c6fdc77e15810e0a84a0da8b
                        • Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                        • Instruction Fuzzy Hash: BA01A1F5B08A4282E721CB65EC88B69A7A1FFC8B84F548131E60C83264CF7CD949C344
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: bindclosesockethtonsioctlsocketlistensocket
                        • String ID:
                        • API String ID: 1767165869-0
                        • Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                        • Instruction ID: 23010cbdf8123520f415b36ea7160ebdb2bdb225a7f22104961303b82390fd61
                        • Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                        • Instruction Fuzzy Hash: 5A21AEF5A0865586E7358F26F828829A7A1FF88FA4F544634FE5E03794CF3CE8498705
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                        • String ID:
                        • API String ID: 3910169428-0
                        • Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                        • Instruction ID: fbc96a670a4dec2ba5a6389fde5154361f77cccfdb55eea6bae2ba2f3a954e46
                        • Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                        • Instruction Fuzzy Hash: D121AEB5618A4186E7359F31F828AA92760BF89BA4F504234EE1E433D4DF3CD949C640
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
                        • String ID: %s\%s
                        • API String ID: 3621627092-4073750446
                        • Opcode ID: 5de9f1acc7c944da019a1c91db6cd56726b723104b2f927a8a32be778dd2ea71
                        • Instruction ID: c50fdc6d1bdef68b4ca21551b988493eb299ed5fefe084d63d06a636c7c6e9d7
                        • Opcode Fuzzy Hash: 5de9f1acc7c944da019a1c91db6cd56726b723104b2f927a8a32be778dd2ea71
                        • Instruction Fuzzy Hash: 2F4150E0B18B4285FA22AB72FD58A7A63A5EF85B80F500035FA4D47797DF3CE5468740
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountSleepTick$closesocket
                        • String ID:
                        • API String ID: 2363407838-0
                        • Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                        • Instruction ID: 92a97f2e392e1bf515dfee372c0211eb5805e99cd504f6361937cae4d8c491a8
                        • Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                        • Instruction Fuzzy Hash: DC21B6E1B0864282EA31A776FC588699390BF85BA0F544731FEAD437D6DF3CD9458701
                        Similarity
                        • API ID: bindclosesockethtonslistensocket
                        • String ID:
                        • API String ID: 564772725-0
                        • Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                        • Instruction ID: 65e63b6581577629d790334b541e391c109138a40db442ec55e681cc41cd5a5a
                        • Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                        • Instruction Fuzzy Hash: BB11C0F9A0865686E6319F21E81982AB3A0FF85BA0F444235FA9D077D4CF7DE0098704
                        Similarity
                        • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                        • String ID: %s
                        • API String ID: 4244140340-620797490
                        • Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                        • Instruction ID: 7a545d0d88dd1a5206f089cebe6e878e2450f1115bab399f079a34c3d8a99cd3
                        • Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                        • Instruction Fuzzy Hash: 74215CB2B04B019AE7259B75D858BEC33A5AB58B88F444435EE4C93A89EF78D518C380
                        Similarity
                        • API ID: CountTick$ErrorLastSleepioctlsocket
                        • String ID:
                        • API String ID: 1121440892-0
                        • Opcode ID: fcdb65340708f9b0e72f1d1b015c2b604b997b38f69e191681fce0415d28b530
                        • Instruction ID: f9ec159190e85248aaaaf30a9e184d6363c2d83edca2b37991fd705dbd2ceb1a
                        • Opcode Fuzzy Hash: fcdb65340708f9b0e72f1d1b015c2b604b997b38f69e191681fce0415d28b530
                        • Instruction Fuzzy Hash: 8E31B0B2B08B4186EB20DBB2E8585AC33B5FB89B90B500235EE5E93795CF38D505C340
                        APIs
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,00007FFB0C66227C), ref: 00007FFB0C65DD33
                          • Part of subcall function 00007FFB0C66CC00: GetCurrentProcess.KERNEL32 ref: 00007FFB0C66CC8D
                        • HeapCreate.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,00007FFB0C66227C), ref: 00007FFB0C65DCDA
                        • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,00007FFB0C66227C), ref: 00007FFB0C65DCF8
                        Similarity
                        • API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
                        • String ID:
                        • API String ID: 3419463915-0
                        • Opcode ID: 09ac317b63605e0848025d9268b3ee17f6708c8c31475479f45a29ec1cc35a83
                        • Instruction ID: 99d0eb4278029fd72e5543ba51f040d2dc5c945886c59d6eaef3b094f94da708
                        • Opcode Fuzzy Hash: 09ac317b63605e0848025d9268b3ee17f6708c8c31475479f45a29ec1cc35a83
                        • Instruction Fuzzy Hash: AAE15BE2A1464287EB368B35ED49BBA63A1FF45784F144135EB8E87692EF3CF4458300
                        Similarity
                        • API ID: AllocateCheckFreeInitializeMembershipToken
                        • String ID:
                        • API String ID: 3429775523-0
                        • Opcode ID: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                        • Instruction ID: 63c225cfc14006c6a8cfc5bdb52913252757c24811f87bfcb4c022174235dca3
                        • Opcode Fuzzy Hash: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                        • Instruction Fuzzy Hash: 8D0140B3614A418FE7218F30E8597A933A0F75476EF010A29F64946A99CB7CC158CB44
                        Similarity
                        • API ID:
                        • String ID: $<
                        • API String ID: 0-428540627
                        • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                        • Instruction ID: b46590773385d387596ad2c23e3c0788283672b2a094b8716f7852029402dbbf
                        • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                        • Instruction Fuzzy Hash: 38920FB2328A4187DB58CB1DE4A573AB7A1F7C8B80F54513AE79B87798CE2CD451CB04
                        Similarity
                        • API ID: recv
                        • String ID:
                        • API String ID: 1507349165-0
                        • Opcode ID: 1e892dadbf3aa2bafa2cee981ce9c76ab84bf8e43c9e7412f93a3d9a0420389a
                        • Instruction ID: 898982691ba6b9fddc9a39366336ef88852327d22cdeeaa75ca3d982de8fd29a
                        • Opcode Fuzzy Hash: 1e892dadbf3aa2bafa2cee981ce9c76ab84bf8e43c9e7412f93a3d9a0420389a
                        • Instruction Fuzzy Hash: FA01F5B6F186828BE371CB36E888B6DB791AF45BD0F580134FB4943A95DB29D4828700
                        Similarity
                        • API ID: CreateNamedPipe
                        • String ID:
                        • API String ID: 2489174969-0
                        • Opcode ID: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                        • Instruction ID: 0ee907d19a1115a2cfcb22dc45d9c2497967bd0da4901acdd6de4c4b85851735
                        • Opcode Fuzzy Hash: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                        • Instruction Fuzzy Hash: A601CBF1919B428AEB228B20E858B6977A1FF99364F104334E69C032D1DF3CD019C700
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                        • Instruction ID: d9cb64b9615b8583deb8d54531c6afb68fd872b5409774380c099bc427b7e8f0
                        • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                        • Instruction Fuzzy Hash: 04524DB221894187D718CB1CE4A173AB7A1F7C9B80F44863AE78B8B799CE3DD554CB44
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                        • Instruction ID: 7d50e10d77c7eddebd026e5a9b94f207f67f216e738eea6f94fe44bf859eba71
                        • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                        • Instruction Fuzzy Hash: DA5261B260858187D718CF1DE4A563AB7E1F7CDB80F44862AE78A8B799CB3DD544DB00
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        • Opcode ID: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                        • Instruction ID: 116b9efa24697b36890d016c76e882b3fccd6a463b9207aa5fa8b2b34c54b456
                        • Opcode Fuzzy Hash: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                        • Instruction Fuzzy Hash: C0F186E6B0C64346EB328A75D8549BE63A1FF94784F600235FA4D87686EF3CDD059B40
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        • Opcode ID: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                        • Instruction ID: 11b629afeed83ecb6b22b211af3e114b098d13301769cfaf44d4882a2d5f3c4f
                        • Opcode Fuzzy Hash: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                        • Instruction Fuzzy Hash: 92E1B5E2B0CA4391EB329A74D8559BE67A1FF94788F600131FA4D87685EF39ED06C740
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                        • Instruction ID: 453653816994731aede1237d407e2605f2f2616bf85dc5138b1fa314943d5c4a
                        • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                        • Instruction Fuzzy Hash: 27613DF66146508BD724CB1CE4A4A2AB7E1F7CC784F84522AE38E87768CB3CE545CB54

                        Control-flow Graph (rendered as a graph in the report; legend: Executed / Not Executed): basic blocks 7ffb0c666be0-7ffb0c666f29, with calls to htonl, select, __WSAFDIsSet, accept, ioctlsocket, GetTickCount and closesocket.
                        Similarity
                        • API ID: acceptioctlsocket$closesockethtonlselect
                        • String ID:
                        • API String ID: 2003300010-0
                        • Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                        • Instruction ID: 97e276f69cf0f2b6a64105e70e13870171287efde6fa20dbcae16e55d4d904d1
                        • Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                        • Instruction Fuzzy Hash: 66915DF2A186929AEB31CF31E958AAD33A1FF84794F100135FA4D47A99DF38E565C700

                        Control-flow Graph (rendered as a graph in the report; legend: Executed / Not Executed): basic blocks 7ffb0c65ec04-7ffb0c65eed2, with calls to HttpOpenRequestA, HttpSendRequestA, InternetCloseHandle and Sleep.
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
                        • String ID: %s%s$*/*
                        • API String ID: 3787158362-856325523
                        • Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                        • Instruction ID: d848d20f15ae2d1f7ff08e358ee4d1a57c58c2b3b82c080295686b7b2d099a27
                        • Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                        • Instruction Fuzzy Hash: CC814EF2A08A468AEB229B71EC58BE963A0FF85744F500136FA4D43795DF3DE949C700

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
                        • String ID: %s%s$*/*
                        • API String ID: 3536628738-856325523
                        • Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                        • Instruction ID: b40348c9b164eb89931143b52ae6d4bf58a17e07709907224b2099232f50f42c
                        • Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                        • Instruction Fuzzy Hash: DC71A5F2B0868286EB219B71E858ABA67A5FF85B94F400131FE4D57B95DF3CE905C700

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
                        • String ID:
                        • API String ID: 34948862-0
                        • Opcode ID: 341130c136fd618ea16e4fd89061d9c08dc6fb9df6fe7754f90ebd89f48b5033
                        • Instruction ID: 4136374881330e81a9bd40e980f9fa6ee2fe2381943d6c8e8c529f9d83c621ea
                        • Opcode Fuzzy Hash: 341130c136fd618ea16e4fd89061d9c08dc6fb9df6fe7754f90ebd89f48b5033
                        • Instruction Fuzzy Hash: DE4141F1A08B028AE721DB71EC69A7D2765EF89BA4F504230EA5E477A4DF3CD445C704

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 1138158220-0
                        • Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                        • Instruction ID: 85b76260890223b9fcb99c0d0f81700822dff8b16ebf24e6cbdc159ebdbc903b
                        • Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                        • Instruction Fuzzy Hash: E83171E1A08B4286FB369B76EC18B3967E1AF85B94F144634EA4D437D6DF3CE4018701

                        Control-flow Graph

                        • Control-flow graph of the function at 7ffb0c66ff6c (legend: Executed / Not Executed); the graph's nodes call DecodePointer and EncodePointer and repeatedly call the internal routine at 7ffb0c66f244.
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                        • String ID:
                        • API String ID: 4099253644-0
                        • Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                        • Instruction ID: 5aa44c29d756e983d3f981c1c3a1db2e858a76edb636bcffb6cf0923726e24af
                        • Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                        • Instruction Fuzzy Hash: BA3107E5E1D64285FE779BB1ED5CB7422A8AF46760F180635F90D072A2CF6CA4418611

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                        • String ID: d
                        • API String ID: 1257931466-2564639436
                        • Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                        • Instruction ID: 60324299fff4b0d6e534234b534cf2d8dfd752d5c90ad92064e31c8cb6a0b4ca
                        • Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                        • Instruction Fuzzy Hash: 4C3185B2618B82C6E7218F21EC48A9A77A4FF88B88F005136FA8D47B58DF78D555C704

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 388111225-0
                        • Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                        • Instruction ID: caa3a50e23539256e62c30f54bf4083c352f2c41130aa77a992aae1dd37c9304
                        • Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                        • Instruction Fuzzy Hash: E731D1E1A1864286E7276F71DC4993D2651AF817A0F758B35F91D173CACF3CE4418710
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$ErrorLastSleepselectsend
                        • String ID: d
                        • API String ID: 2152284305-2564639436
                        • Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                        • Instruction ID: d4a9e8bb4a627577cca7b70cdee962395e819d9bf3d8a9a8081eedb34fbf5ee5
                        • Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                        • Instruction Fuzzy Hash: 8E2171F161CA8186E7718F31E8486997365FF84784F504235FB9D43A99CF3CD4588B44
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
                        • String ID:
                        • API String ID: 3101085627-0
                        • Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                        • Instruction ID: 74b98a451c1c4529e960e128185e6bc86206b0325068df3a4e863027f9fa28f6
                        • Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                        • Instruction Fuzzy Hash: D74174F2B089428AE7219FB5D8A8AAC2361FF44784F500131FE4D57A59DF3CD549C341
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
                        • String ID:
                        • API String ID: 1078912150-0
                        • Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                        • Instruction ID: adc7e1f650423169f55020c381b11e211a2d3613064d5263a543110bd98b1630
                        • Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                        • Instruction Fuzzy Hash: E421F1E1E0814245F7236F74DC49B7C6650AF81BA1F298B35FA1C072DACF3CA4419710
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
                        • String ID:
                        • API String ID: 2644381645-0
                        • Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                        • Instruction ID: 62a105137202293174c8efc4fa7cfedf3239194389a6e20becef1b8a0448158e
                        • Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                        • Instruction Fuzzy Hash: FB21E2E1A0810145E6275B35DC0AB7C2650AF44BB1F3A8B35FA3D073DACF3CA4418710
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 1812809483-0
                        • Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                        • Instruction ID: 2105c20e2aef2443d6918119f075bbb6387e9fed986b2b93d7d1632afb69dc2f
                        • Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                        • Instruction Fuzzy Hash: 9341B7F1A1825285FB769B71D908DBD22D0EF54B94F708B31FA5C476CADF2DA8428702
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                        • String ID:
                        • API String ID: 3339321253-0
                        • Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                        • Instruction ID: 13e6dd6a7e7af821b2aeb0825b00e070df757cc19beb7cc0546988341b10c0cb
                        • Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                        • Instruction Fuzzy Hash: 4031D0E161864296EB369B31EC68ABA6361FF44B98F400234FA0E476D8DF3CD549C704
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
                        • String ID:
                        • API String ID: 3610715900-0
                        • Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                        • Instruction ID: b5339eab3c4f55c01b881cdbddf99b08b6559b6b15e0c72a82e1f7ee1e0f22d4
                        • Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                        • Instruction Fuzzy Hash: 12314EF1A086438AEB729F72EC5C93963A4EF45B88F184231EA4D47255DF3CE4948715
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
                        • String ID:
                        • API String ID: 2464146582-0
                        • Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                        • Instruction ID: 56237f55bae1a584c446463e18be0bb66be8615bdabac56806146ab7bf2ceb0b
                        • Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                        • Instruction Fuzzy Hash: 7921DCE2E0854242E727AB70DD4AA7C2650AF807A1F29CB35FA1C072DADF3CE4418711
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
                        • String ID:
                        • API String ID: 2927645455-0
                        • Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                        • Instruction ID: b39eb1c73ec84f9539dddd4ac79b4b013d944d61ce81fbf6918fb621a767e6f9
                        • Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                        • Instruction Fuzzy Hash: C42125E1A0C24245E6375BB4DC99A7D26609F80710F399B38F61D0B2DBCF3CA841A710
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
                        • String ID:
                        • API String ID: 2140805544-0
                        • Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                        • Instruction ID: e9c4d472a2e6abddfdb15f3f8cd309780341a504562e2c8b5dbbea4b267328fb
                        • Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                        • Instruction Fuzzy Hash: 7111F0E2A0824245F3276B34DD4DB7C2690AF81360F398B7AF91E072DACF3CA4404710
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
                        • String ID: NtQueueApcThread$ntdll
                        • API String ID: 1427994231-1374908105
                        • Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                        • Instruction ID: aac9191f339a2e4f4007dff8f1a678a730887ef3168342742482afcea1dee362
                        • Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                        • Instruction Fuzzy Hash: DC418DF2B09B4299EB22CB71E848AAC73A4BF49B88F444135EE4C53B54EF38D545C740
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
                        • String ID:
                        • API String ID: 854778215-0
                        • Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                        • Instruction ID: 48307493a0d25b6755b5c46af40a996e0124b172e954a4b1d0bca39480441f69
                        • Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                        • Instruction Fuzzy Hash: 4C51D1F2A0864182EB328F60D84863DA3A5FF44B54F259A35EA4D477EADF3DE851D700
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$malloc$_errno$_callnewh$AllocHeap
                        • String ID:
                        • API String ID: 3534990644-0
                        • Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                        • Instruction ID: 6299ef1ec7c3023489090c4e902aa24f39879aaa2129c6e748399f207d844793
                        • Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                        • Instruction Fuzzy Hash: EA7109D2B0C68246EB329A75D858F7A6795BF85BC8F104134ED4E07B86DF3CD8458B00
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
                        • String ID: VUUU
                        • API String ID: 632458648-2040033107
                        • Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                        • Instruction ID: e9a0cfbcf00243dce2715f48009ba0260c1bf19b6abc14b78cd5189b85a431b3
                        • Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                        • Instruction Fuzzy Hash: B4A1B2E5F086928BEB26AB76DC19ABD1291BFC6780F804035F90E97796DF3CE4059700
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
                        • String ID: %s as %s\%s: %d
                        • API String ID: 3435635427-816037529
                        • Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                        • Instruction ID: 6fd974c5e633b05f60ddcf5780c48a9b8a5eacbac122d11dbb0d31022c42758b
                        • Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                        • Instruction Fuzzy Hash: 21516FB2608B8286E661DF26F854B5AB7A5FB85B80F104135EF8D43B59DF3CD455CB00
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$OpenProcessToken
                        • String ID:
                        • API String ID: 2009710997-0
                        • Opcode ID: 10fd636a6ff57dda84e789d1aa0c37ea0400f486ec7234268ec0d1e4ef0ac4b9
                        • Instruction ID: a2b3e46748bfc3322942aa473dce33d4de29be419c48e9ee2d7d9197c9a48af2
                        • Opcode Fuzzy Hash: 10fd636a6ff57dda84e789d1aa0c37ea0400f486ec7234268ec0d1e4ef0ac4b9
                        • Instruction Fuzzy Hash: 6B31C2F5B0C70246FB369B72EC68B7A6790AF8AB90F140134FA4D43695DF3DE4498644
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 3191669884-0
                        • Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                        • Instruction ID: ad6f3745e17c2641d553a2d9aa877ad75a934b508dff51f4b96796c953998960
                        • Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                        • Instruction Fuzzy Hash: 48315EF2A1874585E6329B61D849D6EA6A4FF44BE0F648631FE5C07B99CF38E841C701
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTickioctlsocket
                        • String ID:
                        • API String ID: 3686034022-0
                        • Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                        • Instruction ID: a7303d029ba05cbf3b5f950954491bcf32be0c64856adb1391228bcacffa73b5
                        • Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                        • Instruction Fuzzy Hash: 9611B2F1A086C24BE7314B75EC599696360AF85B64F500330FA4F876E5DF7CE8898714
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
                        • String ID:
                        • API String ID: 4232080776-0
                        • Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                        • Instruction ID: eaa1900cd20f6c82c1e5a0a6c0afadf53a2c847a14f8aa29e9e8c40f8f9f8c7b
                        • Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                        • Instruction Fuzzy Hash: 9D2138E1A2D64289F7729B31EC68F792365FF84B44F884132E80E435A1CF2CE449C719
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                        • String ID:
                        • API String ID: 2328795619-0
                        • Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                        • Instruction ID: 384650cdec71b25d8294dc538ae96f58e5df2fc90327e1cd9e33cc0e56c87978
                        • Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                        • Instruction Fuzzy Hash: 1051C4E1B0824186EA368A76DD089796691AF44BB4F34CB31FA3D43BD9CF3CE5918750
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
                        • String ID:
                        • API String ID: 3587854850-0
                        • Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                        • Instruction ID: d55605dfec7ad5945f3a976977c71fea3b2c174b8df7051d22d376f9946f9e34
                        • Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                        • Instruction Fuzzy Hash: 5F4192E1B0868146EA21EB32EC189BE6255BF89BD0F508235FE5E47BD6DF3CD5068740
                        APIs
                        • GetACP.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFB0C65CC89), ref: 00007FFB0C665C78
                        • GetOEMCP.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFB0C65CC89), ref: 00007FFB0C665C82
                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFB0C65CC89), ref: 00007FFB0C665CA8
                        • GetTickCount.KERNEL32 ref: 00007FFB0C665CB0
                        • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFB0C65CC89), ref: 00007FFB0C665CEC
                          • Part of subcall function 00007FFB0C660C64: GetModuleHandleA.KERNEL32 ref: 00007FFB0C660C79
                          • Part of subcall function 00007FFB0C660C64: GetProcAddress.KERNEL32 ref: 00007FFB0C660C89
                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFB0C65CC89), ref: 00007FFB0C665D5E
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
                        • String ID:
                        • API String ID: 3426420785-0
                        • Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                        • Instruction ID: 35873c5095672a2cadb446d668bc8e3c3180f9fce632a13048c5c4fffbd5bace
                        • Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                        • Instruction Fuzzy Hash: 4F417EE1B1861299FF22EB71DC599ED23A0AF89744F500431FE0D43A9AEF3DE50A8754
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        • Associated: 00000007.00000002.1772008100.00007FFB0C650000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772059605.00007FFB0C682000.00000002.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772089164.00007FFB0C692000.00000008.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772110772.00007FFB0C698000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772131701.00007FFB0C69E000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772152849.00007FFB0C6A3000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000007.00000002.1772175233.00007FFB0C6A4000.00000002.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$Option$ConnectOpenRevertSelf
                        • String ID:
                        • API String ID: 1513466045-0
                        • Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                        • Instruction ID: a0e16744506d5c39add4244e46fe826aa4559ef387643e3d2d37c0f273f08bb9
                        • Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                        • Instruction Fuzzy Hash: EE419CF5A0874286EB369B31ECA8EB96355FF85B84F000039EA4E47B96DF3CE5058704
                        APIs
                        Yara matches
                        Similarity
                        • API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
                        • String ID:
                        • API String ID: 2310505145-0
                        APIs
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                        • String ID:
                        • API String ID: 1014270282-0
                        APIs
                        Yara matches
                        Similarity
                        • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                        • String ID:
                        • API String ID: 1547050394-0
                        APIs
                        Yara matches
                        Similarity
                        • API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
                        • String ID:
                        • API String ID: 1616846154-0
                        APIs
                        Yara matches
                        Similarity
                        • API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
                        • String ID:
                        • API String ID: 3798860377-0
                        APIs
                        Strings
                        • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 00007FFB0C66F044
                        Yara matches
                        Similarity
                        • API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
                        • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                        • API String ID: 3518644649-2739389480
                        APIs
                        Yara matches
                        Similarity
                        • API ID: freemallocstrchr$rand
                        • String ID:
                        • API String ID: 1305919620-0
                        APIs
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_callnewhmalloc$AllocHeap
                        • String ID:
                        • API String ID: 996410232-0
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: htonl$freemalloc
                        • String ID: zyxwvutsrqponmlk
                        • API String ID: 1249573706-3884694604
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess$AddressErrorHandleLastModuleProc
                        • String ID: NtMapViewOfSection$ntdll.dll
                        • API String ID: 1006775078-3170647572
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
                        • String ID: %s\%s
                        • API String ID: 1896346573-4073750446
                        APIs
                        Yara matches
                        Similarity
                        • API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
                        • String ID:
                        • API String ID: 548016584-0
                        APIs
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_callnewhmalloc$AllocHeap
                        • String ID:
                        • API String ID: 996410232-0
                        APIs
                        Yara matches
                        Similarity
                        • API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
                        • String ID:
                        • API String ID: 304646821-0
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                        • String ID: %s&%s$?%s
                        • API String ID: 1095232423-1750478248
                        • Opcode ID: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                        • Instruction ID: 6a07982f050108f8f0a33e56e3f4371152d7f59e54f311cee62ad713d95f763e
                        • Opcode Fuzzy Hash: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                        • Instruction Fuzzy Hash: A541D9E2A04E8191EB229F39D5495F863A0FF99B84F045132EF4C17B11EF38E5B28340
                        APIs
                        Yara matches
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                        • String ID:
                        • API String ID: 2998201375-0
                        • Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                        • Instruction ID: e266c48913c8ce5edb95ac8388d820209dda45ae549ad6ae11be1ff63d72e88d
                        • Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                        • Instruction Fuzzy Hash: E541B0F260878286E7718F64DA44A7D67A1EF44B80F249731FB8D57B9ADF38D8419700
                        APIs
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno_errno
                        • String ID:
                        • API String ID: 2964073243-0
                        • Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                        • Instruction ID: 58020fe2576045f478551714ef2e86c6b5a6fdb1a3f578453f24a776e8297b8d
                        • Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                        • Instruction Fuzzy Hash: 3E018BE2E0860285EE2B6BB4CD99B7C22509F51B21FB19B31E52D072DADF2C60415A11
                        Strings
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: %s!%s
                        • API String ID: 0-2935588013
                        • Opcode ID: 11c79b581c41a901bf94dbe351f3c8b8a36ef020f7db61bed265b6392c07ab58
                        • Instruction ID: 95c07dc0e9fe624b6566f5baebb1e03b375661762f7807fb4a42f51734db5452
                        • Opcode Fuzzy Hash: 11c79b581c41a901bf94dbe351f3c8b8a36ef020f7db61bed265b6392c07ab58
                        • Instruction Fuzzy Hash: 20513DE5A0864286EB319F61D9089B963A0EF88B94F644036FE8E477D5DF3CED42C704
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: CountTick$CreateInfoPipeSleepStartup
                        • String ID: h
                        • API String ID: 1809008225-2439710439
                        • Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                        • Instruction ID: c55cc0502b3eabd2e68612a6d34035e643959fec550c52695edf4609663f8a2a
                        • Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                        • Instruction Fuzzy Hash: 38418CB2A04B858AE320CF65E844A9DB7B5FB89798F100225FF9C53B98DF38D545CB40
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: AccountInformationLookupToken_snprintf
                        • String ID: %s\%s
                        • API String ID: 2107350476-4073750446
                        • Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                        • Instruction ID: 480cf7044de69e1929c92ef2a4607d8447d0c39edbfad6cb6e992a8f3177ab86
                        • Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                        • Instruction Fuzzy Hash: E63163B2608BC299EB35CF61E8046DA6364FB89788F444132FA8D57B58DF3CD605C700
                        APIs
                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFB0C6636B0), ref: 00007FFB0C66424E
                        • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFB0C6636B0), ref: 00007FFB0C66425E
                        Strings
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: RtlCreateUserThread$ntdll.dll
                        • API String ID: 1646373207-2935400652
                        • Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                        • Instruction ID: 4ff7a50c3fee3f0b2bfe447d68da4d614fd82d4fc29468cb39a09d37233d66b8
                        • Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                        • Instruction Fuzzy Hash: 03115EB2608B4182DB20CF11F894959B7A8FF88B80F998135EA8D43B14DF38D599C704
                        APIs
                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,00007FFB0C6635E0,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB0C663C30
                        • GetProcAddress.KERNEL32(?,?,?,?,?,00007FFB0C6635E0,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFB0C663C40
                        Strings
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: NtQueueApcThread$ntdll
                        • API String ID: 1646373207-1374908105
                        • Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                        • Instruction ID: 85ad26e8a17ac535b121ce50e2392f6d878f644a51b439f9706bca389cdc30b3
                        • Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                        • Instruction Fuzzy Hash: F0017CF5A08B4286EA218B26FC5886AA3A0FF85BD0B944631FE5C43B65DF38E4558304
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: IsWow64Process$kernel32
                        • API String ID: 1646373207-3789238822
                        • Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                        • Instruction ID: 93f83a0efb97f0335d352b67a6d66bb03b53984b0b1a408394c38e7e7d93bbfe
                        • Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                        • Instruction Fuzzy Hash: C0E06DE0A2960282EE268B26ECA89356390AF84784F481030F94E07260EF2CD5898708
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: Wow64RevertWow64FsRedirection$kernel32
                        • API String ID: 1646373207-3900151262
                        • Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                        • Instruction ID: 160a5bd75e03f736ce6dfd566f1811d003e274d65b641b66ccd03672d1a94021
                        • Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                        • Instruction Fuzzy Hash: D0D067E0A5960781EE2A9BB2EC6D8745390AF5AB41B481135EA1E07360EF2CA59D8318
                        APIs
                        Strings
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: Wow64DisableWow64FsRedirection$kernel32
                        • API String ID: 1646373207-736604160
                        • Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                        • Instruction ID: 4bd25a3503cc78642365554beffa8d83d40aebc90667941c88cebdd757d6c258
                        • Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                        • Instruction Fuzzy Hash: D7D067E0A5560781EE2A9BB2EC6C8746390AF59B41B481135E91E07360EF2CA59E8318
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                        • Instruction ID: 2019987d9a3313d529b349fd04c2dea972e219af66768fbca5022b871435e88d
                        • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                        • Instruction Fuzzy Hash: 8661CEF1A09A029AE7368B34DD4DA7872E4EF5AB54F244139FA5D473A1CF3DE4428B40
                        APIs
                        Yara matches
                        Similarity
                        • API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 634798775-0
                        • Opcode ID: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                        • Instruction ID: 16f3a8129b10e989cfbee08161fb35556051dbaec7241eea3e21d656b600f717
                        • Opcode Fuzzy Hash: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                        • Instruction Fuzzy Hash: BF41F7E1B0824246EA769A32DD5897AA690BF44FE0F38CB30FE5D476D9DF7CE4418610
                        APIs
                        • malloc.LIBCMT ref: 00007FFB0C664A45
                          • Part of subcall function 00007FFB0C66F284: _FF_MSGBANNER.LIBCMT ref: 00007FFB0C66F2B4
                          • Part of subcall function 00007FFB0C66F284: _NMSG_WRITE.LIBCMT ref: 00007FFB0C66F2BE
                          • Part of subcall function 00007FFB0C66F284: HeapAlloc.KERNEL32(?,?,?,00007FFB0C66600D,?,?,?,00007FFB0C66B4A0,?,?,?,?,?,?,?,00000001), ref: 00007FFB0C66F2D9
                          • Part of subcall function 00007FFB0C66F284: _callnewh.LIBCMT ref: 00007FFB0C66F2F2
                          • Part of subcall function 00007FFB0C66F284: _errno.LIBCMT ref: 00007FFB0C66F2FD
                          • Part of subcall function 00007FFB0C66F284: _errno.LIBCMT ref: 00007FFB0C66F308
                        • htonl.WS2_32 ref: 00007FFB0C664A5B
                          • Part of subcall function 00007FFB0C664C44: PeekNamedPipe.KERNEL32 ref: 00007FFB0C664C7C
                        • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00007FFB0C65CDE9,?,?,?,?,?,?,?,?,?,00000001,?,00007FFB0C6694B9), ref: 00007FFB0C664AB6
                        • free.LIBCMT ref: 00007FFB0C664AF2
                        Yara matches
                        Similarity
                        • API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
                        • String ID:
                        • API String ID: 2495333179-0
                        • Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                        • Instruction ID: c6838901fea90dee8df44c35bf23ca0aaf9199c78c2f7f4ff27f13b3f9037486
                        • Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                        • Instruction Fuzzy Hash: C431F5E2A0864299E775DF72E94893963A8FF46B88F094534FE0C17699DF3CE881C344
                        APIs
                        Yara matches
                        Similarity
                        • API ID: Timestrtok$FileSystem_getptd_time64malloc
                        • String ID:
                        • API String ID: 460628555-0
                        • Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                        • Instruction ID: 72281b7ccd7c6d288df9729b1be93d7e2a385d48c7a248adbf01c1a8330c4b14
                        • Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                        • Instruction Fuzzy Hash: F421F5F2A18B9585EB21CFA1E4489AC37A8FF85B94B154236FE6E43785CF38D4418740
                        APIs
                        Yara matches
                        Similarity
                        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                        • String ID:
                        • API String ID: 4151157258-0
                        • Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                        • Instruction ID: 6cb85152f90ffb563cb59efc02e07da30a421b5ae17b13f1aabeb32c36ac09fe
                        • Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                        • Instruction Fuzzy Hash: F321A1D2A0C2A241EA725671D858D3D6690EF41BD4F38CB31FA9E0BAEDDF2CD4418712
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: clock
                        • String ID:
                        • API String ID: 3195780754-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: free$closesocketsend$accept
                        • String ID:
                        • API String ID: 47150829-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: CountTick$NamedPeekPipeSleep
                        • String ID:
                        • API String ID: 1593283408-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: AttributeHeapInitializeListProcThread$AllocProcess
                        • String ID:
                        • API String ID: 1212816094-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: CountTick$NamedPeekPipeSleep
                        • String ID:
                        • API String ID: 1593283408-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: free$ErrorFreeHeapLast_errnoclosesocket
                        • String ID:
                        • API String ID: 1525665891-0
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID: B
                        • API String ID: 1812809483-1255198513
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: free$_errno$_calloc_implcalloc
                        • String ID:
                        • API String ID: 4000150058-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: free$_errno$AllocHeap_callnewhmalloc
                        • String ID:
                        • API String ID: 3531731211-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: malloc
                        • String ID:
                        • API String ID: 2803490479-0
                        APIs
                        Memory Dump Source
                        • Source File: 00000007.00000002.1772028310.00007FFB0C651000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFB0C650000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_7_2_7ffb0c650000_rundll32.jbxd
                        Similarity
                        • API ID: ErrorLast$CurrentProcessfreemalloc
                        • String ID:
                        • API String ID: 1397824077-0