Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
extracted_payload.dll.dll

Overview

General Information

Sample name:extracted_payload.dll.dll
(renamed file extension from exe to dll)
Original sample name:extracted_payload.dll.exe
Analysis ID:1562721
MD5:178ccafbf32465d483887e491b016fb1
SHA1:70be3864b1ae3fdd2c0be6684fea6bf51c829125
SHA256:0ee6bc20a7f855d881cce962de09c77960ea5c85ca013e3d123fce61109ff8c5
Tags:exeuser-nawhack
Infos:

Detection

CobaltStrike
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected CobaltStrike
Yara detected Powershell download and execute
C2 URLs / IPs found in malware configuration
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Yara signature match

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 7512 cmdline: loaddll64.exe "C:\Users\user\Desktop\extracted_payload.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 7520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7564 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7588 cmdline: rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • WerFault.exe (PID: 7712 cmdline: C:\Windows\system32\WerFault.exe -u -p 7588 -s 352 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7572 cmdline: rundll32.exe C:\Users\user\Desktop\extracted_payload.dll.dll,ReflectiveLoader MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7692 cmdline: C:\Windows\system32\WerFault.exe -u -p 7572 -s 332 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
    • rundll32.exe (PID: 7852 cmdline: rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",ReflectiveLoader MD5: EF3179D498793BF4234F708D3BE28633)
      • WerFault.exe (PID: 7888 cmdline: C:\Windows\system32\WerFault.exe -u -p 7852 -s 352 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Cobalt Strike, CobaltStrikeCobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.
  • APT 29
  • APT32
  • APT41
  • AQUATIC PANDA
  • Anunak
  • Cobalt
  • Codoso
  • CopyKittens
  • DarkHydrus
  • Earth Baxia
  • FIN6
  • FIN7
  • Leviathan
  • Mustang Panda
  • Shell Crew
  • Stone Panda
  • TianWu
  • UNC1878
  • UNC2452
  • Winnti Umbrella
https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTP"], "Port": 8080, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "3.78.244.11,/dot.gif", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
extracted_payload.dll.dllJoeSecurity_CobaltStrike_2Yara detected CobaltStrikeJoe Security
    extracted_payload.dll.dllJoeSecurity_CobaltStrikeYara detected CobaltStrikeJoe Security
      extracted_payload.dll.dllJoeSecurity_CobaltStrike_4Yara detected CobaltStrikeJoe Security
        extracted_payload.dll.dllJoeSecurity_CobaltStrike_3Yara detected CobaltStrikeJoe Security
          extracted_payload.dll.dllWindows_Trojan_CobaltStrike_ee756db7Attempts to detect Cobalt Strike based on strings found in BEACONunknown
          • 0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
          • 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
          • 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
          • 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
          • 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes!
          • 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
          • 0x3136a:$a11: Could not open service control manager on %s: %d
          • 0x3189c:$a12: %d is an x64 process (can't inject x86 content)
          • 0x318cc:$a13: %d is an x86 process (can't inject x64 content)
          • 0x31bed:$a14: Failed to impersonate logged on user %d (%u)
          • 0x31855:$a15: could not create remote thread in %d: %d
          • 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
          • 0x31803:$a17: could not write to process memory: %d
          • 0x3139b:$a18: Could not create service %s on %s: %d
          • 0x31424:$a19: Could not delete service %s on %s: %d
          • 0x31289:$a20: Could not open process token: %d (%u)
          Click to see the 9 entries

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_CobaltStrikeYara detected CobaltStrikeJoe Security
            00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_CobaltStrike_3Yara detected CobaltStrikeJoe Security
              00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpWindows_Trojan_CobaltStrike_ee756db7Attempts to detect Cobalt Strike based on strings found in BEACONunknown
              • 0x9a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0xa1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0x1180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
              • 0x14b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
              • 0x1444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
              • 0x14b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
              • 0xa7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0xc0f:$a7: could not run command (w/ token) because of its length of %d bytes!
              • 0xac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0xb02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
              • 0x14fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
              • 0xd6a:$a11: Could not open service control manager on %s: %d
              • 0x129c:$a12: %d is an x64 process (can't inject x86 content)
              • 0x12cc:$a13: %d is an x86 process (can't inject x64 content)
              • 0x15ed:$a14: Failed to impersonate logged on user %d (%u)
              • 0x1255:$a15: could not create remote thread in %d: %d
              • 0xb38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
              • 0x1203:$a17: could not write to process memory: %d
              • 0xd9b:$a18: Could not create service %s on %s: %d
              • 0xe24:$a19: Could not delete service %s on %s: %d
              • 0xc89:$a20: Could not open process token: %d (%u)
              00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpCobaltStrike_Unmodifed_BeaconDetects unmodified CobaltStrike beacon DLLyara@s3c.za.net
              • 0xfbf1:$loader_export: ReflectiveLoader
              • 0x960:$exportname: beacon.dll
              00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpWiltedTulip_ReflectiveLoaderDetects reflective loader (Cobalt Strike) used in Operation Wilted TulipFlorian Roth
              • 0x14fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s"
              • 0x12cc:$x2: %d is an x86 process (can't inject x64 content)
              • 0x14b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
              • 0x1596:$x4: Failed to impersonate token from %d (%u)
              • 0x15ed:$x5: Failed to impersonate logged on user %d (%u)
              • 0x9a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
              Click to see the 77 entries

              Unpacked PEs

              SourceRuleDescriptionAuthorStrings
              10.2.rundll32.exe.25254020000.0.unpackJoeSecurity_CobaltStrikeYara detected CobaltStrikeJoe Security
                10.2.rundll32.exe.25254020000.0.unpackJoeSecurity_CobaltStrike_3Yara detected CobaltStrikeJoe Security
                  10.2.rundll32.exe.25254020000.0.unpackWindows_Trojan_CobaltStrike_ee756db7Attempts to detect Cobalt Strike based on strings found in BEACONunknown
                  • 0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset.
                  • 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s
                  • 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
                  • 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/')
                  • 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes!
                  • 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s"
                  • 0x32d6a:$a11: Could not open service control manager on %s: %d
                  • 0x3329c:$a12: %d is an x64 process (can't inject x86 content)
                  • 0x332cc:$a13: %d is an x86 process (can't inject x64 content)
                  • 0x335ed:$a14: Failed to impersonate logged on user %d (%u)
                  • 0x33255:$a15: could not create remote thread in %d: %d
                  • 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
                  • 0x33203:$a17: could not write to process memory: %d
                  • 0x32d9b:$a18: Could not create service %s on %s: %d
                  • 0x32e24:$a19: Could not delete service %s on %s: %d
                  • 0x32c89:$a20: Could not open process token: %d (%u)
                  10.2.rundll32.exe.25254020000.0.unpackWindows_Trojan_CobaltStrike_663fc95dIdentifies CobaltStrike via unidentified function codeunknown
                  • 0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
                  10.2.rundll32.exe.25254020000.0.unpackWindows_Trojan_CobaltStrike_f0b627fcRule for beacon reflective loaderunknown
                  • 0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
                  • 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
                  Click to see the 97 entries

                  Sigma Signatures

                  No Sigma rule has matched

                  Suricata Signatures

                  No Suricata rule has matched

                  Joe Sandbox Signatures

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection

                  barindex
                  Antivirus / Scanner detection for submitted sample
                  Source: extracted_payload.dll.dllAvira: detected
                  Found malware configuration
                  Source: extracted_payload.dll.dllMalware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTP"], "Port": 8080, "SleepTime": 60000, "MaxGetSize": 1048576, "Jitter": 0, "C2Server": "3.78.244.11,/dot.gif", "HttpPostUri": "/submit.php", "Malleable_C2_Instructions": [], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe", "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "False", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "True", "bProcInject_MinAllocSize": 0, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}
                  Machine Learning detection for sample
                  Source: extracted_payload.dll.dllJoe Sandbox ML: detected
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E131184 CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_00007FFE0E131184
                  Source: extracted_payload.dll.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E141C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,3_2_00007FFE0E141C30
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E149220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,3_2_00007FFE0E149220

                  Networking

                  barindex
                  C2 URLs / IPs found in malware configuration
                  Source: Malware configuration extractorURLs: 3.78.244.11
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E13E68C _snprintf,_snprintf,_snprintf,HttpOpenRequestA,HttpSendRequestA,InternetQueryDataAvailable,InternetCloseHandle,InternetReadFile,InternetCloseHandle,3_2_00007FFE0E13E68C
                  Source: extracted_payload.dll.dllString found in binary or memory: http://127.0.0.1:%u/
                  Source: Amcache.hve.8.drString found in binary or memory: http://upx.sf.net

                  System Summary

                  barindex
                  Malicious sample detected (through community Yara rule)
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: detects Reflective DLL injection artifacts Author: ditekSHen
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 Author: unknown
                  Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 0000000A.00000002.2011740435.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 0000000A.00000002.2011740435.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 0000000A.00000002.2011740435.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 Author: unknown
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: 00000004.00000002.2038775891.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Identifies CobaltStrike via unidentified function code Author: unknown
                  Source: 00000004.00000002.2038775891.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Rule for beacon reflective loader Author: unknown
                  Source: 00000004.00000002.2038775891.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 Author: unknown
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: Detects Cobalt Strike loader Author: @VK_Intel
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: CobaltStrike payload Author: ditekSHen
                  Source: Process Memory Space: rundll32.exe PID: 7588, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: Process Memory Space: rundll32.exe PID: 7588, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: Process Memory Space: rundll32.exe PID: 7588, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: Process Memory Space: rundll32.exe PID: 7852, type: MEMORYSTRMatched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
                  Source: Process Memory Space: rundll32.exe PID: 7852, type: MEMORYSTRMatched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
                  Source: Process Memory Space: rundll32.exe PID: 7852, type: MEMORYSTRMatched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E140F34 CreateProcessAsUserA,GetLastError,GetLastError,CreateProcessA,GetLastError,GetCurrentDirectoryW,GetCurrentDirectoryW,CreateProcessWithTokenW,GetLastError,GetLastError,GetLastError,GetLastError,3_2_00007FFE0E140F34
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E151E643_2_00007FFE0E151E64
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E14867C3_2_00007FFE0E14867C
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E15B6B03_2_00007FFE0E15B6B0
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E140F343_2_00007FFE0E140F34
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E150F743_2_00007FFE0E150F74
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E152F9C3_2_00007FFE0E152F9C
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E15CF973_2_00007FFE0E15CF97
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E1525283_2_00007FFE0E152528
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E1565143_2_00007FFE0E156514
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E139D6C3_2_00007FFE0E139D6C
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E13A2803_2_00007FFE0E13A280
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E15D2803_2_00007FFE0E15D280
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E147B383_2_00007FFE0E147B38
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E15C3B03_2_00007FFE0E15C3B0
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E15DBF03_2_00007FFE0E15DBF0
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E1501A83_2_00007FFE0E1501A8
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E13DA3C3_2_00007FFE0E13DA3C
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E15F2003_2_00007FFE0E15F200
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 332
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                  Source: extracted_payload.dll.dll, type: SAMPLEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                  Source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                  Source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
                  Source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
                  Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0000000A.00000002.2011740435.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 0000000A.00000002.2011740435.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 0000000A.00000002.2011740435.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: 00000004.00000002.2038775891.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
                  Source: 00000004.00000002.2038775891.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
                  Source: 00000004.00000002.2038775891.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Trojan_Raw_Generic_4 date_created = 2020-12-02, rev = FireEye, date_modified = 2020-12-02, md5 = f41074be5b423afb02a74bc74222e35d
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTRMatched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
                  Source: Process Memory Space: rundll32.exe PID: 7588, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 7588, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: Process Memory Space: rundll32.exe PID: 7588, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: Process Memory Space: rundll32.exe PID: 7852, type: MEMORYSTRMatched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
                  Source: Process Memory Space: rundll32.exe PID: 7852, type: MEMORYSTRMatched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
                  Source: Process Memory Space: rundll32.exe PID: 7852, type: MEMORYSTRMatched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: classification engineClassification label: mal100.troj.evad.winDLL@13/13@0/0
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E140B70 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,3_2_00007FFE0E140B70
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E14867C TerminateProcess,GetLastError,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,htonl,htonl,GetLastError,OpenProcessToken,GetLastError,ImpersonateLoggedOnUser,GetLastError,DuplicateTokenEx,GetLastError,ImpersonateLoggedOnUser,GetLastError,3_2_00007FFE0E14867C
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7572
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7520:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7588
                  Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7852
                  Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\d210d64e-e0ae-4cd1-8717-e6a3d7ba41cbJump to behavior
                  Source: extracted_payload.dll.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extracted_payload.dll.dll,ReflectiveLoader
                  Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\extracted_payload.dll.dll"
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extracted_payload.dll.dll,ReflectiveLoader
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 332
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7588 -s 352
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",ReflectiveLoader
                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7852 -s 352
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1Jump to behavior
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\extracted_payload.dll.dll,ReflectiveLoaderJump to behavior
                  Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",ReflectiveLoaderJump to behavior
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1Jump to behavior
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: extracted_payload.dll.dllStatic PE information: Image base 0x180000000 > 0x60000000
                  Source: extracted_payload.dll.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E159744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_00007FFE0E159744
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E1501A8 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00007FFE0E1501A8
                  Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  barindex
                  Contains functionality to detect sleep reduction / modifications
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E1458543_2_00007FFE0E145854
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E13FA1C3_2_00007FFE0E13FA1C
                  Source: C:\Windows\System32\rundll32.exeAPI coverage: 0.1 %
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E13FA1C3_2_00007FFE0E13FA1C
                  Source: C:\Windows\System32\loaddll64.exe TID: 7516Thread sleep time: -120000s >= -30000sJump to behavior
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E141C30 malloc,GetCurrentDirectoryA,FindFirstFileA,GetLastError,free,free,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose,3_2_00007FFE0E141C30
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E149220 malloc,_snprintf,FindFirstFileA,free,malloc,_snprintf,free,FindNextFileA,FindClose,3_2_00007FFE0E149220
                  Source: C:\Windows\System32\loaddll64.exeThread delayed: delay time: 120000Jump to behavior
                  Source: Amcache.hve.8.drBinary or memory string: VMware
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin
                  Source: Amcache.hve.8.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.8.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.8.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.8.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: vmci.sys
                  Source: Amcache.hve.8.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.8.drBinary or memory string: vmci.syshbin`
                  Source: Amcache.hve.8.drBinary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.8.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.8.drBinary or memory string: VMware20,1
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.8.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.8.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.8.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.8.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.8.drBinary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.8.drBinary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.8.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.8.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E159744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_00007FFE0E159744
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E159744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_00007FFE0E159744
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E159744 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,3_2_00007FFE0E159744
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E1476F0 InitializeProcThreadAttributeList,GetProcessHeap,HeapAlloc,InitializeProcThreadAttributeList,3_2_00007FFE0E1476F0
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E1544D0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00007FFE0E1544D0

                  HIPS / PFW / Operating System Protection Evasion

                  barindex
                  Yara detected Powershell download and execute
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7588, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7852, type: MEMORYSTR
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E14DF50 LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError,3_2_00007FFE0E14DF50
                  Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1Jump to behavior
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E14DEC8 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,3_2_00007FFE0E14DEC8
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E140920 CreateNamedPipeA,3_2_00007FFE0E140920
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E15145C GetSystemTimeAsFileTime,3_2_00007FFE0E15145C
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E14B47C malloc,GetComputerNameExA,GetComputerNameA,GetUserNameA,malloc,3_2_00007FFE0E14B47C
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E145E28 GetUserNameA,GetComputerNameA,GetModuleFileNameA,strrchr,GetVersionExA,GetProcAddress,GetModuleHandleA,GetProcAddress,_snprintf,3_2_00007FFE0E145E28
                  Source: Amcache.hve.8.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.8.drBinary or memory string: MsMpEng.exe

                  Remote Access Functionality

                  barindex
                  Yara detected CobaltStrike
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7572, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7588, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7852, type: MEMORYSTR
                  Source: Yara matchFile source: extracted_payload.dll.dll, type: SAMPLE
                  Source: Yara matchFile source: 10.2.rundll32.exe.25254020000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.rundll32.exe.1627eff0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.1a4c0fd0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.1a4c0fd0000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.rundll32.exe.1627eff0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 3.2.rundll32.exe.7ffe0e130000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 10.2.rundll32.exe.25254020000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E146670 htonl,htons,socket,closesocket,bind,ioctlsocket,3_2_00007FFE0E146670
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E14EE8C socket,closesocket,htons,bind,listen,3_2_00007FFE0E14EE8C
                  Source: C:\Windows\System32\rundll32.exeCode function: 3_2_00007FFE0E146A78 socket,htons,ioctlsocket,closesocket,bind,listen,3_2_00007FFE0E146A78

                  Mitre Att&ck Matrix

                  ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                  Gather Victim Identity InformationAcquire Infrastructure2
                  Valid Accounts                  		1
                  Native API                  		2
                  Valid Accounts                  		2
                  Valid Accounts                  		2
                  Valid Accounts                  		OS Credential Dumping1
                  System Time Discovery                  		Remote Services1
                  Archive Collected Data                  		2
                  Encrypted Channel                  		Exfiltration Over Other Network MediumAbuse Accessibility Features
                  CredentialsDomainsDefault AccountsScheduled Task/Job1
                  DLL Side-Loading                  		21
                  Access Token Manipulation                  		11
                  Virtualization/Sandbox Evasion                  		LSASS Memory151
                  Security Software Discovery                  		Remote Desktop ProtocolData from Removable Media1
                  Ingress Tool Transfer                  		Exfiltration Over BluetoothNetwork Denial of Service
                  Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)12
                  Process Injection                  		21
                  Access Token Manipulation                  		Security Account Manager11
                  Virtualization/Sandbox Evasion                  		SMB/Windows Admin SharesData from Network Shared Drive1
                  Application Layer Protocol                  		Automated ExfiltrationData Encrypted for Impact
                  Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                  DLL Side-Loading                  		12
                  Process Injection                  		NTDS1
                  Process Discovery                  		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                  Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                  Rundll32                  		LSA Secrets1
                  Account Discovery                  		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                  Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                  DLL Side-Loading                  		Cached Domain Credentials1
                  System Owner/User Discovery                  		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                  DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup ItemsCompile After DeliveryDCSync1
                  File and Directory Discovery                  		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                  Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem3
                  System Information Discovery                  		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 signatures2 2 Behavior Graph ID: 1562721 Sample: extracted_payload.dll.exe Startdate: 25/11/2024 Architecture: WINDOWS Score: 100 27 Found malware configuration 2->27 29 Malicious sample detected (through community Yara rule) 2->29 31 Antivirus / Scanner detection for submitted sample 2->31 33 4 other signatures 2->33 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 8->10         started        13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 conhost.exe 8->17         started        signatures5 35 Contains functionality to detect sleep reduction / modifications 10->35 19 WerFault.exe 20 16 10->19         started        21 rundll32.exe 13->21         started        23 WerFault.exe 16 15->23         started        process6 process7 25 WerFault.exe 18 21->25         started       

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  extracted_payload.dll.dll100%AviraHEUR/AGEN.1302565
                  extracted_payload.dll.dll100%Joe Sandbox ML

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  No Antivirus matches

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  3.78.244.110%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  Contacted URLs

                  NameMaliciousAntivirus DetectionReputation
                  3.78.244.11true
                  • Avira URL Cloud: safe
                  		unknown

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://upx.sf.netAmcache.hve.8.drfalse
                    		high
                    http://127.0.0.1:%u/extracted_payload.dll.dllfalse
                      		high

                      World Map of Contacted IPs

                      No contacted IP infos

                      General Information

                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1562721
                      Start date and time:2024-11-25 23:01:10 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 29s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of analysed new started processes analysed:17
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:extracted_payload.dll.dll
                      (renamed file extension from exe to dll)
                      Original Sample Name:extracted_payload.dll.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winDLL@13/13@0/0
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 1
                      • Number of non-executed functions: 99

                      Warnings

                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 20.189.173.22
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                      • Not all processes where analyzed, report is missing behavior information
                      • VT rate limit hit for: extracted_payload.dll.dll

                      Simulations

                      Behavior and APIs

                      TimeTypeDescription
                      17:02:05API Interceptor1x Sleep call for process: loaddll64.exe modified
                      17:02:31API Interceptor3x Sleep call for process: WerFault.exe modified

                      Joe Sandbox View / Context

                      IPs

                      No context

                      Domains

                      No context

                      ASNs

                      No context

                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ext_cb732a877ab57dd2d946af222794a5afefd7721_f0f0aff8_253f7c32-d5c0-48d0-9464-549d84556580\Report.wer

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7806591003723623
                      Encrypted:false
                      SSDEEP:96:Y+FbZ0iHPyKy67tsjP4RvM7HfOQXIDcQ8c65cExcw3VXaXz+HbHgSQgJjIo8F3Y7:nJmiHPy67tg0C9bpjMZzuiFiZ24lO86
                      MD5:C64C57D327A8D8819A0FEED66C849360
                      SHA1:FD2F0987542161F3A7931E73A7BE27B367D3B8D8
                      SHA-256:26AE329D077B63571F8A7EA6F93AA6E32A92329DD668764314A1822407289D4A
                      SHA-512:0EBC2A45C8CAB2B63B495F79C2FD0AB6C4CCFA1F582C387B6242A18F3E02CEA11AFCC7DC63057F01F06B152BCD7A584FF2C105AE8A0D35A985217F0425F2A6F3
                      Malicious:false
                      Reputation:low
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.4.5.7.2.2.4.0.2.0.3.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.4.5.7.2.3.0.1.1.4.1.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.5.3.f.7.c.3.2.-.d.5.c.0.-.4.8.d.0.-.9.4.6.4.-.5.4.9.d.8.4.5.5.6.5.8.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.1.6.5.3.5.1.-.7.5.c.c.-.4.1.1.c.-.9.f.e.c.-.3.c.5.3.6.0.7.6.9.1.0.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.e.x.t.r.a.c.t.e.d._.p.a.y.l.o.a.d...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.9.4.-.0.0.0.1.-.0.0.1.4.-.2.e.9.e.-.0.a.a.8.8.5.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.

                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ext_cb732a877ab57dd2d946af222794a5afefd7721_f0f0aff8_eeaad2f6-aca0-401b-9aab-2173bff9d66e\Report.wer

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7803520022392944
                      Encrypted:false
                      SSDEEP:96:1RVFbpV0iWyKy6sjP4RvM7HfOQXIDcQ8c65cExcw3VXaXz+HbHgSQgJjIo8F3YFJ:5BpCiWy6g0C9bpjMZzuiFiZ24lO86
                      MD5:394DD6F38715481640B93A1C6EB0001E
                      SHA1:E8582535317B38E28A3323FDF90F8339DFECAC95
                      SHA-256:2CB3A7C8CD313B07AA803AD984DD05D2D1D57257D02AF82A7FFC37EF31DC82E3
                      SHA-512:6C371F9771ED4A1BCD21207E75935BDD220E4E532E82FE552A8EE6A973640E10A53E53F941DC32D4F3C95A5F4D4CFADBD77C99547069F400AFA037478DE954CE
                      Malicious:false
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.4.5.7.2.5.1.8.0.6.0.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.4.5.7.2.5.4.7.7.4.9.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.a.a.d.2.f.6.-.a.c.a.0.-.4.0.1.b.-.9.a.a.b.-.2.1.7.3.b.f.f.9.d.6.6.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.7.2.6.d.8.d.-.6.5.d.8.-.4.f.7.c.-.a.5.e.3.-.e.6.e.8.1.5.b.9.f.4.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.e.x.t.r.a.c.t.e.d._.p.a.y.l.o.a.d...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.a.c.-.0.0.0.1.-.0.0.1.4.-.f.1.b.2.-.d.7.a.9.8.5.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.

                      C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ext_cb732a877ab57dd2d946af222794a5afefd7721_f0f0aff8_ff20ae40-2634-4b53-bc11-91db7a4c3297\Report.wer

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):65536
                      Entropy (8bit):0.7833739225258657
                      Encrypted:false
                      SSDEEP:96:VLCFaa2X0i1yKylsjP4RvM7HfOQXIDcQ8c65cExcw3VXaXz+HbHgSQgJjIo8F3Y7:BCMa2ki1ylg0C9bpjMZzuiFiZ24lO86
                      MD5:141A4423A5C58A4148EF8519508E718E
                      SHA1:D8312CD6C7084D151829BF77D436F1316275F592
                      SHA-256:929CF4E7B1F018AC2ADFA9CB5D2424DD0B08D2B6681B6BFAFC63220B5C922BE6
                      SHA-512:F9DB7E114CD91D74E17D05546D8911D0BCCB1B9AE527F98E134F5B8CBF319F85D64DCD84C2FF827F5DBFD9715A38C6A7485FFD84DDB749633CD91BA6D7A77E6D
                      Malicious:false
                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.0.4.5.7.2.2.3.9.7.4.6.4.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.0.4.5.7.2.3.0.0.6.8.3.8.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.2.0.a.e.4.0.-.2.6.3.4.-.4.b.5.3.-.b.c.1.1.-.9.1.d.b.7.a.4.c.3.2.9.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.e.8.8.3.3.1.6.-.d.f.1.4.-.4.c.e.1.-.8.2.0.0.-.f.c.0.c.3.c.4.7.c.1.f.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.e.x.t.r.a.c.t.e.d._.p.a.y.l.o.a.d...d.l.l...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.4.-.0.0.0.1.-.0.0.1.4.-.f.5.8.8.-.0.c.a.8.8.5.3.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.d.d.3.9.9.a.e.4.6.3.0.3.3.4.3.f.9.f.0.d.a.1.8.9.a.e.e.

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6598.tmp.dmp

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Mon Nov 25 22:02:02 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):50838
                      Entropy (8bit):1.4581367502913058
                      Encrypted:false
                      SSDEEP:96:5V8Gi1gjLqikUeilRPFUYxbYNE/lWWiddoi7M9m22B4C1AD4nsmrSO+WIB7IBwx4:wsHx1OMQrQ4NJ
                      MD5:7607504F9FB964538BDDAA451A9B7E94
                      SHA1:DF8E736659BF582E0CE1A28DE77E53BD295241A2
                      SHA-256:15B8DDB37724550928D02FDF1F2149C73EC2B5ABAF5D7ED7A248AC721E2A609A
                      SHA-512:890D8623D0A82934260A0180504F2042D3D9C7ED9A280D4943014CF37304AC4FE8187DC83EAD3352CE22F2A0B923FA04333AE89E5CEADAA63C7792B9EFCBB782
                      Malicious:false
                      Preview:MDMP..a..... .........Dg........................$...............D*..........T.......8...........T......................................................................................................................eJ......D.......Lw......................T.............Dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6616.tmp.dmp

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Mon Nov 25 22:02:02 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):48850
                      Entropy (8bit):1.5090967717071728
                      Encrypted:false
                      SSDEEP:96:5V8GBwFLqikUeilRPFUYxbYNEM+sMeoi7MrdbklvOCDZCZxNrv4165Lc14nzaWIG:wxHxeiOMsGJcCGloNR
                      MD5:561D8D3AAF48FE7CA933A203EA04B37E
                      SHA1:82E0511FEBE9A371B541FA586F6FCC917FAD2294
                      SHA-256:2C78A8AD5A0EA8B240C9EBB8173C6A5F4A2F498338F472E4446FB159D29BAC09
                      SHA-512:333CFB64ADCAB04FFB6454073D9699DC84EC796221B79A5DA22F49F41C888A2054893D30F8A4277B64081ADEF9AB3746F90B67B912321C9A397C344EC719578D
                      Malicious:false
                      Preview:MDMP..a..... .........Dg........................$...............D*..........T.......8...........T........... ...........................................................................................................eJ......D.......Lw......................T.............Dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6654.tmp.WERInternalMetadata.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8552
                      Entropy (8bit):3.695684091888604
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJim66YQEZUgmfpqWpDT89b5p9fmVTm:R6lXJD66YTKgmfpqf5TfR
                      MD5:19C24E7291860B9B19938156292E3BF7
                      SHA1:A2466B56F039D1EA75DE0E019B9DF6243D61DDDA
                      SHA-256:903AC7E5FB6AAAACCA4A2D8C66A4E688FAF8886D266E61B2C7AA6E93B6930615
                      SHA-512:E8D88B4D849A6068BCFAF378D1997D07802651B1C00608BFC2E7A1BB39394AA3ECA60DA5F83B154FE5E3A3DB5C68CA44FB22E2ADC10A3CEC7C2DA4729CB90AC8
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.7.2.<./.P.i.

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6694.tmp.WERInternalMetadata.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8812
                      Entropy (8bit):3.6989812095626764
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJXxv6YjTLJ0gmfpqWpDP89b5CDfK0Tm:R6lXJhv6YXmgmfpq75OfG
                      MD5:3F5833B873081409F857C029F5A2462B
                      SHA1:EBD7A61247A9108DEA4A664EC7A0166B88083A6A
                      SHA-256:A861CA287226EF0EBAE0BF8E93BF2B3EE5B747849BE52F3F6002F4F98BF0A2F8
                      SHA-512:ED1F324224696402FB0967502BC2495210AC72501A8AC1DA1AD6B27F59D7EF59D9840F670F706FEC095ED29546B57195DB45E74091AE69782F1EAB2B0E36A1DB
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.5.8.8.<./.P.i.

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6694.tmp.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4808
                      Entropy (8bit):4.489148884886861
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsrJg771I9bIWpW8VYsYm8M4JCyCg+FJbyq85mff/ptSTS5d:uIjfFI7Qh7VQJkbV/poO5d
                      MD5:81DEAE99004FD909FD29258E52162511
                      SHA1:FE0608CBC1361BA7AFBBB35F45CAC70B0DD9D935
                      SHA-256:C11C597FAE688660C1380964E36865C77A41576FCB224310973B6857ABABF3FC
                      SHA-512:E768D058A9DB95B6C6D5FD842B6E46F4277D30BE4328F88E7051EEEFC444B1DCFAF9D639AEFCD01551C50308EF8AEB0965F50EEEC96043A9104CE350499C97D2
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604144" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER6712.tmp.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4809
                      Entropy (8bit):4.488106238136089
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsrJg771I9bIWpW8VYFYm8M4JCyCg+FY8yq85mfvptSTSqd:uIjfFI7Qh7V9J985poOqd
                      MD5:C7A19B552A083F2131DAD6BCDFAB0551
                      SHA1:7C285E0FBD2A061F2AAAA11B3167C74240BC76D3
                      SHA-256:3F22A81DC61704E33C486A8E098AF7964DBE8C486B954BC3DC57199A5C9F293D
                      SHA-512:83DD546D70471D62C5B4D7A953FCC581CA9194B9AA4C220082EBA825D1C742B0BBED434853079E4A6805F50C936AE5656C3ECD55D419AE0D7C2CA4BCA2E55202
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604144" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER70B3.tmp.dmp

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:Mini DuMP crash report, 14 streams, Mon Nov 25 22:02:05 2024, 0x1205a4 type
                      Category:dropped
                      Size (bytes):50438
                      Entropy (8bit):1.4660393328264436
                      Encrypted:false
                      SSDEEP:96:5y8GjQ7plDLqikUeilRPFUYxbYNECXH/X4eoi7M7RhP3lnslfjTCUsrwrE4v1M4C:fT7pdHxOfIXOM7z/KhjTmejdk
                      MD5:8F324862002C8A16D471975629F17C08
                      SHA1:A364F069154917AFC2E8A893D5B8CC5B3E2B3B2C
                      SHA-256:525F9BC95A5D7C6371BAA1BB5F63218BE0A3E60F329F767459AF172C8F46C640
                      SHA-512:7C73FEC69E5D5B47DEED0E76FFF39E688C40F32988A054BC11411D222126181FD27667D0ACECAC784FC4371AAA1AE31E48492C8D725F3DE038C7FA6331B92A0D
                      Malicious:false
                      Preview:MDMP..a..... .........Dg........................$...............D*..........T.......8...........T...............6.......................................................................................................eJ......D.......Lw......................T.............Dg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER7102.tmp.WERInternalMetadata.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):8538
                      Entropy (8bit):3.694285281876966
                      Encrypted:false
                      SSDEEP:192:R6l7wVeJ1cZm6YjkCtDgmfpqWpDv89bGYbfYuvCm:R6lXJOY6YAGDgmfpqjGMfYa
                      MD5:5AAA852A6E58DE323D2B1EDEF75A3F2F
                      SHA1:8757F3134406F621F5AD7758E56A5AEEC21B432D
                      SHA-256:2B0096F76D56C35DC87AF3FD1FC042298679C4B2FC16865BB41EFB7AEDD49AD4
                      SHA-512:5ADE8D1C3D03219BA990BC9F73C59EF1A89939960EBDD97659622EF2C95FC8210AE9D2DC9A05F7E7888CC39BA98161B05E1F029F2BF3946880BCA29F04D078C8
                      Malicious:false
                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.5.2.<./.P.i.

                      C:\ProgramData\Microsoft\Windows\WER\Temp\WER7123.tmp.xml

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):4808
                      Entropy (8bit):4.490307599876796
                      Encrypted:false
                      SSDEEP:48:cvIwWl8zsrJg771I9bIWpW8VYCPYm8M4JCyCg+FRvmyq85mfyptSTSZd:uIjfFI7Qh7VPSJImwpoOZd
                      MD5:8E2AC8396F0BCD305D4361FE3B13B039
                      SHA1:081D6305B3FBBB7C8DF2F28AC7AAECCEB9989725
                      SHA-256:209454D74FF6703B92F8875ADCF755E4BE907AFAA303B43A548D363B223DE178
                      SHA-512:16DC4D17DC033EDC8E38C16396EE2FD4E609AB538BB09E595E2A7F1BC8DB5E49690681EC94E209C5467A03BE430849E4F07E028541B7CF355446652642FD9384
                      Malicious:false
                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="604144" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                      C:\Windows\appcompat\Programs\Amcache.hve

                      Download File
                      Process:C:\Windows\System32\WerFault.exe
                      File Type:MS Windows registry file, NT/2000 or above
                      Category:dropped
                      Size (bytes):1835008
                      Entropy (8bit):4.4664004199192435
                      Encrypted:false
                      SSDEEP:6144:oIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNcdwBCswSb9:9XD94zWlLZMM6YFHa+9
                      MD5:471E5651E18897D4399B07E908C18FD3
                      SHA1:5610D3B9D6931B51726B66473E681C835D8E16DD
                      SHA-256:EB8D407F9701FB515A015D0B7AB44ECF42D20EDBC694E45CFD8883D50FDE5D00
                      SHA-512:DBBFA6A354E35755BC1A4A2CBA157071F446482EAE1EF979BAA96B3BCAB676DCF835698726D5298E096BC103939848B6F1D1CE14E567C1ABD0875FE025A13EEE
                      Malicious:false
                      Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.:..?................................................................................................................................................................................................................................................................................................................................................-.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                      Static File Info

                      General

                      File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                      Entropy (8bit):6.551503358324626
                      TrID:
                      • Win64 Dynamic Link Library (generic) (102004/3) 87.93%
                      • Win64 Executable (generic) (12005/4) 10.35%
                      • DOS Executable Generic (2002/1) 1.73%
                      File name:extracted_payload.dll.dll
                      File size:307'200 bytes
                      MD5:178ccafbf32465d483887e491b016fb1
                      SHA1:70be3864b1ae3fdd2c0be6684fea6bf51c829125
                      SHA256:0ee6bc20a7f855d881cce962de09c77960ea5c85ca013e3d123fce61109ff8c5
                      SHA512:1e0b963630752e9271f538e69a319250e1db03cb8abf70456c5f4f7af1d6c85c33988192eaa985b4d3831665b4a0074cd3c533394ea427799650d5a9446bff61
                      SSDEEP:6144:Gj/7Qsrm8pU99tkS1eTbqreroFvFPqQuOY:GvLPw9tZU+tFPqYY
                      TLSH:D2646C5973A078F5E8A7C239CA57461BEFF27C554770D70F07640AAA2F233A1622E352
                      File Content Preview:MZARUH..H.. ...H......H..H........A....Vh....ZH.........................!..L.!This program cannot be run in DOS mode....$.........-...CO..CO..CO.).O..CO.(.OY.CO_g.O..CO0..O..CO0..OH.CO0..O..CO...O..CO..BO..CO.(.O..CO.).O..CO.).O..CO.).O..CORich..CO.......

                      File Icon

                      Icon Hash:7ae282899bbab082

                      Static PE Info

                      General

                      Entrypoint:0x180021b48
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x180000000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL, BYTES_REVERSED_HI
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                      Time Stamp:0x64F88C7F [Wed Sep 6 14:28:15 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:5
                      OS Version Minor:2
                      File Version Major:5
                      File Version Minor:2
                      Subsystem Version Major:5
                      Subsystem Version Minor:2
                      Import Hash:46551b97c1d63fc258acfca97bdbeb94

                      Entrypoint Preview

                      Instruction
                      dec eax
                      mov dword ptr [esp+08h], ebx
                      dec eax
                      mov dword ptr [esp+10h], esi
                      push edi
                      dec eax
                      sub esp, 20h
                      dec ecx
                      mov edi, eax
                      mov ebx, edx
                      dec eax
                      mov esi, ecx
                      cmp edx, 01h
                      jne 00007FC1C47DD327h
                      call 00007FC1C47E4A8Ch
                      dec esp
                      mov eax, edi
                      mov edx, ebx
                      dec eax
                      mov ecx, esi
                      dec eax
                      mov ebx, dword ptr [esp+30h]
                      dec eax
                      mov esi, dword ptr [esp+38h]
                      dec eax
                      add esp, 20h
                      pop edi
                      jmp 00007FC1C47DD328h
                      int3
                      int3
                      int3
                      dec eax
                      mov eax, esp
                      dec eax
                      mov dword ptr [eax+20h], ebx
                      dec esp
                      mov dword ptr [eax+18h], eax
                      mov dword ptr [eax+10h], edx
                      dec eax
                      mov dword ptr [eax+08h], ecx
                      push esi
                      push edi
                      inc ecx
                      push esi
                      dec eax
                      sub esp, 50h
                      dec ecx
                      mov esi, eax
                      mov ebx, edx
                      dec esp
                      mov esi, ecx
                      mov edx, 00000001h
                      mov dword ptr [eax-48h], edx
                      test ebx, ebx
                      jne 00007FC1C47DD331h
                      cmp dword ptr [0002BD6Ch], ebx
                      jne 00007FC1C47DD329h
                      xor eax, eax
                      jmp 00007FC1C47DD3F7h
                      lea eax, dword ptr [ebx-01h]
                      cmp eax, 01h
                      jnbe 00007FC1C47DD35Ah
                      dec eax
                      mov eax, dword ptr [00011E44h]
                      dec eax
                      test eax, eax
                      je 00007FC1C47DD32Ch
                      mov edx, ebx
                      call eax
                      mov edx, eax
                      mov dword ptr [esp+20h], eax
                      test edx, edx
                      je 00007FC1C47DD339h
                      dec esp
                      mov eax, esi
                      mov edx, ebx
                      dec ecx
                      mov ecx, esi
                      call 00007FC1C47DD119h
                      mov edx, eax
                      mov dword ptr [esp+20h], eax
                      test eax, eax
                      jne 00007FC1C47DD329h
                      xor eax, eax
                      jmp 00007FC1C47DD3B7h
                      dec esp
                      mov eax, esi
                      mov edx, ebx
                      dec ecx
                      mov ecx, esi
                      call 00007FC1C47E4AF3h

                      Rich Headers

                      Programming Language:
                      • [ C ] VS2012 UPD4 build 61030
                      • [IMP] VS2008 SP1 build 30729
                      • [ASM] VS2012 UPD4 build 61030
                      • [EXP] VS2012 UPD4 build 61030
                      • [LNK] VS2012 UPD4 build 61030

                      Data Directories

                      NameVirtual AddressVirtual Size Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT0x41bb00x52.rdata
                      IMAGE_DIRECTORY_ENTRY_IMPORT0x407140x64.rdata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x540000x2454.pdata
                      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                      IMAGE_DIRECTORY_ENTRY_BASERELOC0x570000x60c.reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x3eb000x70.rdata
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_IAT0x320000x670.rdata
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                      Sections

                      NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                      .text0x10000x301820x30200d4765b4cdf8bb0a9feca2d1a2ebcaa06False0.5363484172077922data6.4002379289370745IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rdata0x320000xfc020xfe00a43424cb6e8482821fb8a5894ce4d497False0.4482652559055118data5.735909310967844IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .data0x420000x118480x76001bff13304eb7b3bbc8f27ba21c4da493False0.7428495762711864data6.999699924895678IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .pdata0x540000x24540x26002e42b627cef8b93a9b56078fce16de59False0.47543174342105265data5.253297756368923IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc0x570000xfd00x10002c055c20145664ddc544d8b9a4ebfad8False0.263427734375data2.8619184639926245IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                      Imports

                      DLLImport
                      KERNEL32.dllCreateNamedPipeA, TerminateProcess, CreateProcessA, GetCurrentDirectoryW, GetFullPathNameA, GetLogicalDrives, FindClose, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, ExpandEnvironmentStringsA, GetFileAttributesA, FindFirstFileA, FindNextFileA, CopyFileA, MoveFileA, GetCurrentProcessId, CreateThread, CreateToolhelp32Snapshot, Thread32First, Thread32Next, Wow64GetThreadContext, Wow64SetThreadContext, VirtualAlloc, VirtualProtect, SetLastError, SetNamedPipeHandleState, PeekNamedPipe, CreateFileA, WaitNamedPipeA, GetModuleFileNameA, GetComputerNameA, GetVersionExA, GetACP, GetOEMCP, GetProcessHeap, InitializeProcThreadAttributeList, DeleteProcThreadAttributeList, SetErrorMode, UpdateProcThreadAttribute, ProcessIdToSessionId, Process32First, Process32Next, GetComputerNameExA, VirtualFree, VirtualQuery, VirtualAllocEx, VirtualProtectEx, OpenProcess, CreateRemoteThread, ConnectNamedPipe, ReadProcessMemory, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread, CloseHandle, DuplicateHandle, MapViewOfFile, UnmapViewOfFile, CreateFileMappingA, ExitProcess, ExitThread, ReadFile, GetCurrentThread, GetCurrentProcess, MultiByteToWideChar, GetCurrentDirectoryA, SetCurrentDirectoryA, GetStartupInfoA, DisconnectNamedPipe, CreatePipe, GetTickCount, GetLocalTime, FlushFileBuffers, WriteFile, WaitForSingleObject, Sleep, GetModuleHandleA, LoadLibraryA, GetLastError, HeapFree, RaiseException, SetEnvironmentVariableW, SetEnvironmentVariableA, HeapAlloc, HeapDestroy, HeapCreate, SetEndOfFile, CreateFileW, WriteConsoleW, SetStdHandle, GetStringTypeW, LCMapStringW, CompareStringW, HeapSize, LoadLibraryW, OutputDebugStringW, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, RemoveDirectoryW, CreateDirectoryW, DeleteFileW, GetFileType, SetFilePointerEx, SetFilePointer, ReadConsoleW, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, GetCPInfo, IsValidCodePage, RtlUnwindEx, GetProcAddress, OpenThread, FreeLibrary, EncodePointer, DecodePointer, GetModuleHandleExW, AreFileApisANSI, GetSystemTimeAsFileTime, HeapReAlloc, GetCommandLineA, GetCurrentThreadId, GetStdHandle, GetModuleFileNameW, IsDebuggerPresent, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, LoadLibraryExW
                      ADVAPI32.dllGetTokenInformation, OpenProcessToken, CryptReleaseContext, CryptAcquireContextA, CryptGenRandom, CheckTokenMembership, DuplicateTokenEx, LogonUserA, LookupAccountSidA, FreeSid, AllocateAndInitializeSid, ImpersonateNamedPipeClient, RevertToSelf, GetUserNameA, CreateProcessWithTokenW, CreateProcessWithLogonW, CreateProcessAsUserA, ImpersonateLoggedOnUser, LookupPrivilegeValueA, AdjustTokenPrivileges, OpenThreadToken
                      WININET.dllInternetReadFile, InternetCloseHandle, InternetConnectA, InternetQueryDataAvailable, InternetQueryOptionA, InternetSetOptionA, InternetSetStatusCallback, HttpOpenRequestA, HttpAddRequestHeadersA, HttpSendRequestA, HttpQueryInfoA, InternetOpenA
                      WS2_32.dllntohs, gethostbyname, socket, send, connect, ioctlsocket, WSAIoctl, WSACleanup, WSAStartup, closesocket, ntohl, htons, htonl, recv, shutdown, WSAGetLastError, __WSAFDIsSet, accept, bind, inet_addr, listen, recvfrom, select, sendto, WSASocketA

                      Exports

                      NameOrdinalAddress
                      ReflectiveLoader10x1800194d4

                      Network Behavior

                      No network behavior found

                      Statistics

                      CPU Usage

                      Click to jump to process

                      Memory Usage

                      Click to jump to process

                      High Level Behavior Distribution

                      Click to dive into process behavior distribution

                      Behavior

                      Click to jump to process

                      System Behavior

                      General

                      Target ID:0
                      Start time:17:02:01
                      Start date:25/11/2024
                      Path:C:\Windows\System32\loaddll64.exe
                      Wow64 process (32bit):false
                      Commandline:loaddll64.exe "C:\Users\user\Desktop\extracted_payload.dll.dll"
                      Imagebase:0x7ff68ef50000
                      File size:165'888 bytes
                      MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:1
                      Start time:17:02:01
                      Start date:25/11/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:2
                      Start time:17:02:01
                      Start date:25/11/2024
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1
                      Imagebase:0x7ff6923f0000
                      File size:289'792 bytes
                      MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:3
                      Start time:17:02:02
                      Start date:25/11/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe C:\Users\user\Desktop\extracted_payload.dll.dll,ReflectiveLoader
                      Imagebase:0x7ff650ff0000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: yara@s3c.za.net
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                      • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000003.00000002.1982754045.000001627EFF0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:4
                      Start time:17:02:02
                      Start date:25/11/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",#1
                      Imagebase:0x7ff650ff0000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: yara@s3c.za.net
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000004.00000002.2038804506.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                      • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 00000004.00000002.2038692906.000001A4C0FD0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000004.00000002.2038775891.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000004.00000002.2038775891.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 00000004.00000002.2038775891.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:8
                      Start time:17:02:02
                      Start date:25/11/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7572 -s 332
                      Imagebase:0x7ff6b9a90000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:9
                      Start time:17:02:02
                      Start date:25/11/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7588 -s 352
                      Imagebase:0x7ff6b9a90000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:10
                      Start time:17:02:05
                      Start date:25/11/2024
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:rundll32.exe "C:\Users\user\Desktop\extracted_payload.dll.dll",ReflectiveLoader
                      Imagebase:0x7ff650ff0000
                      File size:71'680 bytes
                      MD5 hash:EF3179D498793BF4234F708D3BE28633
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: yara@s3c.za.net
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 0000000A.00000002.2011763487.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmp, Author: Florian Roth
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 0000000A.00000002.2011740435.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 0000000A.00000002.2011740435.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: Trojan_Raw_Generic_4, Description: unknown, Source: 0000000A.00000002.2011740435.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: JoeSecurity_CobaltStrike, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_CobaltStrike_ee756db7, Description: Attempts to detect Cobalt Strike based on strings found in BEACON, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                      • Rule: Beacon_K5om, Description: Detects Meterpreter Beacon - file K5om.dll, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: CobaltStrike_Unmodifed_Beacon, Description: Detects unmodified CobaltStrike beacon DLL, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: yara@s3c.za.net
                      • Rule: Leviathan_CobaltStrike_Sample_1, Description: Detects Cobalt Strike sample from Leviathan report, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: crime_win32_csbeacon_1, Description: Detects Cobalt Strike loader, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: @VK_Intel
                      • Rule: WiltedTulip_ReflectiveLoader, Description: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: Florian Roth
                      • Rule: MALWARE_Win_CobaltStrike, Description: CobaltStrike payload, Source: 0000000A.00000002.2011684971.0000025254020000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:high
                      Has exited:true

                      General

                      Target ID:12
                      Start time:17:02:05
                      Start date:25/11/2024
                      Path:C:\Windows\System32\WerFault.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\WerFault.exe -u -p 7852 -s 352
                      Imagebase:0x7ff6b9a90000
                      File size:570'736 bytes
                      MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Disassembly

                      Reset < >

                        Execution Graph

                        Execution Coverage:0.2%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:0%
                        Total number of Nodes:7
                        Total number of Limit Nodes:0
                        execution_graph 16994 7ffe0e1494d4 16995 7ffe0e149561 16994->16995 16998 7ffe0e149f24 16995->16998 16997 7ffe0e149601 17001 7ffe0e149f5e 16998->17001 16999 7ffe0e14a055 VirtualAlloc 17000 7ffe0e14a079 16999->17000 17000->16997 17001->16999 17001->17000

                        Executed Functions

                        Function 00007FFE0E149F24 Relevance: 1.3, APIs: 1, Instructions: 87memoryCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                        • Instruction ID: 748d008ea49b495b079b526a9a2093a753c823bbd4c11dc52a69550d78e86804
                        • Opcode Fuzzy Hash: 614a4b05fd2fcf958961d58200ae62ff8fa006310eb0dba3dbba10185b0029ad
                        • Instruction Fuzzy Hash: 29417676618B8587DB50CB1AE48471EB7A1F7C8B94F105226FADE87B68DF3CD8518B00

                        Non-executed Functions

                        Function 00007FFE0E156514 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 460COMMONLIBRARYCODE
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 220 7ffe0e156514-7ffe0e15655c call 7ffe0e150ac0 223 7ffe0e156565-7ffe0e156568 220->223 224 7ffe0e15655e-7ffe0e156560 220->224 225 7ffe0e15656a-7ffe0e156584 call 7ffe0e151ca8 call 7ffe0e151d18 call 7ffe0e152340 223->225 226 7ffe0e156589-7ffe0e1565bb 223->226 227 7ffe0e156c26-7ffe0e156c4f call 7ffe0e157e20 224->227 225->227 230 7ffe0e1565bd-7ffe0e1565c4 226->230 231 7ffe0e1565c6-7ffe0e1565cc 226->231 230->225 230->231 234 7ffe0e1565ce-7ffe0e1565d6 call 7ffe0e157cec 231->234 235 7ffe0e1565db-7ffe0e1565e4 call 7ffe0e1599bc 231->235 234->235 242 7ffe0e1565ea-7ffe0e1565fb 235->242 243 7ffe0e1568a6-7ffe0e1568b7 235->243 242->243 244 7ffe0e156601-7ffe0e156635 call 7ffe0e155844 GetConsoleMode 242->244 246 7ffe0e1568bd-7ffe0e1568c9 243->246 247 7ffe0e156b88-7ffe0e156ba4 WriteFile 243->247 244->243 260 7ffe0e15663b-7ffe0e15663d 244->260 248 7ffe0e1568cf-7ffe0e1568d2 246->248 249 7ffe0e156997-7ffe0e15699b 246->249 251 7ffe0e156bae-7ffe0e156bb4 GetLastError 247->251 252 7ffe0e156ba6-7ffe0e156bac 247->252 253 7ffe0e156be6-7ffe0e156bfc 248->253 254 7ffe0e1568d8 248->254 257 7ffe0e1569a1-7ffe0e1569a4 249->257 258 7ffe0e156a76-7ffe0e156a79 249->258 256 7ffe0e156bb6-7ffe0e156bb8 251->256 252->256 261 7ffe0e156bfe-7ffe0e156c02 253->261 262 7ffe0e156c08-7ffe0e156c18 call 7ffe0e151d18 call 7ffe0e151ca8 253->262 259 7ffe0e1568db-7ffe0e1568e6 254->259 264 7ffe0e156c20-7ffe0e156c24 256->264 265 7ffe0e156bba-7ffe0e156bbc 256->265 257->253 266 7ffe0e1569aa 257->266 258->253 263 7ffe0e156a7f 258->263 267 7ffe0e1568e8-7ffe0e1568f1 259->267 268 7ffe0e15663f-7ffe0e156642 260->268 269 7ffe0e156648-7ffe0e15665c GetConsoleCP 260->269 261->224 261->262 262->264 270 7ffe0e156a85-7ffe0e156a8a 263->270 264->227 265->253 272 7ffe0e156bbe-7ffe0e156bc1 265->272 273 7ffe0e1569af-7ffe0e1569ba 266->273 274 7ffe0e1568f3-7ffe0e1568fc 267->274 275 7ffe0e156919-7ffe0e15695c WriteFile 267->275 268->243 268->269 276 7ffe0e156662-7ffe0e156665 269->276 277 7ffe0e15689d-7ffe0e1568a1 269->277 278 7ffe0e156a8c-7ffe0e156a95 270->278 280 7ffe0e156bc3-7ffe0e156bd3 call 7ffe0e151d18 call 7ffe0e151ca8 272->280 281 7ffe0e156bda-7ffe0e156be1 call 7ffe0e151cc8 272->281 282 7ffe0e1569bc-7ffe0e1569c5 273->282 286 7ffe0e1568fe-7ffe0e156905 274->286 287 7ffe0e156908-7ffe0e156917 274->287 275->251 290 7ffe0e156962-7ffe0e156978 275->290 288 7ffe0e1567ef-7ffe0e1567f4 276->288 289 7ffe0e15666b-7ffe0e15668a 276->289 277->265 291 7ffe0e156ac6-7ffe0e156b0f WideCharToMultiByte 278->291 292 7ffe0e156a97-7ffe0e156aa4 278->292 280->281 281->253 283 7ffe0e1569c7-7ffe0e1569d4 282->283 284 7ffe0e1569f8-7ffe0e156a3b WriteFile 282->284 295 7ffe0e1569e4-7ffe0e1569f6 283->295 296 7ffe0e1569d6-7ffe0e1569e0 283->296 284->251 297 7ffe0e156a41-7ffe0e156a57 284->297 286->287 287->267 287->275 304 7ffe0e156814 288->304 305 7ffe0e1567f6-7ffe0e156812 288->305 299 7ffe0e1566ac-7ffe0e1566b6 call 7ffe0e158738 289->299 300 7ffe0e15668c-7ffe0e1566aa 289->300 290->256 301 7ffe0e15697e-7ffe0e15698c 290->301 291->251 307 7ffe0e156b15 291->307 302 7ffe0e156ab2-7ffe0e156ac4 292->302 303 7ffe0e156aa6-7ffe0e156aae 292->303 295->282 295->284 296->295 297->256 313 7ffe0e156a5d-7ffe0e156a6b 297->313 329 7ffe0e1566ec-7ffe0e1566f2 299->329 330 7ffe0e1566b8-7ffe0e1566c5 299->330 314 7ffe0e1566f5-7ffe0e156702 call 7ffe0e15adec 300->314 301->259 310 7ffe0e156992 301->310 302->278 302->291 303->302 311 7ffe0e156819-7ffe0e15681e 304->311 305->311 309 7ffe0e156b17-7ffe0e156b51 WriteFile 307->309 318 7ffe0e156b53-7ffe0e156b5d 309->318 319 7ffe0e156b61-7ffe0e156b69 GetLastError 309->319 310->256 316 7ffe0e15685f 311->316 317 7ffe0e156820-7ffe0e15682f call 7ffe0e15adf4 311->317 313->273 322 7ffe0e156a71 313->322 333 7ffe0e156894-7ffe0e156898 314->333 334 7ffe0e156708-7ffe0e156745 WideCharToMultiByte 314->334 328 7ffe0e156864-7ffe0e15686c 316->328 317->251 340 7ffe0e156835-7ffe0e15683b 317->340 318->309 324 7ffe0e156b5f 318->324 325 7ffe0e156b6d-7ffe0e156b6f 319->325 322->256 324->325 325->256 332 7ffe0e156b71-7ffe0e156b80 325->332 328->333 335 7ffe0e15686e 328->335 329->314 336 7ffe0e156873-7ffe0e15688b 330->336 337 7ffe0e1566cb-7ffe0e1566e1 call 7ffe0e15adec 330->337 332->270 338 7ffe0e156b86 332->338 333->256 334->333 339 7ffe0e15674b-7ffe0e15677a WriteFile 334->339 335->276 336->333 337->333 345 7ffe0e1566e7-7ffe0e1566ea 337->345 338->256 339->251 343 7ffe0e156780-7ffe0e15678e 339->343 340->316 342 7ffe0e15683d-7ffe0e156853 call 7ffe0e15adf4 340->342 342->251 351 7ffe0e156859-7ffe0e15685b 342->351 343->333 346 7ffe0e156794-7ffe0e15679e 343->346 345->334 346->328 349 7ffe0e1567a4-7ffe0e1567d6 WriteFile 346->349 349->251 350 7ffe0e1567dc-7ffe0e1567e1 349->350 350->333 352 7ffe0e1567e7-7ffe0e1567ed 350->352 351->316 352->328
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: __doserrno_errno_invalid_parameter_noinfo
                        • String ID: U
                        • API String ID: 3902385426-4171548499
                        • Opcode ID: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                        • Instruction ID: 337ed8cc8f748686fbbfcc924c729abcfeb628b5a21496be4cddee1d6d815ac2
                        • Opcode Fuzzy Hash: a469b43449293490d86ed3caa32e41753b17625943497404ea198177ea08bf0b
                        • Instruction Fuzzy Hash: 8312AE73A18642C6EB208F28D48437A67A1FB85B48F944137EACD436B5DF3DE885CB50
                        Function 00007FFE0E14867C Relevance: 46.6, APIs: 22, Strings: 4, Instructions: 1078processCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateCurrentFirstProcessProcess32SnapshotToolhelp32
                        • String ID: %s%d%d%s%s%d$%s%d%d$x64$x86
                        • API String ID: 718051232-1833344708
                        • Opcode ID: 6ff8da223217ec475276693cf42c7d1c7355bbcbd1655dcef78ea65679358709
                        • Instruction ID: 4c849acbcd79f670e06ed26acbb5c0d55b8a0cac21438f3dfe0271e01aa01f0d
                        • Opcode Fuzzy Hash: 6ff8da223217ec475276693cf42c7d1c7355bbcbd1655dcef78ea65679358709
                        • Instruction Fuzzy Hash: 2B82B191F0D74382FA68DB2694506B962D0EF8AB84F944137E9CE477F5DE3CE5828740
                        Function 00007FFE0E152F9C Relevance: 37.4, APIs: 19, Strings: 2, Instructions: 694COMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                        • String ID: $@
                        • API String ID: 3318157856-1077428164
                        • Opcode ID: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                        • Instruction ID: 3006ee0cd642849bbaf0f48f4053ed9a67c0a0cbdec6445164ae603b22d1334d
                        • Opcode Fuzzy Hash: 43138757bcee35b18d1a9352f63dda4217664694579bf9df27f2658c9d71e8f1
                        • Instruction Fuzzy Hash: D3529DA3E0C696C6FB658A15954437E6AA0BF417D4F14113BDAEE47AF8DF3CE9408B00
                        Function 00007FFE0E152528 Relevance: 35.7, APIs: 19, Strings: 1, Instructions: 687COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnowrite_multi_charwrite_string$Locale_invalid_parameter_noinfowrite_char$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
                        • String ID:
                        • API String ID: 3318157856-3916222277
                        • Opcode ID: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                        • Instruction ID: 3f1fc567481bb82b7f52369203adc9c5b19ea7184e67ff80a087cf86c71ec1a4
                        • Opcode Fuzzy Hash: fca6f3964dd5be39caa2a1998c64648d50546d36c07ae532eb44751125f6f7d4
                        • Instruction Fuzzy Hash: 7652BB23A0C696C6FB698B1495443BA6BB4BF46784F241037DACE16AF5DF7CE840CB40
                        Function 00007FFE0E147B38 Relevance: 26.0, APIs: 10, Strings: 7, Instructions: 545COMMONLIBRARYCODE
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1283 7ffe0e147b38-7ffe0e147bad call 7ffe0e14f530 call 7ffe0e14b454 call 7ffe0e146104 1290 7ffe0e147bb1-7ffe0e147bbf call 7ffe0e146114 1283->1290 1293 7ffe0e147bc5 1290->1293 1294 7ffe0e147f4a-7ffe0e147f4d 1290->1294 1295 7ffe0e147f29 1293->1295 1296 7ffe0e147bcb-7ffe0e147bcd 1293->1296 1297 7ffe0e147f53-7ffe0e147f55 1294->1297 1298 7ffe0e148218-7ffe0e148250 call 7ffe0e14f530 call 7ffe0e146284 1294->1298 1299 7ffe0e147f2b-7ffe0e147f3d call 7ffe0e140de0 1295->1299 1300 7ffe0e1482f5-7ffe0e1482f8 1296->1300 1301 7ffe0e147bd3-7ffe0e147bd5 1296->1301 1302 7ffe0e148162-7ffe0e1481bb call 7ffe0e14f530 call 7ffe0e146284 call 7ffe0e14f63c 1297->1302 1303 7ffe0e147f5b-7ffe0e147f5d 1297->1303 1345 7ffe0e148252-7ffe0e148263 call 7ffe0e14f63c 1298->1345 1346 7ffe0e148265-7ffe0e148276 call 7ffe0e14f63c 1298->1346 1315 7ffe0e147f42-7ffe0e147f45 1299->1315 1311 7ffe0e1483a3-7ffe0e1483c3 1300->1311 1312 7ffe0e1482fe-7ffe0e148301 1300->1312 1306 7ffe0e147ed6-7ffe0e147f16 call 7ffe0e14f530 call 7ffe0e146284 call 7ffe0e14f920 1301->1306 1307 7ffe0e147bdb-7ffe0e147bdd 1301->1307 1360 7ffe0e1482e5 1302->1360 1383 7ffe0e1481c1-7ffe0e1481c4 1302->1383 1308 7ffe0e147f63-7ffe0e147f65 1303->1308 1309 7ffe0e14815b-7ffe0e14815d 1303->1309 1398 7ffe0e147f19-7ffe0e147f20 1306->1398 1316 7ffe0e147be3-7ffe0e147be5 1307->1316 1317 7ffe0e147e4b-7ffe0e147e8b call 7ffe0e14f530 call 7ffe0e146284 call 7ffe0e14f920 1307->1317 1319 7ffe0e1480cb-7ffe0e1480fe call 7ffe0e14f63c 1308->1319 1320 7ffe0e147f6b-7ffe0e147f6d 1308->1320 1309->1299 1312->1311 1322 7ffe0e148307-7ffe0e14830f 1312->1322 1324 7ffe0e1480b4-7ffe0e1480c6 call 7ffe0e14f530 1315->1324 1326 7ffe0e147e0e-7ffe0e147e2b call 7ffe0e131258 1316->1326 1327 7ffe0e147beb-7ffe0e147bed 1316->1327 1414 7ffe0e147e8e-7ffe0e147e95 1317->1414 1359 7ffe0e148104-7ffe0e148107 1319->1359 1319->1360 1330 7ffe0e147f73-7ffe0e147f76 1320->1330 1331 7ffe0e14808c-7ffe0e1480a9 call 7ffe0e140d04 1320->1331 1322->1322 1333 7ffe0e148311-7ffe0e148314 1322->1333 1326->1311 1375 7ffe0e147e31-7ffe0e147e49 call 7ffe0e14f530 1326->1375 1339 7ffe0e147bf3-7ffe0e147bf5 1327->1339 1340 7ffe0e147df6-7ffe0e147e09 call 7ffe0e14f920 1327->1340 1343 7ffe0e148074-7ffe0e148087 call 7ffe0e140eac 1330->1343 1344 7ffe0e147f7c-7ffe0e147f7e 1330->1344 1331->1311 1374 7ffe0e1480af 1331->1374 1333->1311 1347 7ffe0e14831a-7ffe0e148349 call 7ffe0e14f63c 1333->1347 1349 7ffe0e147d17-7ffe0e147d53 call 7ffe0e14f530 call 7ffe0e146284 1339->1349 1350 7ffe0e147bfb-7ffe0e147bfd 1339->1350 1340->1290 1343->1315 1344->1290 1362 7ffe0e147f84-7ffe0e147fac call 7ffe0e14f530 call 7ffe0e146284 1344->1362 1373 7ffe0e14827b-7ffe0e14828c 1345->1373 1346->1373 1380 7ffe0e14839b-7ffe0e14839e call 7ffe0e14f920 1347->1380 1381 7ffe0e14834b 1347->1381 1418 7ffe0e147d55-7ffe0e147d6b call 7ffe0e14f63c 1349->1418 1419 7ffe0e147d6d-7ffe0e147d83 call 7ffe0e14f63c 1349->1419 1367 7ffe0e147bff-7ffe0e147c01 1350->1367 1368 7ffe0e147c58-7ffe0e147cba call 7ffe0e14f530 call 7ffe0e146284 call 7ffe0e14f63c 1350->1368 1377 7ffe0e14810d-7ffe0e148154 1359->1377 1376 7ffe0e1482eb-7ffe0e1482f0 call 7ffe0e14f920 1360->1376 1416 7ffe0e147fae 1362->1416 1417 7ffe0e147fe5-7ffe0e148002 call 7ffe0e14f63c 1362->1417 1367->1290 1384 7ffe0e147c03-7ffe0e147c13 call 7ffe0e146114 1367->1384 1368->1360 1444 7ffe0e147cc0-7ffe0e147cc3 1368->1444 1373->1360 1386 7ffe0e14828e-7ffe0e148291 1373->1386 1374->1324 1412 7ffe0e147ec9-7ffe0e147ed1 1375->1412 1376->1290 1377->1377 1390 7ffe0e148156 1377->1390 1380->1311 1393 7ffe0e148350-7ffe0e148397 1381->1393 1396 7ffe0e1481ca-7ffe0e148211 1383->1396 1420 7ffe0e147c15-7ffe0e147c2b call 7ffe0e14f920 1384->1420 1421 7ffe0e147c2d-7ffe0e147c30 1384->1421 1399 7ffe0e148297-7ffe0e1482de 1386->1399 1390->1290 1393->1393 1406 7ffe0e148399 1393->1406 1396->1396 1408 7ffe0e148213 1396->1408 1398->1398 1410 7ffe0e147f22-7ffe0e147f24 1398->1410 1399->1399 1411 7ffe0e1482e0 1399->1411 1406->1311 1408->1290 1410->1290 1411->1290 1412->1376 1414->1414 1415 7ffe0e147e97-7ffe0e147ea9 call 7ffe0e14f920 1414->1415 1439 7ffe0e147eac-7ffe0e147eb3 1415->1439 1424 7ffe0e147fb1-7ffe0e147fb9 1416->1424 1434 7ffe0e148007-7ffe0e148017 1417->1434 1435 7ffe0e147d88-7ffe0e147d99 1418->1435 1419->1435 1420->1290 1421->1290 1429 7ffe0e147c36-7ffe0e147c53 call 7ffe0e14f920 1421->1429 1424->1424 1432 7ffe0e147fbb-7ffe0e147fbe 1424->1432 1429->1290 1432->1417 1440 7ffe0e147fc0-7ffe0e147fe3 call 7ffe0e14f63c 1432->1440 1434->1360 1441 7ffe0e14801d-7ffe0e148020 1434->1441 1435->1360 1442 7ffe0e147d9f-7ffe0e147da2 1435->1442 1439->1439 1445 7ffe0e147eb5-7ffe0e147ec6 call 7ffe0e14f530 1439->1445 1440->1434 1447 7ffe0e148026-7ffe0e14806d 1441->1447 1448 7ffe0e147da8-7ffe0e147def 1442->1448 1449 7ffe0e147cc9-7ffe0e147d10 1444->1449 1445->1412 1447->1447 1453 7ffe0e14806f 1447->1453 1448->1448 1454 7ffe0e147df1 1448->1454 1449->1449 1450 7ffe0e147d12 1449->1450 1450->1290 1453->1290 1454->1290
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$_errno_invalid_parameter_noinfo
                        • String ID: %s%s$%s%s$%s%s: %s$%s&%s$%s&%s=%s$?%s$?%s=%s
                        • API String ID: 3442832105-1222817042
                        • Opcode ID: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                        • Instruction ID: 9d2c2d129aae424ecd0f87ebc4f7c7f828af4fa5e8ade17c10ff16a1ddd9cf1b
                        • Opcode Fuzzy Hash: 412d66828e9d0a494a073441381b0bd2cf94e887e51df8164056f8f6c456b4ac
                        • Instruction Fuzzy Hash: C64268A1A18F8692E6259B29D0011F9A3A0FF99759F045132EFCD17B75EF3CE1A6C340
                        Function 00007FFE0E141C30 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 150filetimeCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$FileFind_errno$ErrorHeapLastSystemfreemalloc$AllocCloseCurrentDirectoryFirstFreeLocalNextSpecific_callnewhhtonl
                        • String ID: %s$.\*$D0%02d/%02d/%02d %02d:%02d:%02d%s$F%I64d%02d/%02d/%02d %02d:%02d:%02d%s
                        • API String ID: 723279517-1754256099
                        • Opcode ID: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                        • Instruction ID: 4e5b1b080840be1001c0e74d83afe1939a7587c8b1ee241b7c3de56d3fbc7881
                        • Opcode Fuzzy Hash: 457427d9072a94c5804b99a9cf994faefb62e403f1d248ccd724e43b7fc9f85d
                        • Instruction Fuzzy Hash: A2619FB1B0875296EB10DB61E8405AEB7A1FB85B94F404036EE8D47BAADF7CD506CB40
                        Function 00007FFE0E13E68C Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 165networkfileCOMMONLIBRARYCODE
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$Internet$CloseHandleHttpRequeststrchr$AvailableDataFileOpenQueryReadSend_errno_invalid_parameter_noinfo
                        • String ID: %s%s$*/*
                        • API String ID: 3536628738-856325523
                        • Opcode ID: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                        • Instruction ID: 00d6caa65c4101d76b9da7a7a8ad7410603ce577fd08e14ffecd7e508ebe99fd
                        • Opcode Fuzzy Hash: 5c4b2c5719e067ce629add7012f112fb417b911470ce534f4123a2ba84123eb0
                        • Instruction Fuzzy Hash: 94717C72B0878686EB109B61E4406BAB7A5FB84B98F404133EE8D57BB5DF3CE546C740
                        Function 00007FFE0E140F34 Relevance: 18.2, APIs: 12, Instructions: 163processCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1672 7ffe0e140f34-7ffe0e140f49 1673 7ffe0e140f4f-7ffe0e140f53 1672->1673 1674 7ffe0e140fdb-7ffe0e14101b CreateProcessA 1672->1674 1673->1674 1675 7ffe0e140f59-7ffe0e140f97 CreateProcessAsUserA 1673->1675 1676 7ffe0e14101d-7ffe0e141028 GetLastError 1674->1676 1677 7ffe0e14102a 1674->1677 1675->1677 1678 7ffe0e140f9d-7ffe0e140fa8 GetLastError 1675->1678 1679 7ffe0e140fcc-7ffe0e140fd9 call 7ffe0e13e67c 1676->1679 1680 7ffe0e14102f-7ffe0e141034 1677->1680 1681 7ffe0e140fc1-7ffe0e140fc7 GetLastError 1678->1681 1682 7ffe0e140faa-7ffe0e140fb2 1678->1682 1679->1680 1681->1679 1682->1681 1684 7ffe0e140fb4-7ffe0e14135e call 7ffe0e150ac0 call 7ffe0e14f530 * 2 call 7ffe0e13fe54 1682->1684 1695 7ffe0e141370-7ffe0e14137c GetCurrentDirectoryW 1684->1695 1696 7ffe0e141360-7ffe0e14136b call 7ffe0e13e590 1684->1696 1698 7ffe0e14137e-7ffe0e14138e GetCurrentDirectoryW 1695->1698 1699 7ffe0e141396-7ffe0e1413e0 call 7ffe0e14e0fc CreateProcessWithTokenW call 7ffe0e14e0e0 1695->1699 1702 7ffe0e14145a 1696->1702 1698->1699 1707 7ffe0e1413e2-7ffe0e1413e7 1699->1707 1708 7ffe0e1413e9-7ffe0e1413f4 GetLastError 1699->1708 1705 7ffe0e14145c-7ffe0e141474 1702->1705 1707->1705 1709 7ffe0e1413f6-7ffe0e1413fd 1708->1709 1710 7ffe0e14141a-7ffe0e141423 GetLastError 1708->1710 1709->1710 1711 7ffe0e1413ff-7ffe0e141406 1709->1711 1712 7ffe0e141425-7ffe0e14142c 1710->1712 1713 7ffe0e141444-7ffe0e14144a GetLastError 1710->1713 1711->1710 1714 7ffe0e141408-7ffe0e141418 call 7ffe0e141268 1711->1714 1712->1713 1715 7ffe0e14142e-7ffe0e141435 1712->1715 1716 7ffe0e14144f-7ffe0e141455 call 7ffe0e13e67c 1713->1716 1714->1705 1715->1713 1718 7ffe0e141437-7ffe0e141442 GetLastError 1715->1718 1716->1702 1718->1716
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateErrorLastProcess$ByteCharCurrentDirectoryMultiWide$TokenUserWith
                        • String ID:
                        • API String ID: 3044875250-0
                        • Opcode ID: bd8628157e2bf0beea7f3f46e6f553db081dc7e69f3976c587d33e54da051543
                        • Instruction ID: 994af71e9a8c159a1f4f00eab23d7def6dc4fc79f0f964ca31257adad37e38a4
                        • Opcode Fuzzy Hash: bd8628157e2bf0beea7f3f46e6f553db081dc7e69f3976c587d33e54da051543
                        • Instruction Fuzzy Hash: 50716BB2B19B4696EB608F21E44436E73A1FB48B94F544136EA8D43BB5DF7CE494CB00
                        Function 00007FFE0E149220 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 87fileCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$Find$FileHeap_snprintffreemalloc$AllocCloseErrorFirstFreeLastNext_callnewh_invalid_parameter_noinfo
                        • String ID: %s\*
                        • API String ID: 2620626937-766152087
                        • Opcode ID: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                        • Instruction ID: 467cca49e8c7df74f6b94dd2f9d990edd0dd59a3ec723b61e6335b57ab9da03b
                        • Opcode Fuzzy Hash: cc893efac870e389c3214beb74474689fb7507946bb50414294d16208cc1c1d7
                        • Instruction Fuzzy Hash: 8B318351B0C68305E6155B6268146BA7B61AB8AFD0F889132DEED077F6CE3CE453C300
                        Function 00007FFE0E145E28 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116stringCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Name$ComputerFileModuleUserVersion_snprintfmallocstrrchr
                        • String ID: %s%s%s
                        • API String ID: 1671524875-1891519693
                        • Opcode ID: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                        • Instruction ID: 6f4caa7a211d10c4e1ea5b98c463e38389e2e0dc880eb5cb1516c55eb1847dfb
                        • Opcode Fuzzy Hash: 40ae984fd8d1d60e03acc18bee9c81741f4638c9dfd0547d5b2d8a001e524837
                        • Instruction Fuzzy Hash: E8415E65B0874246FA14EB22A9146BA6792BF89FD4F544532EE9D077B6CF3CE442C700
                        Function 00007FFE0E14B47C Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 258COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc$Name$Computer_errno$AllocHeapSocketUser_callnewh
                        • String ID: VUUU
                        • API String ID: 632458648-2040033107
                        • Opcode ID: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                        • Instruction ID: 786a68efb323037aa33380f884b13dad9e8099b65350a18c96c3ae0d6c20a8da
                        • Opcode Fuzzy Hash: 05713f2820868472ca49688c2b85268c5ac8a6a8808567d94079f7d4b5d3be16
                        • Instruction Fuzzy Hash: 3FA1B1A6F0C75246EB14AB66D811ABD2291FF89BC4F804137E9CD5B7B6DE3CE5028340
                        Function 00007FFE0E131184 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39encryptionCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Crypt$Context$Acquire$RandomRelease
                        • String ID: ($Microsoft Base Cryptographic Provider v1.0
                        • API String ID: 685801729-4046902070
                        • Opcode ID: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                        • Instruction ID: e591b5432dd3b11b769f315abe6e57af6193ef4a76e32b7c6a5f549474e752ae
                        • Opcode Fuzzy Hash: 0f7b575704e2efa4e71594adee21552c9336b074ba1ad3f512173577c0e57d68
                        • Instruction Fuzzy Hash: CB014435B08A4282EB50CFA5E888769B761FBD8B84F548436C68D83775DF7CDA49C740
                        Function 00007FFE0E146A78 Relevance: 9.1, APIs: 6, Instructions: 60networkCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: bindclosesockethtonsioctlsocketlistensocket
                        • String ID:
                        • API String ID: 1767165869-0
                        • Opcode ID: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                        • Instruction ID: d1758223179c8865c3260faf67a905af996ada506979de64fbf3a18909a3d640
                        • Opcode Fuzzy Hash: f4b350054c05ef1cd9ff918b3eebb66b28a02a47d439b5acf83660ca504c3395
                        • Instruction Fuzzy Hash: D721E1A1B08B5682E7248F16A420079B7A0FB88FA8F544636DEDE037B5DF3CE446C700
                        Function 00007FFE0E146670 Relevance: 9.1, APIs: 6, Instructions: 57networkCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: bindclosesockethtonlhtonsioctlsocketsocket
                        • String ID:
                        • API String ID: 3910169428-0
                        • Opcode ID: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                        • Instruction ID: 29e6ccf7ec55e4132cc252f8ee1680db35c2efcb9ac2d49d86d5200e30de84ef
                        • Opcode Fuzzy Hash: b53a2f792c81892d7b6d7ca8ab412e3f2e468a0ee1017cf91dd071cea0dc5194
                        • Instruction Fuzzy Hash: 1021E765B14B4282E7249F21E4142A93760FB89BA8F544236CEAD433F5EF3CD549C700
                        Function 00007FFE0E14DF50 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharErrorLastMultiUserWidemalloc$ImpersonateLoggedLogonRevertSelf
                        • String ID: %s\%s
                        • API String ID: 3621627092-4073750446
                        • Opcode ID: 5de9f1acc7c944da019a1c91db6cd56726b723104b2f927a8a32be778dd2ea71
                        • Instruction ID: 610e98e83c47e740cffa203d845f1456b2128bdc13a851a842660769538b1137
                        • Opcode Fuzzy Hash: 5de9f1acc7c944da019a1c91db6cd56726b723104b2f927a8a32be778dd2ea71
                        • Instruction Fuzzy Hash: 20410761B18B4681FB00AB62F8546BA22A1EF8AF90F504037E9DD577B7DE3CE585C700
                        Function 00007FFE0E13FA1C Relevance: 7.6, APIs: 5, Instructions: 61sleepCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountSleepTick$closesocket
                        • String ID:
                        • API String ID: 2363407838-0
                        • Opcode ID: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                        • Instruction ID: 98b911ee623ff505bd098685a84c7fe48a35daa29ae4d45d216587a2a6043832
                        • Opcode Fuzzy Hash: 10e278be78da8f1e85a2fadd26c76492043cbdbeff7cfa22a85522b80d216db2
                        • Instruction Fuzzy Hash: 0F218061F0874681EA10AB22B4440AAB250BB89BA4F540733EDFE437F6DE3CE5068741
                        Function 00007FFE0E14EE8C Relevance: 7.6, APIs: 5, Instructions: 53networkCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: bindclosesockethtonslistensocket
                        • String ID:
                        • API String ID: 564772725-0
                        • Opcode ID: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                        • Instruction ID: 28b49a6b0c579512051171a78a6ccf80c8705e18188b4ee3247ec0a2b6a949fa
                        • Opcode Fuzzy Hash: be1f698a7e4eb4207d6933216863c257059b8865fc596cd8fbc22c7be6d18c17
                        • Instruction Fuzzy Hash: E111B166A1875682EA209F16E41516AB3A0FB84BE4F444236EEED1B7F5DF3CE105CB04
                        Function 00007FFE0E140B70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 63COMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                        • String ID: %s
                        • API String ID: 4244140340-620797490
                        • Opcode ID: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                        • Instruction ID: a78b0a6a475f681c12af536e19a6d2429680ff440be841916e1667966ef61947
                        • Opcode Fuzzy Hash: bf812f175a1fbc479699b50877281c9aa9b2d5b741073a8283bc0e57be89c079
                        • Instruction Fuzzy Hash: 23214DB2B04B0299EB149B61D4447AC33B5FB58B88F844476CE8C93B69EF78D515C380
                        Function 00007FFE0E145854 Relevance: 6.1, APIs: 4, Instructions: 73sleepnetworkCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$ErrorLastSleepioctlsocket
                        • String ID:
                        • API String ID: 1121440892-0
                        • Opcode ID: fcdb65340708f9b0e72f1d1b015c2b604b997b38f69e191681fce0415d28b530
                        • Instruction ID: c0c781729d7e208281e1efbf4f3606f3e9bfa4fc33ce1682b96722ab7cd377be
                        • Opcode Fuzzy Hash: fcdb65340708f9b0e72f1d1b015c2b604b997b38f69e191681fce0415d28b530
                        • Instruction Fuzzy Hash: 0F318C76F08B42C6EB10DBA2E4841AC33B6FB89B94B51023ADE9D937A5DE38D555C340
                        Function 00007FFE0E1476F0 Relevance: 6.0, APIs: 4, Instructions: 32memorythreadCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AttributeHeapInitializeListProcThread$AllocProcess
                        • String ID:
                        • API String ID: 1212816094-0
                        • Opcode ID: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                        • Instruction ID: ecb0a733cdccb1d97db17f4e4ab7daae9a2c9616a96b881ec9712e19f2506a88
                        • Opcode Fuzzy Hash: 092ee1049558447ca0759a62b312a2f8f202331ccdb130be8b8fda5f5e098b35
                        • Instruction Fuzzy Hash: 11F0C266B2C68282EB548B35A44477A62A0EF88B90F585437EA8F43B74CE3CD444CA00
                        Function 00007FFE0E13DA3C Relevance: 4.9, APIs: 3, Instructions: 374memoryCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,00007FFE0E14227C), ref: 00007FFE0E13DD33
                          • Part of subcall function 00007FFE0E14CC00: GetCurrentProcess.KERNEL32 ref: 00007FFE0E14CC8D
                        • HeapCreate.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,00007FFE0E14227C), ref: 00007FFE0E13DCDA
                        • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00000000,00007FFE0E14227C), ref: 00007FFE0E13DCF8
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocCreateCurrentErrorLastProcesshtonl
                        • String ID:
                        • API String ID: 3419463915-0
                        • Opcode ID: 09ac317b63605e0848025d9268b3ee17f6708c8c31475479f45a29ec1cc35a83
                        • Instruction ID: 728f53dea96afb82fe905c8a3460c5323000deb895a33e1ef86ca7f5d0ef39f5
                        • Opcode Fuzzy Hash: 09ac317b63605e0848025d9268b3ee17f6708c8c31475479f45a29ec1cc35a83
                        • Instruction Fuzzy Hash: ECE14CA2A1474287FB648B35E8413BA73A1FB99755F484136DACE97BA6DE3CF045C300
                        Function 00007FFE0E14DEC8 Relevance: 4.5, APIs: 3, Instructions: 34memoryCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateCheckFreeInitializeMembershipToken
                        • String ID:
                        • API String ID: 3429775523-0
                        • Opcode ID: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                        • Instruction ID: fbeed2ef8103ade94ddc1f03f7c1f09cd7917c0a4ceea60cc1fb421cd953a466
                        • Opcode Fuzzy Hash: 133629f3ff4376339bdb4199f1e62c11324afdffa1ae21ac4a70826d2a5797c2
                        • Instruction Fuzzy Hash: 46011E73A24B428FEB208F20E4453AD37B0F75476EF411929F68D46AA9CB7CC159CB80
                        Function 00007FFE0E15C3B0 Relevance: 3.4, Strings: 2, Instructions: 884COMMONLIBRARYCODE
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: $<
                        • API String ID: 0-428540627
                        • Opcode ID: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                        • Instruction ID: ddc0f1dad38d609b2f8d2f9c747b01df4b217b1a6f0f31c6c26c41f312dd866e
                        • Opcode Fuzzy Hash: b07265f8357a11157a4f9c9ad581af4fb46f207739a0a4220b37d603b0229bef
                        • Instruction Fuzzy Hash: 8E92E0B2729A8187DB58CB1DE4A173AB7A1F3C8780F44513AE79B877A4CE2CD451CB44
                        Function 00007FFE0E140920 Relevance: 1.5, APIs: 1, Instructions: 33pipeCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateNamedPipe
                        • String ID:
                        • API String ID: 2489174969-0
                        • Opcode ID: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                        • Instruction ID: d67df7cc43cfc64915aa4c54020f0d49fc714676e50c2dfe4619045aab1c1c14
                        • Opcode Fuzzy Hash: ffc033c595a008210ccbf7715394fddec234f51f7fbc04560c83c088a3818f65
                        • Instruction Fuzzy Hash: 360157B1A18B428AEA118B10E44436976F1FB99765F54433AD6DD027F6EF3CD01ACB00
                        Function 00007FFE0E15DBF0 Relevance: .6, Instructions: 617COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                        • Instruction ID: 3213d3b1a9ef054f34e6cf2b4db27676d1e53a40bdc9b194709fc2595384a671
                        • Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
                        • Instruction Fuzzy Hash: 00523FB261898587D708CB1CE4A173AB7A1F7C9B80F44853AE78B8B799CE3DD554CB40
                        Function 00007FFE0E15D280 Relevance: .6, Instructions: 592COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                        • Instruction ID: 93d7c7d61c4a402b0b32d19dd7f29fbeda491b41e1b5facc6bf08ef85bf32d4f
                        • Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
                        • Instruction Fuzzy Hash: A75264B261858187D708CF1DE4A163AB7E1F7C9B80F44853AE79A8B7A9CE3CD545CB40
                        Function 00007FFE0E13A280 Relevance: .4, Instructions: 404COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        • Opcode ID: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                        • Instruction ID: 608a94113d10742e0f36e0587376f252639dfb4ab6deaed214bff9b5ebf6c785
                        • Opcode Fuzzy Hash: c765d2767cc6881341997e71bcd018a989170b9b961d50c461c72776cf572830
                        • Instruction Fuzzy Hash: 07F16262B0864386EB20CB3594901BE73A1FF95784F904137EBCD876A9EE3DE945CB40
                        Function 00007FFE0E139D6C Relevance: .4, Instructions: 367COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free
                        • String ID:
                        • API String ID: 1294909896-0
                        • Opcode ID: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                        • Instruction ID: c6ac65be7ebe8577f96fc0808e03b212ebae9054ec968b9062dde27c3e25a8e5
                        • Opcode Fuzzy Hash: 1cd785112f09a1c6710790546be46074dbf73f7ffcb36dc8c2022c63c2ed85fc
                        • Instruction Fuzzy Hash: 6CE1C662B0CA4391EB209B75D4901BE77A1FF94788F900033EACD976A9EE7DE945C740
                        Function 00007FFE0E15CF97 Relevance: .1, Instructions: 134COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                        • Instruction ID: 4fa35cd08519166b88b9ebf0924bd266c6918e0c3ceb83143305cdda69f5bfb9
                        • Opcode Fuzzy Hash: aa69cfbe2dfd85e7477dd7a8e83c12114f76cab9aed25d9437113f4cd473f74e
                        • Instruction Fuzzy Hash: 85610FB661865187DB14CB0DE4E062AB7E1F3CC794F84422AE38F87768DA3CD545CB40
                        Function 00007FFE0E146BE0 Relevance: 22.7, APIs: 15, Instructions: 195networkCOMMONLIBRARYCODE
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1505 7ffe0e146be0-7ffe0e146c20 1506 7ffe0e146f13-7ffe0e146f29 1505->1506 1507 7ffe0e146c26-7ffe0e146c2c 1505->1507 1508 7ffe0e146c31-7ffe0e146c35 1507->1508 1509 7ffe0e146efc-7ffe0e146f03 1508->1509 1510 7ffe0e146c3b-7ffe0e146cb9 htonl select 1508->1510 1509->1506 1511 7ffe0e146f05 1509->1511 1512 7ffe0e146cbf-7ffe0e146cca __WSAFDIsSet 1510->1512 1513 7ffe0e146d8d-7ffe0e146d91 1510->1513 1511->1508 1512->1509 1516 7ffe0e146cd0-7ffe0e146d01 accept ioctlsocket 1512->1516 1514 7ffe0e146d97-7ffe0e146da2 __WSAFDIsSet 1513->1514 1515 7ffe0e146e26-7ffe0e146e31 1513->1515 1514->1509 1517 7ffe0e146da8-7ffe0e146e21 accept call 7ffe0e145a20 call 7ffe0e1451b4 1514->1517 1518 7ffe0e146e33-7ffe0e146e3a __WSAFDIsSet 1515->1518 1519 7ffe0e146e67-7ffe0e146e6e call 7ffe0e15c3a4 1515->1519 1520 7ffe0e146d07-7ffe0e146d88 call 7ffe0e146b7c call 7ffe0e1463e0 call 7ffe0e13d044 call 7ffe0e13d074 * 2 call 7ffe0e1461e4 call 7ffe0e13d1b8 call 7ffe0e13d020 1516->1520 1521 7ffe0e146f0a-7ffe0e146f0d closesocket 1516->1521 1517->1509 1523 7ffe0e146e40-7ffe0e146e52 __WSAFDIsSet 1518->1523 1524 7ffe0e146ee9-7ffe0e146eed 1518->1524 1519->1524 1535 7ffe0e146e70-7ffe0e146e82 __WSAFDIsSet 1519->1535 1520->1509 1521->1506 1529 7ffe0e146e58-7ffe0e146e62 1523->1529 1530 7ffe0e146edb-7ffe0e146ee7 GetTickCount 1523->1530 1528 7ffe0e146ef0-7ffe0e146ef7 1524->1528 1528->1509 1529->1528 1530->1509 1530->1524 1535->1529 1538 7ffe0e146e84-7ffe0e146e93 __WSAFDIsSet 1535->1538 1538->1530 1539 7ffe0e146e95-7ffe0e146eb9 accept 1538->1539 1541 7ffe0e146ec4-7ffe0e146ec8 1539->1541 1542 7ffe0e146ebb-7ffe0e146ec2 1539->1542 1544 7ffe0e146ece-7ffe0e146ed9 closesocket 1541->1544 1542->1544 1544->1509
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: acceptioctlsocket$closesockethtonlselect
                        • String ID:
                        • API String ID: 2003300010-0
                        • Opcode ID: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                        • Instruction ID: 473558a110dc64a5f3950c73dafba28d169e5a172813449c7ca566ab030f331a
                        • Opcode Fuzzy Hash: 54efb49355ab49030012f44656aa982b574d006ff9989bba4d15e008082401ba
                        • Instruction Fuzzy Hash: B29180B2A147929BE764DF25E9507AD33A1FB88798F000136DB8D47BA9DF38E564C700
                        Function 00007FFE0E13EC04 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 165networksleepCOMMONLIBRARYCODE
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1557 7ffe0e13ec04-7ffe0e13ec7b call 7ffe0e14f530 * 3 1564 7ffe0e13ec81-7ffe0e13ec99 call 7ffe0e1483d0 1557->1564 1565 7ffe0e13eeba-7ffe0e13eed2 1557->1565 1568 7ffe0e13ece8-7ffe0e13ecfe call 7ffe0e14f63c 1564->1568 1569 7ffe0e13ec9b-7ffe0e13eca2 1564->1569 1572 7ffe0e13ed03-7ffe0e13ed23 call 7ffe0e14f63c 1568->1572 1571 7ffe0e13eca5-7ffe0e13ecac 1569->1571 1571->1571 1573 7ffe0e13ecae-7ffe0e13ecb1 1571->1573 1578 7ffe0e13ed26-7ffe0e13ed2d 1572->1578 1573->1568 1575 7ffe0e13ecb3-7ffe0e13ece6 call 7ffe0e1431f4 call 7ffe0e14f63c call 7ffe0e14f530 1573->1575 1575->1572 1578->1578 1580 7ffe0e13ed2f-7ffe0e13ed6d call 7ffe0e14b454 call 7ffe0e147b38 1578->1580 1589 7ffe0e13ed6f-7ffe0e13eda1 call 7ffe0e142d70 call 7ffe0e142c0c 1580->1589 1590 7ffe0e13eda6-7ffe0e13edab 1580->1590 1589->1590 1591 7ffe0e13edae-7ffe0e13edb5 1590->1591 1591->1591 1593 7ffe0e13edb7-7ffe0e13edc2 1591->1593 1595 7ffe0e13edc4-7ffe0e13edd4 call 7ffe0e14f63c 1593->1595 1596 7ffe0e13edd6-7ffe0e13ede6 call 7ffe0e14f63c 1593->1596 1601 7ffe0e13edeb-7ffe0e13edf0 call 7ffe0e14e0fc 1595->1601 1596->1601 1604 7ffe0e13edf2-7ffe0e13ee48 call 7ffe0e14b454 HttpOpenRequestA call 7ffe0e13e918 1601->1604 1609 7ffe0e13ee4b-7ffe0e13ee53 1604->1609 1609->1609 1610 7ffe0e13ee55-7ffe0e13ee78 HttpSendRequestA call 7ffe0e13efbc 1609->1610 1613 7ffe0e13ee98 InternetCloseHandle 1610->1613 1614 7ffe0e13ee7a-7ffe0e13ee90 InternetCloseHandle Sleep 1610->1614 1616 7ffe0e13ee9e-7ffe0e13eeb5 call 7ffe0e1483c4 call 7ffe0e14e12c 1613->1616 1614->1604 1615 7ffe0e13ee96 1614->1615 1615->1616 1616->1565
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _snprintf$CloseHandleHttpInternetRequest$OpenSendSleep
                        • String ID: %s%s$*/*
                        • API String ID: 3787158362-856325523
                        • Opcode ID: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                        • Instruction ID: 043666dac65d964eca2f2c7245dfb070976d1f3183457f9274e35f0ec364ac09
                        • Opcode Fuzzy Hash: 74fcd7c73aed85367ed650ea4945df165b3c67cd5a727985712ddaae692fa4ee
                        • Instruction Fuzzy Hash: B4814DB2A08B8685EB109B65E4407F977A1FB88748F440133EA9E437B5DF3CE54AC740
                        Function 00007FFE0E1453E4 Relevance: 18.1, APIs: 12, Instructions: 105pipesleepfileCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$CountNamedPipeTick$CreateDisconnectFileHandleSleepStateWait
                        • String ID:
                        • API String ID: 34948862-0
                        • Opcode ID: 341130c136fd618ea16e4fd89061d9c08dc6fb9df6fe7754f90ebd89f48b5033
                        • Instruction ID: 36d1b9d91fce1f953331634a528927a897ee91ddc8947b7de2d2786e53bfab76
                        • Opcode Fuzzy Hash: 341130c136fd618ea16e4fd89061d9c08dc6fb9df6fe7754f90ebd89f48b5033
                        • Instruction Fuzzy Hash: 93418E72A08B0286F7109B61E85467D3362EB88BA4F504236DEAE47BF5DF3CD445C700
                        Function 00007FFE0E14FF6C Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE
                        Download Yara Rule

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 1776 7ffe0e14ff6c-7ffe0e14ff90 DecodePointer 1777 7ffe0e14ff92-7ffe0e14ff98 1776->1777 1778 7ffe0e14ffac-7ffe0e14ffc6 call 7ffe0e14f244 1776->1778 1779 7ffe0e14ffa5 1777->1779 1780 7ffe0e14ff9a-7ffe0e14ffa3 call 7ffe0e14f244 1777->1780 1785 7ffe0e14ffe2-7ffe0e150021 call 7ffe0e14f244 * 3 1778->1785 1786 7ffe0e14ffc8-7ffe0e14ffce 1778->1786 1779->1778 1780->1777 1780->1779 1797 7ffe0e150023-7ffe0e15002b 1785->1797 1798 7ffe0e150035-7ffe0e15004f EncodePointer 1785->1798 1787 7ffe0e14ffd0-7ffe0e14ffd9 call 7ffe0e14f244 1786->1787 1788 7ffe0e14ffdb 1786->1788 1787->1786 1787->1788 1788->1785 1797->1798 1799 7ffe0e15002d-7ffe0e150030 call 7ffe0e14f244 1797->1799 1800 7ffe0e15005e-7ffe0e150068 1798->1800 1801 7ffe0e150051-7ffe0e150056 call 7ffe0e14f244 1798->1801 1799->1798 1804 7ffe0e15006a-7ffe0e15006f call 7ffe0e14f244 1800->1804 1805 7ffe0e150077-7ffe0e150086 1800->1805 1801->1800 1804->1805 1808 7ffe0e1500a7-7ffe0e1500b1 1805->1808 1809 7ffe0e150088-7ffe0e150099 1805->1809 1809->1808 1810 7ffe0e15009b-7ffe0e1500a0 call 7ffe0e14f244 1809->1810 1810->1808
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                        • String ID:
                        • API String ID: 4099253644-0
                        • Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                        • Instruction ID: 00af54cd1f5cc6406e367452f288244c1a62474a29b7f4c8ae7eeef033712810
                        • Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
                        • Instruction Fuzzy Hash: 1131D266E09B4681FF54AB51E8547B923B0EF89B94F081637D9ED063B1CF7CE4868210
                        Function 00007FFE0E14FE10 Relevance: 18.1, APIs: 12, Instructions: 73COMMONLIBRARYCODE
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ApisByteCharErrorFileLastMultiPackagedWide__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 1138158220-0
                        • Opcode ID: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                        • Instruction ID: ce71a52eebca79dc5dcdb1e943421dc2269519d0f958111b0f84fc2f12225d14
                        • Opcode Fuzzy Hash: 05425721233f79f79091f3b96a0ee25a442efda7d0ba0e08876b468a33414fe7
                        • Instruction Fuzzy Hash: 0631AD62B08B0282FB20AB26A81433D66E1EF89B95F154636DA9D537F6DF3CE441C300
                        Function 00007FFE0E147308 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 73networkCOMMON
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$gethostbynamehtonsinet_addrselectsendto
                        • String ID: d
                        • API String ID: 1257931466-2564639436
                        • Opcode ID: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                        • Instruction ID: c4be44d6072b557e0b7ab9c5a438f3b6dcb7af8111bd41421b63741ce09259c4
                        • Opcode Fuzzy Hash: ab0c442174a33fd942d7502bed514c8ee7f8710e336f335b2024a32b2463658a
                        • Instruction Fuzzy Hash: 90317E72618B86C6E7208F61E8446AA77A4FB88B88F041137EECD47B74DF78D555CB40
                        Function 00007FFE0E156E1C Relevance: 16.6, APIs: 11, Instructions: 81COMMONLIBRARYCODE
                        Download Yara Rule

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 388111225-0
                        • Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                        • Instruction ID: 8c41c1efc6969c7e7efdd40c9ac3346b57dae4e56d4dbdbdf7d0b3ac6549a8e8
                        • Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
                        • Instruction Fuzzy Hash: 7A310133F09652C6E317AF61985127D2650AF817A0FD44237EAA9073F2CE7CE841C740
                        Function 00007FFE0E1471FC Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 57networksleepCOMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$ErrorLastSleepselectsend
                        • String ID: d
                        • API String ID: 2152284305-2564639436
                        • Opcode ID: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                        • Instruction ID: e92cee603297a011f3d5590ac4c198bec85c8ecb461ae5d839128022590f6a2f
                        • Opcode Fuzzy Hash: 968d1f127f461a1dbb27dc7435d3ebfca4b5ec6114cfb3c6d112f4c985c4520d
                        • Instruction Fuzzy Hash: 2F219F72A18B8282E7608F21F8486A97361FB84784F400136EBDD43BB5DF7CD454CB44
                        Function 00007FFE0E13FB08 Relevance: 15.1, APIs: 10, Instructions: 91sleepfilepipeCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CountErrorLastSleepTickWrite$BuffersDisconnectFlushNamedPipe
                        • String ID:
                        • API String ID: 3101085627-0
                        • Opcode ID: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                        • Instruction ID: eded0ad1c252e96f23b434f8df078d5a8189b17344101ba749ac8c16f94dd138
                        • Opcode Fuzzy Hash: 2fa90bf5de3d4daae598bfc7d95f016883deb1b957d31e82556552939848cc78
                        • Instruction Fuzzy Hash: 06415D62B08A4296EB109FB5E4946AC3361FB48B98F514137DE8D97A79DF3CD509C340
                        Function 00007FFE0E157A90 Relevance: 15.1, APIs: 10, Instructions: 67COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
                        • String ID:
                        • API String ID: 1078912150-0
                        • Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                        • Instruction ID: 78c87fdab2c46dddda8d959f3428134a19a9d52053ebdf70d3209f1df990b980
                        • Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
                        • Instruction Fuzzy Hash: B521BB23F0864286F7166F25D8463BD6662BF817A1F59423BEA9D072F2CE7CA8418750
                        Function 00007FFE0E157C08 Relevance: 15.1, APIs: 10, Instructions: 67COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
                        • String ID:
                        • API String ID: 2644381645-0
                        • Opcode ID: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                        • Instruction ID: ea575ee44f6b1ce04e62f0485ed1db4ec954335e71d3fca22f7f6c7b6d2cdeb2
                        • Opcode Fuzzy Hash: b12dde97457ee21ef34638bcae53c6e161a46aae09bdd653f8f5ca1ee8b86ca4
                        • Instruction Fuzzy Hash: C121B023F0855286F6166B15980637D6651AF80BB1F994737EABD073F2CF7CA4418B60
                        Function 00007FFE0E15FD50 Relevance: 13.6, APIs: 9, Instructions: 127COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 1812809483-0
                        • Opcode ID: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                        • Instruction ID: f9c1445891b33db82f1fc07758c77ea557cf22d7c80197b96a067736c54d2448
                        • Opcode Fuzzy Hash: f9c4d6ed39d3bdcb6b80e8c2d76cc2c0cca7aaaf292465ae2b9830194cf53d53
                        • Instruction Fuzzy Hash: 9A41D373F09293C5FB60AB1195402B922A1EF59B94FA14137EAD8477E6DF3CA8428700
                        Function 00007FFE0E146500 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: htons$ErrorLastclosesocketconnectgethostbynamehtonlioctlsocketsocket
                        • String ID:
                        • API String ID: 3339321253-0
                        • Opcode ID: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                        • Instruction ID: 7d15498b8c9d3f6d9b06eb21124d3bde161920ab9d0ff64659938cfbb7a2ba43
                        • Opcode Fuzzy Hash: 05f6a439e9e7b1774ef1c5ddc00099d5cfca8a0839fadce43f34e2615c209cd9
                        • Instruction Fuzzy Hash: AE3104A171879292EB349F21E8546BA6361FB44B98F040136DE8E077B9EE3CD54AC700
                        Function 00007FFE0E146B98 Relevance: 13.6, APIs: 9, Instructions: 72COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$freehtonlshutdown$ErrorLastacceptclosesocketioctlsocketmallocrecvfromselect
                        • String ID:
                        • API String ID: 3610715900-0
                        • Opcode ID: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                        • Instruction ID: 10f82a21b50f45764dd600c8739e427d9e2d5d28d5f3290c425ba1dfe1a42c92
                        • Opcode Fuzzy Hash: 1c403b153f4cdb51b3aa82c7904d7a2a385d985f1a2ac89a95e712731fd71160
                        • Instruction Fuzzy Hash: 8A312BA2A08B4382EB659F62E94413D22A0EF49F98F184537CACD477B5DF3CE8918701
                        Function 00007FFE0E156434 Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
                        • String ID:
                        • API String ID: 2464146582-0
                        • Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                        • Instruction ID: 0ec396fcc084ed20ed1902703671cf17f332565d3be0e0b57fb067cb902dab9f
                        • Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
                        • Instruction Fuzzy Hash: 5F21FF23F0C542C6F716AF24984537D2660AF80BA1F994236EA9C073F2CE7CA841C791
                        Function 00007FFE0E15A73C Relevance: 13.6, APIs: 9, Instructions: 63COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
                        • String ID:
                        • API String ID: 2927645455-0
                        • Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                        • Instruction ID: adb0f2e5c775d97a4e95849f54470a957918285d9346e2e5df540e0ff5bea731
                        • Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
                        • Instruction Fuzzy Hash: E721C323F88643C5F716AF65989527D2660AF81760F59023FDAAD072F2EE7CA881C354
                        Function 00007FFE0E155C58 Relevance: 13.6, APIs: 9, Instructions: 57COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
                        • String ID:
                        • API String ID: 2140805544-0
                        • Opcode ID: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                        • Instruction ID: bd48b202c6502a561a08ed9d2bff144c60a828e5b1b359ccff2a92b18d8e2a67
                        • Opcode Fuzzy Hash: 8f1e5b792f872c4dc36995a7bc6d01a3aafca90ffb12f932fc30e24f319e98c6
                        • Instruction Fuzzy Hash: DC11D323E08682C6F316AF65984537C2662AF81761FA90637D99E072F2DE7CA4418B10
                        Function 00007FFE0E143A64 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 113sleepprocesslibraryCOMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressCreateHandleModuleNextProcSleepSnapshotThread32Toolhelp32freemalloc
                        • String ID: NtQueueApcThread$ntdll
                        • API String ID: 1427994231-1374908105
                        • Opcode ID: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                        • Instruction ID: 4f13f7ee05bc5f53c5715715f24c5a278619a5977e3873edde64c87c05e00277
                        • Opcode Fuzzy Hash: 4682eb5fa987184764bf2e500015da157d39ace14d4a97c914713ac55f463483
                        • Instruction Fuzzy Hash: C4416BB2B09B4299EB10CB61E8402AD73A4FB48B88F544136DE9D57BA9EF38D545C740
                        Function 00007FFE0E15A348 Relevance: 12.1, APIs: 8, Instructions: 132COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CriticalSection$_lock$CountEnterInitializeLeaveSpin__lock_fhandle_calloc_crt_mtinitlocknum
                        • String ID:
                        • API String ID: 854778215-0
                        • Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                        • Instruction ID: 549c0258c1284a7dc009ae90a20c6eb0101ac985349dfb8c4cc8f71fb84eaa05
                        • Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
                        • Instruction Fuzzy Hash: BA51A933A58682C2EA208F10D444239A7A5FF94B98F19823ADADE477F5DF7CE851C700
                        Function 00007FFE0E13460C Relevance: 11.5, APIs: 9, Instructions: 201COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$malloc$_errno$_callnewh$AllocHeap
                        • String ID:
                        • API String ID: 3534990644-0
                        • Opcode ID: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                        • Instruction ID: 8946840100046989f65b4b5a667e5b8711c26c96fe6076007b077c5ed94b5ba6
                        • Opcode Fuzzy Hash: cc81e054d2004eb51c8bee4b84b58d4814fb308bd44c01250cbaa5dfc0e514d5
                        • Instruction Fuzzy Hash: 2B71E566B087C646EE249BB694407BA7791FF85BC8F004136DD9E47BA6DE3CE446C700
                        Function 00007FFE0E141478 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 128processCOMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCurrentDirectoryMultiWide$CreateErrorInfoLastLogonProcessStartupWithmalloc
                        • String ID: %s as %s\%s: %d
                        • API String ID: 3435635427-816037529
                        • Opcode ID: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                        • Instruction ID: 04b56d41ba5dd970719ee93e471225c511b515cad670415e66bce44ab8d61462
                        • Opcode Fuzzy Hash: bd007c1fecfa8e9c64263907c3ef2a9985436de431c3054d3c53bc822cf7e9f1
                        • Instruction Fuzzy Hash: A5513E72708B8286D750DB16B84069AB7A5FB89B84F044036EECD47B6ADF3CD055CB00
                        Function 00007FFE0E14E98C Relevance: 10.6, APIs: 7, Instructions: 79COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$OpenProcessToken
                        • String ID:
                        • API String ID: 2009710997-0
                        • Opcode ID: 10fd636a6ff57dda84e789d1aa0c37ea0400f486ec7234268ec0d1e4ef0ac4b9
                        • Instruction ID: 3747dc2beb9d9e3f6adfea0c59b735b20fca4e5ca1bee00c91ca523df2584cd4
                        • Opcode Fuzzy Hash: 10fd636a6ff57dda84e789d1aa0c37ea0400f486ec7234268ec0d1e4ef0ac4b9
                        • Instruction Fuzzy Hash: A1318065B0C70342FB10AB62E45477AA691FF89BD4F14403AEA8E477B6DE3CE445CA80
                        Function 00007FFE0E15FBD0 Relevance: 10.6, APIs: 7, Instructions: 72COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 3191669884-0
                        • Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                        • Instruction ID: 3bcdf9789fb9c4ddf72e80dc33e09bbdff5f10cbe82abcb78eed1d5be3f2014c
                        • Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
                        • Instruction Fuzzy Hash: 0C318073B08785C5E7619B119444A6DA6A5FB48BE0F944132EEDC07BE5CF78E942CB00
                        Function 00007FFE0E14596C Relevance: 10.6, APIs: 7, Instructions: 52COMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTickioctlsocket
                        • String ID:
                        • API String ID: 3686034022-0
                        • Opcode ID: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                        • Instruction ID: 5a4a0e0203bc1eaec4d510e9eaed9e8dc479fb89fa557dc02c72306e2259c780
                        • Opcode Fuzzy Hash: 178b23397deac81d3d51abbf71857af196517098d1f0b7b181b2ee049de2b99e
                        • Instruction Fuzzy Hash: 4111C462A0868347F7208B69E8441797361EF84BA4F600236DADE866F1DF7CE889C710
                        Function 00007FFE0E140AA0 Relevance: 10.5, APIs: 7, Instructions: 45pipethreadfileCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: NamedPipe$Thread$ClientConnectCurrentDisconnectErrorFileImpersonateLastOpenReadToken
                        • String ID:
                        • API String ID: 4232080776-0
                        • Opcode ID: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                        • Instruction ID: b4cfaa3bab02eccdfa5c57838f4ed0b3f95cf6e5fa2ba96f03729c7e133f53cb
                        • Opcode Fuzzy Hash: ef7db9755eefa0db9f7ee1ec6e209610e40617530726d74f2edde71b678aab6d
                        • Instruction Fuzzy Hash: C0212965E1C64386FB509B22E85477923A1FF98B84F844537C9CD826B1CF3CE449C726
                        Function 00007FFE0E150B10 Relevance: 9.2, APIs: 6, Instructions: 166COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
                        • String ID:
                        • API String ID: 2328795619-0
                        • Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                        • Instruction ID: c5cb339e7020249da4947ce06245de689d8b98f1c8e3732918a56864a6bde4b6
                        • Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
                        • Instruction Fuzzy Hash: 30511423B0C242C6FA248AA655505796690BF49BF4F144736EEBD43BF5CF3CF4918640
                        Function 00007FFE0E141694 Relevance: 9.1, APIs: 6, Instructions: 126COMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_invalid_parameter_noinfomalloc$fseek$AllocFullHeapNamePath_callnewh_fseek_nolock_ftelli64fclosehtonl
                        • String ID:
                        • API String ID: 3587854850-0
                        • Opcode ID: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                        • Instruction ID: f1e74b4f6bfefcd8c1897ec92948d3f2190e64fc6ec2b8459bb38572750cdb29
                        • Opcode Fuzzy Hash: f2abbbf20f3530519e2fbcb7cf3f65dd4e7c47c251f31922550871d18ad798e2
                        • Instruction Fuzzy Hash: CE419062B1965282EB10EB22E4145BD6251FFC9BD0F508137EE9E47BE6DE3CD545C700
                        Function 00007FFE0E145C60 Relevance: 9.1, APIs: 6, Instructions: 113COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        • GetACP.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFE0E13CC89), ref: 00007FFE0E145C78
                        • GetOEMCP.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFE0E13CC89), ref: 00007FFE0E145C82
                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFE0E13CC89), ref: 00007FFE0E145CA8
                        • GetTickCount.KERNEL32 ref: 00007FFE0E145CB0
                        • GetCurrentProcess.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFE0E13CC89), ref: 00007FFE0E145CEC
                          • Part of subcall function 00007FFE0E140C64: GetModuleHandleA.KERNEL32 ref: 00007FFE0E140C79
                          • Part of subcall function 00007FFE0E140C64: GetProcAddress.KERNEL32 ref: 00007FFE0E140C89
                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000001,00007FFE0E13CC89), ref: 00007FFE0E145D5E
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess$AddressCountHandleModuleProcTick_getptd
                        • String ID:
                        • API String ID: 3426420785-0
                        • Opcode ID: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                        • Instruction ID: bcd27455f72537cec03a10a4509c8d8e1d312260e9b866134f2d7d062dcc2de0
                        • Opcode Fuzzy Hash: cace55278df1f4be28c563725835e26b24be87b65be8dda4f354c1bcfac1d593
                        • Instruction Fuzzy Hash: DA416A62B1871295FB10EB71D8456F923A1AF88794F404433EE8D576B6EE3CE50AC750
                        Function 00007FFE0E13EA48 Relevance: 9.1, APIs: 6, Instructions: 109networkCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$Option$ConnectOpenRevertSelf
                        • String ID:
                        • API String ID: 1513466045-0
                        • Opcode ID: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                        • Instruction ID: ff79fbb9ec00c174e2551160d10d63c220f4f2914c6f15463b223373309e81fa
                        • Opcode Fuzzy Hash: a9b8b553a89bf16a576f3c9bc92d43a984d256c5d92c920833b48d6b9218c37a
                        • Instruction Fuzzy Hash: A0416B75A0878382EB249B65E455AB97761FB84B88F044037DACE17BB6DF3CE545C700
                        Function 00007FFE0E146F2C Relevance: 9.1, APIs: 6, Instructions: 99networkCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$AllocErrorHeapLast_callnewhhtonlmallocrecvfrom
                        • String ID:
                        • API String ID: 2310505145-0
                        • Opcode ID: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                        • Instruction ID: 78df5494d27b50ffc214ba63d5cf335e46c7f2a979ce4b6053f8fd470a14b44a
                        • Opcode Fuzzy Hash: 2261c4ce2f877d491e78f0891c545d8b3f459d63dae9fe63479e894e722204df
                        • Instruction Fuzzy Hash: F54150B2A0978282EB118F25E45462E67A1FF85B99F144237DACD477B4DF3DD481CB40
                        Function 00007FFE0E1479C4 Relevance: 9.1, APIs: 6, Instructions: 96threadCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess$ErrorLast$AttributeProcThreadUpdate
                        • String ID:
                        • API String ID: 1014270282-0
                        • Opcode ID: 0cb4279866ef29e982ae4f369d0c6812c9ca3a69e5fd7e451e0c486501f78930
                        • Instruction ID: 7829b48e46ad725cd9dd0d05f0613915db57048b5c28758a3f706dea073970be
                        • Opcode Fuzzy Hash: 0cb4279866ef29e982ae4f369d0c6812c9ca3a69e5fd7e451e0c486501f78930
                        • Instruction Fuzzy Hash: 7F417172A1978186FB109F52E4043A9B7A1FB89BD4F18453AEACD43BA5DF3CD605C740
                        Function 00007FFE0E150620 Relevance: 9.1, APIs: 6, Instructions: 65COMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
                        • String ID:
                        • API String ID: 1547050394-0
                        • Opcode ID: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                        • Instruction ID: f62caf3a18c7352f39abe7697c9c83d633c0ddc14346bc35448ebcebc366ab77
                        • Opcode Fuzzy Hash: e39adbfa2b2f6f7307badbfd63093f86f5a875a8f375d579bd57b533050ef8dc
                        • Instruction Fuzzy Hash: A121C3A3B1C683C5FB519B61990127E62A1BF49BC0F444433EACC97BA6DF3CE4009700
                        Function 00007FFE0E13FC64 Relevance: 9.1, APIs: 6, Instructions: 58fileCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$ErrorHeapLastfree$AllocFree_callnewhfclosefwritemalloc
                        • String ID:
                        • API String ID: 1616846154-0
                        • Opcode ID: 8c7c721236fbcb9524ede4000f702344c776a949a9befbcc7880e8398d8c76ab
                        • Instruction ID: 4fdba10dd3e5d39dbe9dcaabb07ea8946c9a4dfc647e11015ea1114117c868b9
                        • Opcode Fuzzy Hash: 8c7c721236fbcb9524ede4000f702344c776a949a9befbcc7880e8398d8c76ab
                        • Instruction Fuzzy Hash: A9117295F0CB4281EA10E762A0551BE6251EF89BE4F444237EEED47BEBDE3CD5028740
                        Function 00007FFE0E144488 Relevance: 9.1, APIs: 6, Instructions: 51pipefileCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: NamedPipe$ErrorLast$CreateDisconnectFileHandleStateWait
                        • String ID:
                        • API String ID: 3798860377-0
                        • Opcode ID: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                        • Instruction ID: 9a7d337bcd5e7eda35f6bba3415eb6a947f66821d94a8f0c07cac65cc361007c
                        • Opcode Fuzzy Hash: 66f56032a1747051bfe9465942bea2b3a251e1270fb13d2c0e90442697245dfd
                        • Instruction Fuzzy Hash: 11118E62A0CB5282FB109B25F51473A62A1FB84BE4F444236EAAE47BB5CF7CD4458B01
                        Function 00007FFE0E14EFEC Relevance: 9.0, APIs: 5, Strings: 1, Instructions: 45COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        • HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d, xrefs: 00007FFE0E14F044
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errnomalloc$_callnewh$AllocHeap_invalid_parameter_noinfo_snprintf
                        • String ID: HTTP/1.1 200 OKContent-Type: application/octet-streamContent-Length: %d
                        • API String ID: 3518644649-2739389480
                        • Opcode ID: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                        • Instruction ID: c0b8c6966640ee1a6da7de203f937a70e3fbf182d1f2824173ffb4a9baa6f559
                        • Opcode Fuzzy Hash: afba7a99536ed02a45dac5d500ee5d86b7940ec366185a31927e6e9a708e28fc
                        • Instruction Fuzzy Hash: 5201C875B09B9141EA44DB52B40466A7699FB8CFD0F15523AFEED477D6CE3CC0428740
                        Function 00007FFE0E1431F4 Relevance: 8.9, APIs: 7, Instructions: 181stringCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: freemallocstrchr$rand
                        • String ID:
                        • API String ID: 1305919620-0
                        • Opcode ID: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                        • Instruction ID: bf5f8c69945fefdb7a5aa32e6390a0d50f04c668529bdaad5c2f92a0192500c4
                        • Opcode Fuzzy Hash: 5dd9697f37be70f43a9dfb8e879823c33dc0761040d61eac182ad5eba971c26a
                        • Instruction Fuzzy Hash: E671FAA2B0CFC541FA269B29A4113FAA390EF99B94F085136DBDD177B6DE2DD1438700
                        Function 00007FFE0E134170 Relevance: 8.9, APIs: 7, Instructions: 115COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_callnewhmalloc$AllocHeap
                        • String ID:
                        • API String ID: 996410232-0
                        • Opcode ID: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                        • Instruction ID: 4966c476943dde7f79703ad092cf1d3ae2c02e5d5503d5e76ab2596c3e5ba8ef
                        • Opcode Fuzzy Hash: 6118db362e25067081320d314af47720c2282f168c26b715ed83619844a1cd4b
                        • Instruction Fuzzy Hash: 9141D021B08B878BFA659B76A95057E37A0FB49B80F404132DEAE17765DF3CE426C300
                        Function 00007FFE0E13F274 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: htonl$freemalloc
                        • String ID: zyxwvutsrqponmlk
                        • API String ID: 1249573706-3884694604
                        • Opcode ID: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                        • Instruction ID: 466dc70d1e856908aad833844090340c827d03d1283882308b62d6dd543c95f2
                        • Opcode Fuzzy Hash: 71d646e4bb8b7e31db9a3308653b2d67bec3fe39b167032709c668510024000a
                        • Instruction Fuzzy Hash: 9931F462B0974242EB14EB76A4516B9BAD1DF88BC0F044036EEDE477B7EE3CE5068300
                        Function 00007FFE0E143FA4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85libraryloaderCOMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CurrentProcess$AddressErrorHandleLastModuleProc
                        • String ID: NtMapViewOfSection$ntdll.dll
                        • API String ID: 1006775078-3170647572
                        • Opcode ID: 868c7ab08dff2991da44dabb64f48b116913dc7f1fa1e2d31966cfe3fdcf82bf
                        • Instruction ID: 2ae137ac1fedda00c0ab25288d5d4bdbcea820f9967754397cb9ba8bee029dee
                        • Opcode Fuzzy Hash: 868c7ab08dff2991da44dabb64f48b116913dc7f1fa1e2d31966cfe3fdcf82bf
                        • Instruction Fuzzy Hash: 6831A162B1974682EB109B61A4557BA63A0FB88BA4F040336EEAD07BE6DF7CD4458740
                        Function 00007FFE0E141FB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30COMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$remove$AllocHeap_callnewh_invalid_parameter_noinfo_snprintfmalloc
                        • String ID: %s\%s
                        • API String ID: 1896346573-4073750446
                        • Opcode ID: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                        • Instruction ID: 4e354cb2f167d59256861a677d03d1f27a4e83234e026f4f7cf9945432825bc7
                        • Opcode Fuzzy Hash: 6cb8594f6045d264f6437138ccf0bddfe367ceba4f17556bef63a27e1bb3b346
                        • Instruction Fuzzy Hash: 79F06DA6A0DB4285E2109B11B8102BEA260EB88BD0F584532FFCC17BB6CE3CD4518744
                        Function 00007FFE0E13CA74 Relevance: 7.8, APIs: 6, Instructions: 296COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc$_snprintf$_errno_time64freehtonlstrtok$AllocExitHeapLocalSleepThreadTime_callnewhrealloc
                        • String ID:
                        • API String ID: 548016584-0
                        • Opcode ID: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                        • Instruction ID: d0249793b5e1f5004e88e32e339b5572ff5fd776396706104397c1b2dde1a9bb
                        • Opcode Fuzzy Hash: 2bc6c26e52030706472ef6675f80d589c4fc0031a0de3ea0680d9c9adc863854
                        • Instruction Fuzzy Hash: 63C178A1B0838342FA14AB76A851AFA7291EF85780F445037EADE577F7DE3CE4068750
                        Function 00007FFE0E1400F8 Relevance: 7.6, APIs: 5, Instructions: 133COMMON
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                        • Instruction ID: 74bc37845eea4a2a2faf431d9ed110b7a6d6fe6a7304ab1088fd29b47423d209
                        • Opcode Fuzzy Hash: 59c4576cc3bafda9519a74292b63c923cc8fd4fa7f2b0ae73700a3254d899919
                        • Instruction Fuzzy Hash: 2951C1A2F08B4296EB10EB65C4412FD6360EF99B88F419136EF8E177A6DE3CE545C740
                        Function 00007FFE0E1354F0 Relevance: 7.6, APIs: 6, Instructions: 114COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_callnewhmalloc$AllocHeap
                        • String ID:
                        • API String ID: 996410232-0
                        • Opcode ID: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                        • Instruction ID: 46bf6739a819da19b3a88cb8d7741eafb0c8b350524eddd3a449c13ee5c8c203
                        • Opcode Fuzzy Hash: de79741046cbe64d3bb630df06faae11b500053710235a4762571f6057312210
                        • Instruction Fuzzy Hash: A841C262B0878646FA15DB36580057A77A6FB99FC8F194032DDA94B762DE3CE40AC300
                        Function 00007FFE0E15239C Relevance: 7.6, APIs: 5, Instructions: 114COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
                        • String ID:
                        • API String ID: 304646821-0
                        • Opcode ID: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
                        • Instruction ID: b87a22a6169f8bacf983588fe7fa97f7026ab19da86cd34ecab242759be07dc1
                        • Opcode Fuzzy Hash: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
                        • Instruction Fuzzy Hash: 68419E73A18646CAEB689F28C45127C36B1EB44B94F144236DAED473F6DE7CE851C780
                        Function 00007FFE0E142D70 Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 94stringCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: strchr$_snprintfmalloc$_errno_invalid_parameter_noinforand
                        • String ID: %s&%s$?%s
                        • API String ID: 1095232423-1750478248
                        • Opcode ID: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                        • Instruction ID: 58b5c8942089e5e3c042b29dc29703709b23bf2e55b6bc68fa5c244c915a5238
                        • Opcode Fuzzy Hash: 7c8d9433ae2b1aa8ac26fc6f099732b3782b91ff34ed5625b9a0d50b015d32b5
                        • Instruction Fuzzy Hash: 384145A6708F8191EA119B2AD1451F8A3A0FF98B95F045532EF8D67B71DF38E1A2C340
                        Function 00007FFE0E15AC98 Relevance: 7.6, APIs: 5, Instructions: 93COMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                        • String ID:
                        • API String ID: 2998201375-0
                        • Opcode ID: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                        • Instruction ID: e40acf79e419b7dc944376a041c27b7025557eff698922c9d58eebb4dbc17479
                        • Opcode Fuzzy Hash: bc69b486777a6b9bad5038bbf0975aad08e47f38b0eed12a125a0790956d64d5
                        • Instruction Fuzzy Hash: AA418E32608782C6E7609F15E180279ABA5EF85B90F184236EBCD57BA5DF3CE8418B00
                        Function 00007FFE0E15A5EC Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _getptd_noexit$__doserrno_errno
                        • String ID:
                        • API String ID: 2964073243-0
                        • Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                        • Instruction ID: 01c3a8c9e76231211e5dbc9403a3cd5322ba2c723e649e0efb7358ea891d80c9
                        • Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
                        • Instruction Fuzzy Hash: 05018C63F4AA06C5FA1A6B24C89137C22619F51B32FA14333D5BD073F2DF7C64418A11
                        Function 00007FFE0E13D83C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 135COMMONLIBRARYCODE
                        Download Yara Rule
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: %s!%s
                        • API String ID: 0-2935588013
                        • Opcode ID: 11c79b581c41a901bf94dbe351f3c8b8a36ef020f7db61bed265b6392c07ab58
                        • Instruction ID: e3fbc2e1c07c88d34cfdc5d15b43a9ae6ba6857829d29f3cabe8d5065e14306a
                        • Opcode Fuzzy Hash: 11c79b581c41a901bf94dbe351f3c8b8a36ef020f7db61bed265b6392c07ab58
                        • Instruction Fuzzy Hash: 2A516EA6A0864286EB649F61E0005B973A1FB89B94F448037EFCF577A5DF3CE942C704
                        Function 00007FFE0E142818 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 93sleeppipeCOMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$CreateInfoPipeSleepStartup
                        • String ID: h
                        • API String ID: 1809008225-2439710439
                        • Opcode ID: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                        • Instruction ID: 81114273005c728951033e792a26032554ea2d9c8324ffac217f8dfb0f1bd968
                        • Opcode Fuzzy Hash: 4e35baa7647db691c7f670eac516f3e1fc872cfd04f6cc2549e4bc2b31640604
                        • Instruction Fuzzy Hash: 00417C72A08B858AE710CF65E84069EB7B5F788798F504126EF9C53BA8DF38D546CB40
                        Function 00007FFE0E14E1D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AccountInformationLookupToken_snprintf
                        • String ID: %s\%s
                        • API String ID: 2107350476-4073750446
                        • Opcode ID: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                        • Instruction ID: 3c08070803c9bbb17aba9269bb1a1d72f631293002283c2da9f2e39739ce1c79
                        • Opcode Fuzzy Hash: 3628ba452fb9f12347beb94bf517dfb845e986fa94d428b7ed87531c0f30446e
                        • Instruction Fuzzy Hash: 38312572608FC295EB24CF61E8446EA6364FB88B88F444136EACD57B69DF3CD206C740
                        Function 00007FFE0E144224 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41libraryloaderCOMMON
                        Download Yara Rule
                        APIs
                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFE0E1436B0), ref: 00007FFE0E14424E
                        • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FFE0E1436B0), ref: 00007FFE0E14425E
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: RtlCreateUserThread$ntdll.dll
                        • API String ID: 1646373207-2935400652
                        • Opcode ID: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                        • Instruction ID: 4f38c4dac1357ec0ae5761283fc76946a59aba75b24e39a743c0b6916ee7bff1
                        • Opcode Fuzzy Hash: ec9d2d620c63392f70290ebc437f8ca1b743032b52a150f3fdfac3901f9a5ced
                        • Instruction Fuzzy Hash: 06112D32618B9282EB20CF51F884559B7B8FB98BC0F998136EADD43B24DF38D595C700
                        Function 00007FFE0E143C0C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37libraryloaderCOMMON
                        Download Yara Rule
                        APIs
                        • GetModuleHandleA.KERNEL32(?,?,?,?,?,00007FFE0E1435E0,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFE0E143C30
                        • GetProcAddress.KERNEL32(?,?,?,?,?,00007FFE0E1435E0,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FFE0E143C40
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: NtQueueApcThread$ntdll
                        • API String ID: 1646373207-1374908105
                        • Opcode ID: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                        • Instruction ID: d75b04899b491fb7b78aac5f7c4a34f57e07820924963ce52b3874e9723b21ef
                        • Opcode Fuzzy Hash: 2536bb9452705a2f6e7169ceafa1b416df13a56cc0cf1ef56e7307e0eec9c158
                        • Instruction Fuzzy Hash: CD018F65B08B4382EA008B52F84406AA3A0EB99BD0B944537DEAC43BB5DF3CE491C300
                        Function 00007FFE0E140C64 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20libraryloaderCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: IsWow64Process$kernel32
                        • API String ID: 1646373207-3789238822
                        • Opcode ID: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                        • Instruction ID: 917f0af6b81483512005916cf78eec4dfd0a6215a4496b2342d36ee6f8936acd
                        • Opcode Fuzzy Hash: ec429c199b0f6375f9f9bb3acfabef0345e96e1c9904636b59857b424156df6f
                        • Instruction Fuzzy Hash: 2EE01261B2974382EE448B56E894A756360EF98795F481032D98F46375EF3CD589CB00
                        Function 00007FFE0E1420AC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: Wow64DisableWow64FsRedirection$kernel32
                        • API String ID: 1646373207-736604160
                        • Opcode ID: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                        • Instruction ID: 48ac31e3c80625e4074c3b31971686956c3d73566173e09c1159daadd2167c3f
                        • Opcode Fuzzy Hash: ee7ac246b15703f1bae1af517107d06ce80ae1fd60a4afa284d23f3dc5206b46
                        • Instruction Fuzzy Hash: 9AD09E50F5560781FE159B92B8544786360AF59B81B481037C99E0A371EE3CE5DAC314
                        Function 00007FFE0E1420E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 15libraryloaderCOMMON
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressHandleModuleProc
                        • String ID: Wow64RevertWow64FsRedirection$kernel32
                        • API String ID: 1646373207-3900151262
                        • Opcode ID: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                        • Instruction ID: fa5e8786a78b04c9a963429a3028cfa9bfb3b1f677f1eda00373f405c9836e5f
                        • Opcode Fuzzy Hash: 319746fa707029ab9a73eb8f742d9554a97dfc1dcddc658422bf1e3b845b0c79
                        • Instruction Fuzzy Hash: 86D09E50F5564781FE199B92BC5547463A0AF5DF81B581036C99E0A371EE3CE5D9C310
                        Function 00007FFE0E14BFC0 Relevance: 6.1, APIs: 4, Instructions: 140COMMONLIBRARYCODE
                        Download Yara Rule
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                        • Instruction ID: 6e6695e201bfc074a0bce276b24d5f5d35c3eba744eb903391e1d2468cd19652
                        • Opcode Fuzzy Hash: 1dde0bc93da3cc204cab392ef88660b8feabc790641522e6986fd432b01f6e40
                        • Instruction Fuzzy Hash: FD618BB6A4A746C6F7188B28A84527872A0EF99F54F24413BD9DD473B1CF3DE4818B80
                        Function 00007FFE0E15062C Relevance: 6.1, APIs: 4, Instructions: 124COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
                        • String ID:
                        • API String ID: 634798775-0
                        • Opcode ID: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                        • Instruction ID: 546102a51372446aec0521c8b03b6272143593ce2d91e657e347351eaa6d59fa
                        • Opcode Fuzzy Hash: 09bfc7a718d0a166204737d50e50cc52c68c3e2e3a0cecd9edcc1235780d4021
                        • Instruction Fuzzy Hash: 6141F623B08642C6FA649AA2594427AB691BF4CFD0F184236DEEE477F1DE7CE4819640
                        Function 00007FFE0E144A04 Relevance: 6.1, APIs: 4, Instructions: 80synchronizationCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        • malloc.LIBCMT ref: 00007FFE0E144A45
                          • Part of subcall function 00007FFE0E14F284: _FF_MSGBANNER.LIBCMT ref: 00007FFE0E14F2B4
                          • Part of subcall function 00007FFE0E14F284: _NMSG_WRITE.LIBCMT ref: 00007FFE0E14F2BE
                          • Part of subcall function 00007FFE0E14F284: HeapAlloc.KERNEL32(?,?,?,00007FFE0E14600D,?,?,?,00007FFE0E14B4A0,?,?,?,?,?,?,?,00000001), ref: 00007FFE0E14F2D9
                          • Part of subcall function 00007FFE0E14F284: _callnewh.LIBCMT ref: 00007FFE0E14F2F2
                          • Part of subcall function 00007FFE0E14F284: _errno.LIBCMT ref: 00007FFE0E14F2FD
                          • Part of subcall function 00007FFE0E14F284: _errno.LIBCMT ref: 00007FFE0E14F308
                        • htonl.WS2_32 ref: 00007FFE0E144A5B
                          • Part of subcall function 00007FFE0E144C44: PeekNamedPipe.KERNEL32 ref: 00007FFE0E144C7C
                        • WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00007FFE0E13CDE9,?,?,?,?,?,?,?,?,?,00000001,?,00007FFE0E1494B9), ref: 00007FFE0E144AB6
                        • free.LIBCMT ref: 00007FFE0E144AF2
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno$AllocHeapNamedObjectPeekPipeSingleWait_callnewhfreehtonlmalloc
                        • String ID:
                        • API String ID: 2495333179-0
                        • Opcode ID: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                        • Instruction ID: ab15354ff5091c63738e49e97f2a53a687acee38e0221ac570df0b298daf57b3
                        • Opcode Fuzzy Hash: 92903f8e34bb86019301daba1a442a9bec2b61465fa0227abaf91983d09bc4f7
                        • Instruction Fuzzy Hash: 6E31C4A6A0875281E754DF22A54027963E5FF48B88F194536DEAE077B5DF3CE881C344
                        Function 00007FFE0E14C230 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Timestrtok$FileSystem_getptd_time64malloc
                        • String ID:
                        • API String ID: 460628555-0
                        • Opcode ID: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                        • Instruction ID: 255ec65e3a1a28ceb1703f591dc752172eec31ada986c6f3641a5176973636b8
                        • Opcode Fuzzy Hash: 2fe16f1730b9e72f7102dc70ee842add604a2edc5f5efba699c173ab423aa684
                        • Instruction Fuzzy Hash: 7121B4B7A05B9581EB00CF91E0845B977A8FB88BD4B165276EE9E477A2CF38D4418780
                        Function 00007FFE0E15F5D8 Relevance: 6.1, APIs: 4, Instructions: 62stringCOMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: Locale$UpdateUpdate::___updatetlocinfo__updatetmbcinfo_errno_getptd_getptd_noexit_invalid_parameter_noinfostrchr
                        • String ID:
                        • API String ID: 4151157258-0
                        • Opcode ID: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                        • Instruction ID: 53ae527ba50cdcb25e1bc2352241cf7cffed48eb15c7f6b15108bd4af14c7500
                        • Opcode Fuzzy Hash: 981429a1da204f704ed88d261ee2d43387d2cfac4902a0026a6358d448239ec3
                        • Instruction Fuzzy Hash: 4721D263B0D2A2D1EB614615905023DA6D0EB88BD4F584133EAEE0BAF5DF6CD4438710
                        Function 00007FFE0E1310D0 Relevance: 6.1, APIs: 4, Instructions: 62COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: clock
                        • String ID:
                        • API String ID: 3195780754-0
                        • Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                        • Instruction ID: bf13b6ff4562ad0551cfcf57b2c3dc3179891ed42aaf1df8ba7c97f516c6f675
                        • Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
                        • Instruction Fuzzy Hash: 5C11E323F0878655E7B09E7669405BBB690BF84394F190132EECC43666ED79EC828A00
                        Function 00007FFE0E14EF5C Relevance: 6.0, APIs: 4, Instructions: 39networkCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$closesocketsend$accept
                        • String ID:
                        • API String ID: 47150829-0
                        • Opcode ID: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                        • Instruction ID: 05bad1485197b05c5bfcb59b3117c6f36ffc8981b3fc4735bfcb3bdf66c0d35e
                        • Opcode Fuzzy Hash: caadc6cbf8b8aa9901aecb44ddbc265dbb6e74dc9ec5a2b89a727a9022558361
                        • Instruction Fuzzy Hash: 2901B565B18A4341EB649B32E56597D2361FF89FF4F049232DEAA077B5CE3CD0818B00
                        Function 00007FFE0E1453EC Relevance: 6.0, APIs: 4, Instructions: 34sleeppipeCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$NamedPeekPipeSleep
                        • String ID:
                        • API String ID: 1593283408-0
                        • Opcode ID: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                        • Instruction ID: 9af4d16dc5a9a65e8a8e147aea87127853c1fc4c24493bfb391065033edf29fb
                        • Opcode Fuzzy Hash: 210e21c30d6d06447862c16b29a5b20d0c0fb279467bc43041b9c33569e9406a
                        • Instruction Fuzzy Hash: 48018661A1CB5683F7208725F84432AA6A2FF85B85F684136DBCD46BB4EE3CD491C705
                        Function 00007FFE0E1448D8 Relevance: 6.0, APIs: 4, Instructions: 32sleeppipeCOMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: CountTick$NamedPeekPipeSleep
                        • String ID:
                        • API String ID: 1593283408-0
                        • Opcode ID: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                        • Instruction ID: 9dbfda1d36d8424f903e84d24f1816194c818e845711d88d5e6a501a851e9c6e
                        • Opcode Fuzzy Hash: aac62254f3a365505a6a564a1f05aa253f383d98e2b7473c1e2f14b721fad9df
                        • Instruction Fuzzy Hash: 0B01AD32A18A4382F3208B14F84432AB2A0EB89B80F244135DBC902A75DF3CC891CB04
                        Function 00007FFE0E14F098 Relevance: 6.0, APIs: 4, Instructions: 15COMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$ErrorFreeHeapLast_errnoclosesocket
                        • String ID:
                        • API String ID: 1525665891-0
                        • Opcode ID: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                        • Instruction ID: 6dec79b3627f708cd6104b9f6b7709e3102fcfd8babd3bfeafb3ab9024558fdc
                        • Opcode Fuzzy Hash: 514671407b84a75ab4a957943dd5047acaa779434bbb8d29509bbfd64e64c7a5
                        • Instruction Fuzzy Hash: 54E04CA5B1894581EA14EB62D8654791230EB9CF98B141032DEAE463B68D68D456C344
                        Function 00007FFE0E14F860 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: _errno_getptd_noexit_invalid_parameter_noinfo
                        • String ID: B
                        • API String ID: 1812809483-1255198513
                        • Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                        • Instruction ID: fd7ead27c820e24fb26a892b0376a5b2501296af7f3e0a7baa91d2c6882256e8
                        • Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
                        • Instruction Fuzzy Hash: C01182B2B14B4185EB109B12D4443A97660FB98FE4F644332EB9C0BBA5CF3CD141CB00
                        Function 00007FFE0E131CC4 Relevance: 5.3, APIs: 4, Instructions: 261COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$_calloc_implcalloc
                        • String ID:
                        • API String ID: 4000150058-0
                        • Opcode ID: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                        • Instruction ID: 6281dfabd3cf67cea4062f160a2debb8d8b35cd43b03bde69fa76d8f54c5f0fe
                        • Opcode Fuzzy Hash: 098b9973f943fd418b7180529354ef0ede5274538db457ffc537a6b083c63ad8
                        • Instruction Fuzzy Hash: 76C10836608B858AE764CF65E48479E77A4F788B88F10413AEBCD87B68DF38D455CB00
                        Function 00007FFE0E14AD44 Relevance: 5.2, APIs: 4, Instructions: 155COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: free$_errno$AllocHeap_callnewhmalloc
                        • String ID:
                        • API String ID: 3531731211-0
                        • Opcode ID: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                        • Instruction ID: a43f2ce2f7769e43245ba289d11f888c5351b2be797ec868794f1c1c616a9f85
                        • Opcode Fuzzy Hash: 12a82f6075b3f1b1b37aa8f48911ccb92805a6f06572296fb4e409a8028c0c4a
                        • Instruction Fuzzy Hash: AF51CEA6B0870781EA18AB2194500BD73A1FF84B84F150537EEDE17BB6EF7DE5428300
                        Function 00007FFE0E134300 Relevance: 5.1, APIs: 4, Instructions: 112COMMONLIBRARYCODE
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: malloc
                        • String ID:
                        • API String ID: 2803490479-0
                        • Opcode ID: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                        • Instruction ID: d0403f898edc68af6901aeacdc9a228f39ec9e502614475be4d56cf80f113817
                        • Opcode Fuzzy Hash: 1a29f9ba763a41af98fc3daf4a760b7fafa00e022ffdaa07ef0aba0b6fdaf4ad
                        • Instruction Fuzzy Hash: 1A417022B0878287EB54DB36A41057E73A1FB84B88F444536DEAE47BA5EF3CE8058700
                        Function 00007FFE0E141038 Relevance: 5.1, APIs: 4, Instructions: 109COMMON
                        Download Yara Rule
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1982832363.00007FFE0E131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FFE0E130000, based on PE: true
                        • Associated: 00000003.00000002.1982820280.00007FFE0E130000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982856008.00007FFE0E162000.00000002.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982872117.00007FFE0E172000.00000008.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982884370.00007FFE0E178000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982896706.00007FFE0E17E000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982908790.00007FFE0E183000.00000004.00000001.01000000.00000003.sdmpDownload File
                        • Associated: 00000003.00000002.1982920668.00007FFE0E184000.00000002.00000001.01000000.00000003.sdmpDownload File
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffe0e130000_rundll32.jbxd
                        Yara matches
                        Similarity
                        • API ID: ErrorLast$CurrentProcessfreemalloc
                        • String ID:
                        • API String ID: 1397824077-0
                        • Opcode ID: 0df9c81f0b9eec500472e39839fc2f1b129e603cc236899a7b86f6cba6f9b6ee
                        • Instruction ID: 03d612d844bf847fda2927947e4a6f7c1bd54030fe0eb39b28ccd57175097c58
                        • Opcode Fuzzy Hash: 0df9c81f0b9eec500472e39839fc2f1b129e603cc236899a7b86f6cba6f9b6ee
                        • Instruction Fuzzy Hash: 0F4143E2B1974295E7649B22E4407BE6391EF88BC8F005536EECD47BAAEF3DD5418700