Edit tour

Windows Analysis Report
pwn.dll.dll

Overview

General Information

Sample name:	pwn.dll.dll (renamed file extension from exe to dll)
Original sample name:	pwn.dll.exe
Analysis ID:	1580305
MD5:	2f8dd834b75bbf2ebf0be0b114c77521
SHA1:	32e1a98a551916f1ace9e2ff3018fa065122ba71
SHA256:	31a2bd9b628a18a8e38d0a125bd56d958c9cb097da214d67560f8caae1a84032
Tags:	dllexeuser-NDA0E
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected CobaltStrike

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Writes to foreign memory regions

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7872 cmdline: loaddll64.exe "C:\Users\user\Desktop\pwn.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7964 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7988 cmdline: rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

wermgr.exe (PID: 8020 cmdline: wermgr.exe MD5: 74A0194782E039ACE1F7349544DC1CF4)

rundll32.exe (PID: 7972 cmdline: rundll32.exe C:\Users\user\Desktop\pwn.dll.dll,LRDCP MD5: EF3179D498793BF4234F708D3BE28633)

wermgr.exe (PID: 8012 cmdline: wermgr.exe MD5: 74A0194782E039ACE1F7349544DC1CF4)

rundll32.exe (PID: 8176 cmdline: rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",LRDCP MD5: EF3179D498793BF4234F708D3BE28633)

wermgr.exe (PID: 7172 cmdline: wermgr.exe MD5: 74A0194782E039ACE1F7349544DC1CF4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus Earth Baxia FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Malware Configuration

Threatname: CobaltStrike

{"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 15285, "MaxGetSize": 2101826, "Jitter": 39, "C2Server": "www.service-ad.pro,/sub/ccs/NDNZH1WD1", "HttpPostUri": "/Enable/docs41/VGZ8YK523L2G", "Malleable_C2_Instructions": ["Remove 2052 bytes from the end", "Remove 2614 bytes from the beginning", "NetBIOS decode 'a'", "XOR mask w/ random key"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\DevicePairingWizard.exe", "Spawnto_x64": "%windir%\\sysnative\\Locator.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 666666666, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 9409, "ProcInject_PrependAppend_x86": ["Dx+EAAAAAAAPH0AAUFgPH0AADx+EAAAAAAA=", "Dx+AAAAAAA8fAGaQUFgPH0QAAA8fAA8fRAAADx9AAGaQDx+AAAAAAA8fAA8fRAAADx8A"], "ProcInject_PrependAppend_x64": ["UFgPH0AAZg8fRAAAkGaQZg8fRAAAZpBmkA8fgAAAAAAPH0AADx9AAA8fQAAPHwBmDx+EAAAAAABmDx+EAAAAAAAPH4AAAAAADx9AAA8fgAAAAAA=", "ZpAPHwBmDx9EAABmDx9EAABmkA8fRAAADx+EAAAAAAAPH0QAAGYPH0QAAA8fhAAAAAAAkA=="], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.2589449610.000002963D080000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0000000A.00000002.2589449610.000002963D080000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x137:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000006.00000002.2588676723.0000026E03400000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000006.00000002.2588676723.0000026E03400000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x137:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000007.00000002.2588686195.0000015A06FF0000.00000020.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000007.00000002.2588686195.0000015A06FF0000.00000020.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_b54b94ac	Rule for beacon sleep obfuscation routine	unknown	0x137:$a_x64: 4C 8B 53 08 45 8B 0A 45 8B 5A 04 4D 8D 52 08 45 85 C9 75 05 45 85 DB 74 33 45 3B CB 73 E6 49 8B F9 4C 8B 03
00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x18982:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19a73:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c9bc:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000004.00000002.1354786097.0000009707462000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000004.00000002.1354786097.0000009707462000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000004.00000002.1354786097.0000009707462000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1b152:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1c243:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0000000A.00000003.1383681030.000002963CDA0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
0000000A.00000003.1383681030.000002963CDA0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0000000A.00000003.1383681030.000002963CDA0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x18982:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19a73:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000007.00000003.1354748088.0000015A06FB0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000007.00000003.1354748088.0000015A06FB0000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000007.00000003.1354748088.0000015A06FB0000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x18982:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19a73:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c9bc:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1c9bc:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000009.00000002.1383568977.00000013E3831000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000009.00000002.1383568977.00000013E3831000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000009.00000002.1383568977.00000013E3831000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1c312:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1d403:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000005.00000002.1354476157.0000008837DB2000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000005.00000002.1354476157.0000008837DB2000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000005.00000002.1354476157.0000008837DB2000.00000004.00000010.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1b4f2:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1c5e3:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
Process Memory Space: rundll32.exe PID: 7972	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: rundll32.exe PID: 7988	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: wermgr.exe PID: 8020	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: wermgr.exe PID: 8012	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: rundll32.exe PID: 8176	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Process Memory Space: wermgr.exe PID: 7172	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
Click to see the 31 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 443, "SleepTime": 15285, "MaxGetSize": 2101826, "Jitter": 39, "C2Server": "www.service-ad.pro,/sub/ccs/NDNZH1WD1", "HttpPostUri": "/Enable/docs41/VGZ8YK523L2G", "Malleable_C2_Instructions": ["Remove 2052 bytes from the end", "Remove 2614 bytes from the beginning", "NetBIOS decode 'a'", "XOR mask w/ random key"], "HttpGet_Verb": "GET", "HttpPost_Verb": "POST", "HttpPostChunk": 0, "Spawnto_x86": "%windir%\\syswow64\\DevicePairingWizard.exe", "Spawnto_x64": "%windir%\\sysnative\\Locator.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 666666666, "bStageCleanup": "True", "bCFGCaution": "False", "KillDate": 0, "bProcInject_StartRWX": "False", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 9409, "ProcInject_PrependAppend_x86": ["Dx+EAAAAAAAPH0AAUFgPH0AADx+EAAAAAAA=", "Dx+AAAAAAA8fAGaQUFgPH0QAAA8fAA8fRAAADx9AAGaQDx+AAAAAAA8fAA8fRAAADx8A"], "ProcInject_PrependAppend_x64": ["UFgPH0AAZg8fRAAAkGaQZg8fRAAAZpBmkA8fgAAAAAAPH0AADx9AAA8fQAAPHwBmDx+EAAAAAABmDx+EAAAAAAAPH4AAAAAADx9AAA8fgAAAAAA=", "ZpAPHwBmDx9EAABmDx9EAABmkA8fRAAADx+EAAAAAAAPH0QAAGYPH0QAAA8fhAAAAAAAkA=="], "ProcInject_Execute": ["ntdll:RtlUserThreadStart", "CreateThread", "NtQueueApcThread-s", "CreateRemoteThread", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "VirtualAllocEx", "bUsesCookies": "True", "HostHeader": ""}

Multi AV Scanner detection for submitted file

Source: pwn.dll.dll	Virustotal: Detection: 19%			Perma Link
Source: pwn.dll.dll	ReversingLabs: Detection: 47%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: pwn.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.service-ad.pro

Source: Joe Sandbox View

ASN Name: AMAZON-AESUS AMAZON-AESUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: www.service-ad.pro

Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000006.00000003.2255143942.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000006.00000003.1814770599.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A07069000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A070BD000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.1814771239.0000015A070C8000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.2255409316.0000015A070C8000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.2265711351.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.1824931429.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/(
Source: wermgr.exe, 0000000A.00000002.2588786427.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.2265711351.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.1824931429.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/:ji
Source: wermgr.exe, 00000007.00000002.2588821962.0000015A07069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/ControlSet
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/T
Source: wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.2265711351.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.1824931429.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/pg
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A07069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/phy
Source: wermgr.exe, 00000007.00000002.2588821962.0000015A070BD000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A070AC000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.1824931429.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1
Source: wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1%G4
Source: wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1(g5
Source: wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1-53011b87bd06ndows
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1/vJ
Source: wermgr.exe, 0000000A.00000003.1824931429.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD10b1d
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD124612
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD15cc
Source: wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD19X4
Source: wermgr.exe, 00000007.00000002.2588821962.0000015A07069000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1J
Source: wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1Lg
Source: wermgr.exe, 0000000A.00000003.1824931429.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1RG
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1_v
Source: wermgr.exe, 0000000A.00000002.2588786427.000002963CE00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1p
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0354F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1sH
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1tography
Source: wermgr.exe, 00000007.00000002.2588821962.0000015A070BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.service-ad.pro/sub/ccs/NDNZH1WD1ui

Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49921

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000000A.00000002.2589449610.000002963D080000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000006.00000002.2588676723.0000026E03400000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000007.00000002.2588686195.0000015A06FF0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon sleep obfuscation routine Author: unknown
Source: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000004.00000002.1354786097.0000009707462000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0000000A.00000003.1383681030.000002963CDA0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000007.00000003.1354748088.0000015A06FB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000009.00000002.1383568977.00000013E3831000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000005.00000002.1354476157.0000008837DB2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown

Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C52AD	6_3_0000026E033C52AD
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C64DF	6_3_0000026E033C64DF
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C4974	6_3_0000026E033C4974
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E03400000	6_2_0000026E03400000
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037A201C	6_2_0000026E037A201C
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037A0EE4	6_2_0000026E037A0EE4
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037986B0	6_2_0000026E037986B0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037A15A8	6_2_0000026E037A15A8
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E03796BB8	6_2_0000026E03796BB8
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037ACC70	6_2_0000026E037ACC70
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037AC300	6_2_0000026E037AC300
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E0379F228	6_2_0000026E0379F228
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037991EF	6_2_0000026E037991EF
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E03799297	6_2_0000026E03799297
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB64DF	7_3_0000015A06FB64DF
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB4974	7_3_0000015A06FB4974
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB52AD	7_3_0000015A06FB52AD
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A06FF0000	7_2_0000015A06FF0000
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072F15A8	7_2_0000015A072F15A8
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072FCC70	7_2_0000015A072FCC70
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072E6BB8	7_2_0000015A072E6BB8
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072EF228	7_2_0000015A072EF228
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072E9297	7_2_0000015A072E9297
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072FC300	7_2_0000015A072FC300
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072E91EF	7_2_0000015A072E91EF
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072F201C	7_2_0000015A072F201C
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072E86B0	7_2_0000015A072E86B0
Source: C:\Windows\System32\wermgr.exe	Code function: 7_2_0000015A072F0EE4	7_2_0000015A072F0EE4
Source: C:\Windows\System32\wermgr.exe	Code function: 10_3_000002963CDA4974	10_3_000002963CDA4974
Source: C:\Windows\System32\wermgr.exe	Code function: 10_3_000002963CDA64DF	10_3_000002963CDA64DF
Source: C:\Windows\System32\wermgr.exe	Code function: 10_3_000002963CDA52AD	10_3_000002963CDA52AD
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D080000	10_2_000002963D080000
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D2315A8	10_2_000002963D2315A8
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D23CC70	10_2_000002963D23CC70
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D230EE4	10_2_000002963D230EE4
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D2286B0	10_2_000002963D2286B0
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D23201C	10_2_000002963D23201C
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D23C300	10_2_000002963D23C300
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D226BB8	10_2_000002963D226BB8
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D2291EF	10_2_000002963D2291EF
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D22F228	10_2_000002963D22F228
Source: C:\Windows\System32\wermgr.exe	Code function: 10_2_000002963D229297	10_2_000002963D229297

Source: pwn.dll.dll

Static PE information: Number of sections : 21 > 10

Source: 0000000A.00000002.2589449610.000002963D080000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000006.00000002.2588676723.0000026E03400000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000007.00000002.2588686195.0000015A06FF0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_b54b94ac reference_sample = 36d32b1ed967f07a4bd19f5e671294d5359009c04835601f2cc40fb8b54f6a2a, os = windows, severity = x86, description = Rule for beacon sleep obfuscation routine, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = 2344dd7820656f18cfb774a89d89f5ab65d46cc7761c1f16b7e768df66aa41c8, id = b54b94ac-6ef8-4ee9-a8a6-f7324c1974ca, last_modified = 2022-01-13
Source: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000004.00000002.1354786097.0000009707462000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0000000A.00000003.1383681030.000002963CDA0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000007.00000003.1354748088.0000015A06FB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000009.00000002.1383568977.00000013E3831000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000005.00000002.1354476157.0000008837DB2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.evad.winDLL@16/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03

Source: pwn.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pwn.dll.dll,LRDCP

Source: pwn.dll.dll	Virustotal: Detection: 19%
Source: pwn.dll.dll	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\pwn.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pwn.dll.dll,LRDCP
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe wermgr.exe
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe wermgr.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",LRDCP
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe wermgr.exe
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\pwn.dll.dll,LRDCP	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",LRDCP	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe wermgr.exe	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe wermgr.exe	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe wermgr.exe	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll			Jump to behavior

Source: pwn.dll.dll

Static PE information: Image base 0x366e90000 > 0x60000000

Source: pwn.dll.dll

Static file information: File size 2961425 > 1048576

Source: pwn.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: pwn.dll.dll	Static PE information: section name: /4
Source: pwn.dll.dll	Static PE information: section name: .xdata
Source: pwn.dll.dll	Static PE information: section name: /14
Source: pwn.dll.dll	Static PE information: section name: /29
Source: pwn.dll.dll	Static PE information: section name: /41
Source: pwn.dll.dll	Static PE information: section name: /55
Source: pwn.dll.dll	Static PE information: section name: /67
Source: pwn.dll.dll	Static PE information: section name: /80
Source: pwn.dll.dll	Static PE information: section name: /91
Source: pwn.dll.dll	Static PE information: section name: /107
Source: pwn.dll.dll	Static PE information: section name: /123

Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C47D2 push ss; retf	6_3_0000026E033C47D3
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C1FC1 push esi; ret	6_3_0000026E033C1FDD
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C6017 pushad ; iretd	6_3_0000026E033C6016
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C5455 push FFFFFF81h; retf	6_3_0000026E033C5457
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C5F76 pushad ; iretd	6_3_0000026E033C6016
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C15D8 push ebx; ret	6_3_0000026E033C15E5
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C220F push edi; ret	6_3_0000026E033C2211
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C65FE push ss; retf	6_3_0000026E033C6602
Source: C:\Windows\System32\wermgr.exe	Code function: 6_3_0000026E033C5D71 push FFFFFF81h; retf	6_3_0000026E033C5D73
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E03799009 push FFFFFF88h; retf	6_2_0000026E03799043
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E0378979E push cs; retf	6_2_0000026E0378979F
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E03798619 push edx; iretd	6_2_0000026E03798646
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037995E8 pushad ; ret	6_2_0000026E037995F2
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E0378ADD8 push ebp; iretd	6_2_0000026E0378ADD9
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037893DD push edi; iretd	6_2_0000026E037893DE
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037994A7 push 9D2172B5h; iretd	6_2_0000026E037994A6
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E0379945D push 9D2172B5h; iretd	6_2_0000026E037994A6
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037AA918 push ebp; iretd	6_2_0000026E037AA919
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037AA8EF push ebp; iretd	6_2_0000026E037AA8F0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E037AA8CF push ebp; iretd	6_2_0000026E037AA8D0
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E0378B99C pushad ; retf	6_2_0000026E0378B99D
Source: C:\Windows\System32\wermgr.exe	Code function: 6_2_0000026E0378F981 push ebx; iretd	6_2_0000026E0378F982
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB5455 push FFFFFF81h; retf	7_3_0000015A06FB5457
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB220F push edi; ret	7_3_0000015A06FB2211
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB65FE push ss; retf	7_3_0000015A06FB6602
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB15D8 push ebx; ret	7_3_0000015A06FB15E5
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB5D71 push FFFFFF81h; retf	7_3_0000015A06FB5D73
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB6017 pushad ; iretd	7_3_0000015A06FB6016
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB47D2 push ss; retf	7_3_0000015A06FB47D3
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB1FC1 push esi; ret	7_3_0000015A06FB1FDD
Source: C:\Windows\System32\wermgr.exe	Code function: 7_3_0000015A06FB5F76 pushad ; iretd	7_3_0000015A06FB6016

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe TID: 7876

Thread sleep time: -120000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe	Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe	Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: wermgr.exe, 0000000A.00000002.2588786427.000002963CE00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000006.00000002.2588861671.0000026E0357F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A07069000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.1814771239.0000015A070E2000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A070DE000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A070E2000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.2265711351.000002963CE85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wermgr.exe, 0000000A.00000003.2265711351.000002963CE85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWG

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\System32\wermgr.exe base: 15A06FB0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\System32\wermgr.exe base: 26E033C0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory allocated: C:\Windows\System32\wermgr.exe base: 2963CDA0000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\rundll32.exe	Thread created: C:\Windows\System32\wermgr.exe EIP: 6FB0000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread created: C:\Windows\System32\wermgr.exe EIP: 33C0000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread created: C:\Windows\System32\wermgr.exe EIP: 3CDA0000	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\System32\wermgr.exe base: 15A06FB0000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\System32\wermgr.exe base: 26E033C0000	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Memory written: C:\Windows\System32\wermgr.exe base: 2963CDA0000	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe wermgr.exe	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe wermgr.exe	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe wermgr.exe	Jump to behavior

Source: C:\Windows\System32\wermgr.exe

Code function: 6_2_0000026E03794EA8 GetUserNameA,strrchr,_snprintf,

6_2_0000026E03794EA8

Remote Access Functionality

Yara detected CobaltStrike

Source: Yara match	File source: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1354786097.0000009707462000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1383681030.000002963CDA0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1354748088.0000015A06FB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1383568977.00000013E3831000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1354476157.0000008837DB2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2589449610.000002963D080000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2588676723.0000026E03400000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2588686195.0000015A06FF0000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7972, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7988, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wermgr.exe PID: 8020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wermgr.exe PID: 8012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: wermgr.exe PID: 7172, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	11 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Rundll32	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
pwn.dll.dll	19%	Virustotal		Browse
pwn.dll.dll	47%	ReversingLabs	Win64.Backdoor.Cobeacon

Source	Detection	Scanner	Label
https://www.service-ad.pro/sub/ccs/NDNZH1WD1_v	0%	Avira URL Cloud	safe
https://www.service-ad.pro/T	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1tography	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1-53011b87bd06ndows	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1J	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1sH	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1RG	0%	Avira URL Cloud	safe
https://www.service-ad.pro/:ji	0%	Avira URL Cloud	safe
https://www.service-ad.pro/pg	0%	Avira URL Cloud	safe
https://www.service-ad.pro/phy	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD124612	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1Lg	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1%G4	0%	Avira URL Cloud	safe
https://www.service-ad.pro/	0%	Avira URL Cloud	safe
https://www.service-ad.pro/(	0%	Avira URL Cloud	safe
https://www.service-ad.pro/ControlSet	0%	Avira URL Cloud	safe
www.service-ad.pro	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD10b1d	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1ui	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1/vJ	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1p	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD15cc	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD19X4	0%	Avira URL Cloud	safe
https://www.service-ad.pro/sub/ccs/NDNZH1WD1(g5	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high
www.service-ad.pro	54.173.64.206	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.service-ad.pro	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.service-ad.pro/T	wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1	wermgr.exe, 00000007.00000002.2588821962.0000015A070BD000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A070AC000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.1824931429.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1tography	wermgr.exe, 00000006.00000002.2588861671.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1RG	wermgr.exe, 0000000A.00000003.1824931429.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1sH	wermgr.exe, 00000006.00000002.2588861671.0000026E0354F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1-53011b87bd06ndows	wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1_v	wermgr.exe, 00000006.00000002.2588861671.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/:ji	wermgr.exe, 0000000A.00000002.2588786427.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.2265711351.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.1824931429.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/pg	wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.2265711351.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.1824931429.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1J	wermgr.exe, 00000007.00000002.2588821962.0000015A07069000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/	wermgr.exe, 00000006.00000002.2588861671.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000006.00000003.2255143942.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000006.00000003.1814770599.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A07069000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A070BD000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.1814771239.0000015A070C8000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000003.2255409316.0000015A070C8000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.2265711351.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000003.1824931429.000002963CE5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/phy	wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 00000007.00000002.2588821962.0000015A07069000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1%G4	wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/(	wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD10b1d	wermgr.exe, 0000000A.00000003.1824931429.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp, wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD124612	wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/ControlSet	wermgr.exe, 00000007.00000002.2588821962.0000015A07069000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1ui	wermgr.exe, 00000007.00000002.2588821962.0000015A070BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1Lg	wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1/vJ	wermgr.exe, 00000006.00000002.2588861671.0000026E0355F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1p	wermgr.exe, 0000000A.00000002.2588786427.000002963CE00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD1(g5	wermgr.exe, 0000000A.00000002.2588786427.000002963CE67000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD15cc	wermgr.exe, 00000006.00000002.2588861671.0000026E0350C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.service-ad.pro/sub/ccs/NDNZH1WD19X4	wermgr.exe, 0000000A.00000002.2588786427.000002963CE4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.173.64.206	www.service-ad.pro	United States		14618	AMAZON-AESUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580305
Start date and time:	2024-12-24 09:04:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	pwn.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	pwn.dll.exe
Detection:	MAL
Classification:	mal100.troj.evad.winDLL@16/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 15 Number of non-executed functions: 99

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
03:05:22	API Interceptor	1x Sleep call for process: loaddll64.exe modified
03:06:49	API Interceptor	3x Sleep call for process: wermgr.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	7kf4hLzMoS.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
	2S5jaCcFo5.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	QDQXUZhiY3.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	13.107.246.63
	https://en.newsnowbangla.com/archives/69912	Get hash	malicious	HTMLPhisher, TechSupportScam	Browse	13.107.246.63
	https://flowto.it/8tooc2sec?fc=0	Get hash	malicious	Unknown	Browse	13.107.246.63
	Onboard Training Checklist v1.1 - Wyatt Young (1).xlsx	Get hash	malicious	Unknown	Browse	13.107.246.63
	vFile__0054seconds__Airborn.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	https://jkqbjwq.maxiite.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	Gq48hjKhZf.exe	Get hash	malicious	LodaRAT	Browse	3.5.8.193
	x6Rd1DzUJA.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	SzXZZDlkVE.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	ijn8pyFXSP.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	WzyLDvldFI.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	PhwUGyok2i.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	nRYpZg6i5E.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	RGU8qibimk.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	FMuiLqyqaT.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	34.226.108.155
	iaLId0uLUw.exe	Get hash	malicious	LummaC	Browse	3.5.17.0

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	6.249570982937299
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	pwn.dll.dll
File size:	2'961'425 bytes
MD5:	2f8dd834b75bbf2ebf0be0b114c77521
SHA1:	32e1a98a551916f1ace9e2ff3018fa065122ba71
SHA256:	31a2bd9b628a18a8e38d0a125bd56d958c9cb097da214d67560f8caae1a84032
SHA512:	498bea3e769f021958f8ec3d397f354bc5374417491b5d5b538f80d2605c5a2676bb2ef4d5e0bcf026acc3ebff17e85f48b5e86ebecad87f536d81697e3bc2e0
SSDEEP:	49152:SiEC6uOSWZ/pFnvkp8rHNClssJn1Q8FXpoEzgf7fA:FbspFnvkp1s4XpoEzgf7fA
TLSH:	27D5094369DB0DA5DED677BCA2C35335A778FD35CA291F2BAA08C13129536C4AD1EB00
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....Acg.z........& ...*.......................f.............................`........-...`... ............................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x366e91292
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x366e90000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x676341AA [Wed Dec 18 21:42:02 2024 UTC]
TLS Callbacks:	0x66e9b560, 0x3, 0x66e9b620, 0x3, 0x66eaa3ee, 0x3
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9c0bc9bd0a50ec0d7df40f8d51bcddec

Entrypoint Preview

Instruction
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 20h
dec eax
mov dword ptr [ebp+10h], ecx
mov dword ptr [ebp+18h], edx
dec esp
mov dword ptr [ebp+20h], eax
dec eax
mov eax, dword ptr [00114014h]
mov dword ptr [eax], 00000000h
dec eax
mov ecx, dword ptr [ebp+20h]
mov edx, dword ptr [ebp+18h]
dec eax
mov eax, dword ptr [ebp+10h]
dec ecx
mov eax, ecx
dec eax
mov ecx, eax
call 00007F6A4CD34A9Bh
dec eax
add esp, 20h
pop ebp
ret
push ebp
dec eax
mov ebp, esp
dec eax
sub esp, 30h
dec eax
mov dword ptr [ebp+10h], ecx
mov dword ptr [ebp+18h], edx
dec esp
mov dword ptr [ebp+20h], eax
mov dword ptr [ebp-04h], 00000001h
dec eax
mov eax, dword ptr [00113FF1h]
mov edx, dword ptr [ebp+18h]
mov dword ptr [eax], edx
cmp dword ptr [ebp+18h], 00000000h
jne 00007F6A4CD34AA8h
mov eax, dword ptr [0013FD00h]
test eax, eax
jne 00007F6A4CD34A9Eh
mov dword ptr [ebp-04h], 00000000h
jmp 00007F6A4CD34BD6h
call 00007F6A4CD3F5E8h
cmp dword ptr [ebp+18h], 01h
je 00007F6A4CD34A98h
cmp dword ptr [ebp+18h], 02h
jne 00007F6A4CD34AFBh
dec eax
mov ecx, dword ptr [ebp+20h]
mov edx, dword ptr [ebp+18h]
dec eax
mov eax, dword ptr [ebp+10h]
dec ecx
mov eax, ecx
dec eax
mov ecx, eax
call 00007F6A4CD3477Bh
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007F6A4CD34B9Ch
dec eax
mov ecx, dword ptr [ebp+20h]
mov edx, dword ptr [ebp+18h]
dec eax
mov eax, dword ptr [ebp+10h]
dec ecx
mov eax, ecx
dec eax
mov ecx, eax
call 00007F6A4CD4075Bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x142000	0x40	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x143000	0x190c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x123000	0xc12c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x147000	0x1640	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x113cc0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x143648	0x530	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xbea28	0xbec00	0a9355d24f0e54ef3995145ebeb79915	False	0.3478879116153342	data	6.139638316650916	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xc0000	0x3080	0x3200	d7d25c99683f900c18ca46358cdaf886	False	0.02796875	dBase III DBT, version number 0, next free block index 1, 1st item "\320-\353f\003"	0.3744154107590934	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc4000	0x5d4f0	0x5d600	eab27f141125611bb26524ef6550575b	False	0.7583171226572959	data	7.643759419563151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x122000	0x4	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x123000	0xc12c	0xc200	cd7b0492f8a8f1c8f2ebf7a96cc64817	False	0.5144772873711341	data	5.949220732775683	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x130000	0x10bf0	0x10c00	add6697e8161d4ff7ad3fd3da3f32ae8	False	0.18661089085820895	, SYS \003\001P	4.886387418702516	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x141000	0xd20	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x142000	0x40	0x200	4b01f7ea2691d093afa17124eeb17546	False	0.119140625	data	0.6720558129187144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x143000	0x190c	0x1a00	433be6924348010807170ccdcfb26697	False	0.3046875	data	4.3852150569721156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x145000	0x60	0x200	58d7a8c2e21102f787b5225a72e0a126	False	0.068359375	data	0.345979103835012	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x146000	0x10	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x147000	0x1640	0x1800	a07e6e96b1231be730509c2d725e41dd	False	0.3894856770833333	data	5.325942218419584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/14	0x149000	0xd0	0x200	e69c9c5c78c1b91a826abcec04b38c2b	False	0.158203125	data	0.8801018156738997	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/29	0x14a000	0x46f9	0x4800	d77bfc4f43021a61a2ec944cc68856c3	False	0.3791775173611111	Matlab v4 mat-file (little endian) f\003, rows 134283269, columns 0, imaginary	5.867887116880315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/41	0x14f000	0x8a5	0xa00	8c412e1ec809bc2d22840ac0c0dd9436	False	0.326953125	data	4.517567710861818	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/55	0x150000	0x97f	0xa00	d285d6cd0db463fcb80331454a301ba0	False	0.541015625	data	4.818092440198135	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/67	0x151000	0x498	0x600	05aaae4054744240010da927faed8496	False	0.3470052083333333	data	3.2931908827991117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/80	0x152000	0xce	0x200	292217cd9caa0647d900f44faf753dd5	False	0.34375	data	2.8722615854557496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/91	0x153000	0x461	0x600	75a450f8317627827fe1cca60ebb0ae6	False	0.181640625	data	4.17072784657899	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/107	0x154000	0x88b	0xa00	fb732459dfa7f47d77bcbc5dc4c8ca68	False	0.399609375	data	4.243449352096334	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/123	0x155000	0x108	0x200	d2c23f33ed4b9902afd81a6cb72499db	False	0.291015625	data	2.5304828581562533	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	AddVectoredExceptionHandler, CloseHandle, CreateEventA, CreateProcessA, CreateRemoteThread, CreateSemaphoreA, DeleteCriticalSection, DuplicateHandle, EnterCriticalSection, FormatMessageA, FreeLibrary, GetCurrentProcess, GetCurrentProcessId, GetCurrentThread, GetCurrentThreadId, GetHandleInformation, GetLastError, GetModuleHandleA, GetProcAddress, GetProcessAffinityMask, GetSystemTimeAsFileTime, GetThreadContext, GetThreadPriority, GetTickCount64, InitializeCriticalSection, IsDebuggerPresent, LeaveCriticalSection, LoadLibraryA, LocalFree, MultiByteToWideChar, OpenProcess, OutputDebugStringA, RaiseException, ReleaseSemaphore, RemoveVectoredExceptionHandler, ResetEvent, ResumeThread, RtlCaptureContext, RtlLookupFunctionEntry, RtlUnwindEx, RtlVirtualUnwind, SetEvent, SetLastError, SetProcessAffinityMask, SetThreadContext, SetThreadPriority, Sleep, SuspendThread, TlsAlloc, TlsGetValue, TlsSetValue, TryEnterCriticalSection, VirtualAllocEx, VirtualProtect, VirtualQuery, WaitForMultipleObjects, WaitForSingleObject, WideCharToMultiByte, WriteProcessMemory, __C_specific_handler
api-ms-win-crt-convert-l1-1-0.dll	_ultoa, mbrtowc, strtoul, wcrtomb
api-ms-win-crt-environment-l1-1-0.dll	__p__environ, __p__wenviron, getenv
api-ms-win-crt-filesystem-l1-1-0.dll	_fstat64
api-ms-win-crt-heap-l1-1-0.dll	_set_new_mode, calloc, free, malloc, realloc
api-ms-win-crt-locale-l1-1-0.dll	___lc_codepage_func, ___mb_cur_max_func, localeconv, setlocale
api-ms-win-crt-math-l1-1-0.dll	_fdopen
api-ms-win-crt-private-l1-1-0.dll	__intrinsic_setjmpex, longjmp, memchr, memcmp, memcpy, memmove, strchr
api-ms-win-crt-runtime-l1-1-0.dll	__p___argc, __p___argv, __p___wargv, _beginthreadex, _configure_narrow_argv, _configure_wide_argv, _crt_at_quick_exit, _crt_atexit, _endthreadex, _errno, _execute_onexit_table, _exit, _initialize_narrow_environment, _initialize_onexit_table, _initialize_wide_environment, _initterm, _register_onexit_function, abort, exit, signal, strerror
api-ms-win-crt-stdio-l1-1-0.dll	__acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vfwprintf, __stdio_common_vsprintf, __stdio_common_vswprintf, _fileno, _fseeki64, _ftelli64, _lseeki64, _read, _wfopen, _write, fclose, fflush, fgetwc, fopen, fputc, fputs, fread, fwrite, getc, getwc, putc, putwc, setvbuf, ungetc, ungetwc
api-ms-win-crt-string-l1-1-0.dll	_strdup, iswctype, memset, strcmp, strcoll, strlen, strncmp, strxfrm, towlower, towupper, wcscoll, wcslen, wcsxfrm
api-ms-win-crt-time-l1-1-0.dll	__daylight, __timezone, __tzname, _tzset, strftime, wcsftime
api-ms-win-crt-utility-l1-1-0.dll	rand_s

Exports

Name	Ordinal	Address
LRDCP	1	0x366e915a0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 09:05:22.564690113 CET	49717	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:05:22.564724922 CET	443	49717	54.173.64.206	192.168.2.9
Dec 24, 2024 09:05:22.564836025 CET	49717	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:05:22.565562010 CET	49718	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:05:22.565607071 CET	443	49718	54.173.64.206	192.168.2.9
Dec 24, 2024 09:05:22.565671921 CET	49718	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:05:22.597518921 CET	49717	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:05:22.597536087 CET	443	49717	54.173.64.206	192.168.2.9
Dec 24, 2024 09:05:22.597542048 CET	49718	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:05:22.597558975 CET	443	49718	54.173.64.206	192.168.2.9
Dec 24, 2024 09:05:23.599489927 CET	49719	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:05:23.599529028 CET	443	49719	54.173.64.206	192.168.2.9
Dec 24, 2024 09:05:23.599647045 CET	49719	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:05:23.610647917 CET	49719	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:05:23.610663891 CET	443	49719	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:06.634749889 CET	443	49718	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:06.634751081 CET	443	49717	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:06.634865999 CET	49717	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.635004997 CET	49717	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.635010958 CET	49718	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.635010958 CET	49718	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.635021925 CET	443	49717	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:06.644053936 CET	49817	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.644088984 CET	443	49817	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:06.644155025 CET	49817	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.644490004 CET	49817	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.644499063 CET	443	49817	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:06.651016951 CET	49818	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.651071072 CET	443	49818	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:06.651158094 CET	49818	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.651364088 CET	49818	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.651385069 CET	443	49818	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:06.940416098 CET	49718	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:06.940460920 CET	443	49718	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:07.648211002 CET	443	49719	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:07.648300886 CET	49719	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:07.648426056 CET	49719	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:07.648446083 CET	443	49719	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:07.667735100 CET	49823	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:07.667781115 CET	443	49823	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:07.667897940 CET	49823	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:07.668205976 CET	49823	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:07.668224096 CET	443	49823	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.664397955 CET	443	49818	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.667525053 CET	49818	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.667622089 CET	49818	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.667634964 CET	443	49818	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.673118114 CET	49921	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.673150063 CET	443	49921	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.673216105 CET	49921	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.673273087 CET	49921	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.673299074 CET	443	49921	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.673603058 CET	49921	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.695779085 CET	443	49817	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.695847034 CET	49817	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.695924997 CET	49817	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.695936918 CET	443	49817	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.712044954 CET	49922	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.712074041 CET	443	49922	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.712142944 CET	49922	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.712177992 CET	49922	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.712229013 CET	443	49922	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.712460995 CET	49922	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.801861048 CET	49923	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.801923037 CET	443	49923	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.802051067 CET	49923	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.802333117 CET	49923	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.802347898 CET	443	49923	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.833062887 CET	49924	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.833122015 CET	443	49924	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:50.833235979 CET	49924	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.833554029 CET	49924	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:50.833568096 CET	443	49924	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:51.727015018 CET	443	49823	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:51.727106094 CET	49823	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:51.727207899 CET	49823	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:51.727229118 CET	443	49823	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:51.730047941 CET	49927	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:51.730156898 CET	443	49927	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:51.730249882 CET	49927	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:51.730320930 CET	49927	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:51.730391026 CET	443	49927	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:51.730442047 CET	49927	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:51.849788904 CET	49928	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:51.849809885 CET	443	49928	54.173.64.206	192.168.2.9
Dec 24, 2024 09:06:51.849865913 CET	49928	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:51.850275040 CET	49928	443	192.168.2.9	54.173.64.206
Dec 24, 2024 09:06:51.850282907 CET	443	49928	54.173.64.206	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 24, 2024 09:05:22.212398052 CET	58175	53	192.168.2.9	1.1.1.1
Dec 24, 2024 09:05:22.547111988 CET	53	58175	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 24, 2024 09:05:22.212398052 CET	192.168.2.9	1.1.1.1	0xa9e6	Standard query (0)	www.service-ad.pro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 24, 2024 09:05:16.384417057 CET	1.1.1.1	192.168.2.9	0xe39f	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 24, 2024 09:05:16.384417057 CET	1.1.1.1	192.168.2.9	0xe39f	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 24, 2024 09:05:22.547111988 CET	1.1.1.1	192.168.2.9	0xa9e6	No error (0)	www.service-ad.pro		54.173.64.206	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:05:18
Start date:	24/12/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\pwn.dll.dll"
Imagebase:	0x7ff607b70000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:05:19
Start date:	24/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:05:19
Start date:	24/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",#1
Imagebase:	0x7ff656220000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:05:19
Start date:	24/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\pwn.dll.dll,LRDCP
Imagebase:	0x7ff752900000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000004.00000002.1354786097.0000009707462000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000004.00000002.1354786097.0000009707462000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000004.00000002.1354786097.0000009707462000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:05:19
Start date:	24/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",#1
Imagebase:	0x7ff752900000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000005.00000002.1354476157.0000008837DB2000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000005.00000002.1354476157.0000008837DB2000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000005.00000002.1354476157.0000008837DB2000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:05:19
Start date:	24/12/2024
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):	false
Commandline:	wermgr.exe
Imagebase:	0x7ff61efb0000
File size:	229'728 bytes
MD5 hash:	74A0194782E039ACE1F7349544DC1CF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000006.00000002.2588676723.0000026E03400000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000006.00000002.2588676723.0000026E03400000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	03:05:19
Start date:	24/12/2024
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):	false
Commandline:	wermgr.exe
Imagebase:	0x7ff61efb0000
File size:	229'728 bytes
MD5 hash:	74A0194782E039ACE1F7349544DC1CF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000007.00000002.2588686195.0000015A06FF0000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 00000007.00000002.2588686195.0000015A06FF0000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000007.00000003.1354748088.0000015A06FB0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000007.00000003.1354748088.0000015A06FB0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000007.00000003.1354748088.0000015A06FB0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:05:22
Start date:	24/12/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\pwn.dll.dll",LRDCP
Imagebase:	0x7ff752900000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 00000009.00000002.1383568977.00000013E3831000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 00000009.00000002.1383568977.00000013E3831000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 00000009.00000002.1383568977.00000013E3831000.00000004.00000010.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:05:22
Start date:	24/12/2024
Path:	C:\Windows\System32\wermgr.exe
Wow64 process (32bit):	false
Commandline:	wermgr.exe
Imagebase:	0x7ff61efb0000
File size:	229'728 bytes
MD5 hash:	74A0194782E039ACE1F7349544DC1CF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2589449610.000002963D080000.00000020.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_b54b94ac, Description: Rule for beacon sleep obfuscation routine, Source: 0000000A.00000002.2589449610.000002963D080000.00000020.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_2, Description: Yara detected CobaltStrike, Source: 0000000A.00000003.1383681030.000002963CDA0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 0000000A.00000003.1383681030.000002963CDA0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_f0b627fc, Description: Rule for beacon reflective loader, Source: 0000000A.00000003.1383681030.000002963CDA0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CobaltStrike_3, Description: Yara detected CobaltStrike, Source: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_CobaltStrike_663fc95d, Description: Identifies CobaltStrike via unidentified function code, Source: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	563
Total number of Limit Nodes:	29

Executed Functions

Function 0000026E03794EA8 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000026E0379506C: malloc.LIBCMT ref: 0000026E03795088

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,?,-00000001,?,00000002,0000026E0378BD09), ref: 0000026E03794F2F
strrchr.LIBCMT ref: 0000026E03794F6D
_snprintf.LIBCMT ref: 0000026E0379501B

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: NameUser_snprintfmallocstrrchr
String ID:
API String ID: 1238167203-0
Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction ID: 0c3f4e3026576e247c10b60a56c2a125f9020503dce490c3c19e83826369de21
Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction Fuzzy Hash: 7751843071CE098FEE58AB6CA44A7BA72D2E789310F19462EE08ED32D6D975D8028741

Function 0000026E03400000 Relevance: 1.7, APIs: 1, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 0000026E034000D0

Memory Dump Source

Source File: 00000006.00000002.2588676723.0000026E03400000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000026E03400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03400000_wermgr.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 88e8bec169d31fc803aeef05fed04f98ffb8ac2501b92b4af572ff67ccb03544
Instruction ID: 69c343f566bd3c90451482b1cc186f3fdf793a230ab55e50ac7fdab7bfc11804
Opcode Fuzzy Hash: 88e8bec169d31fc803aeef05fed04f98ffb8ac2501b92b4af572ff67ccb03544
Instruction Fuzzy Hash: 49513138308A468FCB1CCE5C95C9B3173D5E785305B0692ACD59ADF2ABC972DC43C680

Function 0000026E0378E094 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32 ref: 0000026E0378E0C2

Strings

_Cy, xrefs: 0000026E0378E121

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: Socket
String ID: _Cy
API String ID: 38366605-1085951347
Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction ID: 656b93fc515bb6126788c192276bbae924bda3fba546a8ec6c4336f7b84ee898
Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction Fuzzy Hash: AB31E83460CE498FDB94DF288888767B7E1FBA8315F15063EE44AD36E1DB75C5418741

Function 0000026E0378DAC8 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 0000026E0378DB8C
InternetConnectA.WININET ref: 0000026E0378DBFA

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction ID: 57f449066618ba702d53fd49ebe4bddad870e6fde5b78a98d38f6ce6f4724c7e
Opcode Fuzzy Hash: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction Fuzzy Hash: A551B73461C605CFEF59DB1CD49976977D2FB48300F16052E908BD36E2DABD9902CB82

Function 0000026E0379C36C Relevance: 1.3, APIs: 1, Instructions: 75
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 0000026E0379C422

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 33013136f0bb95f1eb9f3645b418df4a5ff2efb559231014e174e8ee2656166c
Instruction ID: 36c6ba9cb44813718b1c7bed4cabb9dc19b0a3d33579223ec349bc8ccb122bd0
Opcode Fuzzy Hash: 33013136f0bb95f1eb9f3645b418df4a5ff2efb559231014e174e8ee2656166c
Instruction Fuzzy Hash: CF21623460CA0ACFEF95DB1CE44872A37E6F7AC345F150A3AD046D32A0C6B99940CB41

Non-executed Functions

Function 0000026E037A201C Relevance: 30.8, APIs: 15, Strings: 2, Instructions: 1030COMMON

Download Yara Rule

APIs

Part of subcall function 0000026E037A0680: _getptd.LIBCMT ref: 0000026E037A0696
Part of subcall function 0000026E037A0680: __updatetlocinfo.LIBCMT ref: 0000026E037A06CB
Part of subcall function 0000026E037A0680: __updatetmbcinfo.LIBCMT ref: 0000026E037A06F2

_errno.LIBCMT ref: 0000026E037A2082

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

_fileno.LIBCMT ref: 0000026E037A20AF

Part of subcall function 0000026E037A4AD4: _errno.LIBCMT ref: 0000026E037A4ADD
Part of subcall function 0000026E037A4AD4: _invalid_parameter_noinfo.LIBCMT ref: 0000026E037A4AE8

write_multi_char.LIBCMT ref: 0000026E037A26EB
write_string.LIBCMT ref: 0000026E037A2708
write_multi_char.LIBCMT ref: 0000026E037A2725
write_string.LIBCMT ref: 0000026E037A2784
write_multi_char.LIBCMT ref: 0000026E037A27DD
free.LIBCMT ref: 0000026E037A27F1
_isleadbyte_l.LIBCMT ref: 0000026E037A28C2
write_char.LIBCMT ref: 0000026E037A28D8
write_char.LIBCMT ref: 0000026E037A28F9
_errno.LIBCMT ref: 0000026E037A29FC
_invalid_parameter_noinfo.LIBCMT ref: 0000026E037A2A07

Strings

@, xrefs: 0000026E037A209B
, xrefs: 0000026E037A26BF

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID: $@
API String ID: 3613058218-1077428164
Opcode ID: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction ID: c36ca68274534f0178068defedc0eb017c8bd8f1212462d8f25f1a802308fba1
Opcode Fuzzy Hash: 0599035506f01076b605f9026c3628a483f4ccd483033c44f83e2593a1d2db07
Instruction Fuzzy Hash: BD62F83991CE4ACAFF6C8A18C45936B77D1FBD5300F2A491DF986E31D3D6B69C028641

Function 0000026E037A15A8 Relevance: 29.0, APIs: 15, Strings: 1, Instructions: 1022COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026E037A0680: _getptd.LIBCMT ref: 0000026E037A0696
Part of subcall function 0000026E037A0680: __updatetlocinfo.LIBCMT ref: 0000026E037A06CB
Part of subcall function 0000026E037A0680: __updatetmbcinfo.LIBCMT ref: 0000026E037A06F2

_errno.LIBCMT ref: 0000026E037A160E

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

_fileno.LIBCMT ref: 0000026E037A163B

Part of subcall function 0000026E037A4AD4: _errno.LIBCMT ref: 0000026E037A4ADD
Part of subcall function 0000026E037A4AD4: _invalid_parameter_noinfo.LIBCMT ref: 0000026E037A4AE8

write_multi_char.LIBCMT ref: 0000026E037A1C6B
write_string.LIBCMT ref: 0000026E037A1C88
write_multi_char.LIBCMT ref: 0000026E037A1CA5
write_string.LIBCMT ref: 0000026E037A1D04
write_multi_char.LIBCMT ref: 0000026E037A1D5D
free.LIBCMT ref: 0000026E037A1D71
_isleadbyte_l.LIBCMT ref: 0000026E037A1E42
write_char.LIBCMT ref: 0000026E037A1E58
write_char.LIBCMT ref: 0000026E037A1E79
_errno.LIBCMT ref: 0000026E037A1F73
_invalid_parameter_noinfo.LIBCMT ref: 0000026E037A1F7E

Strings

, xrefs: 0000026E037A1C3F

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_charwrite_string$__updatetlocinfo__updatetmbcinfo_fileno_getptd_getptd_noexit_isleadbyte_lfree
String ID:
API String ID: 3613058218-3916222277
Opcode ID: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction ID: 0b39d5b8c333214bfa32b01287f3cae5c117bfc2f7c9eba0669a2f6651e54135
Opcode Fuzzy Hash: 99560b4e6a3ba651302837abcdacc877c80be0c82fbf8e81c16206e006ab6ccb
Instruction Fuzzy Hash: 5362E73891CE46CAFF6C9A1884493BB77D1FBD5311FAE061DF497E31C2D6B698028642

Function 0000026E03796BB8 Relevance: 13.3, APIs: 10, Instructions: 790
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_snprintf.LIBCMT ref: 0000026E03796D25
_snprintf.LIBCMT ref: 0000026E03796DE6
_snprintf.LIBCMT ref: 0000026E03796E03
_snprintf.LIBCMT ref: 0000026E03797058
_snprintf.LIBCMT ref: 0000026E03797168
_snprintf.LIBCMT ref: 0000026E03797226
_snprintf.LIBCMT ref: 0000026E037972DE
_snprintf.LIBCMT ref: 0000026E03797082

Part of subcall function 0000026E0379E6BC: _errno.LIBCMT ref: 0000026E0379E6F3
Part of subcall function 0000026E0379E6BC: _invalid_parameter_noinfo.LIBCMT ref: 0000026E0379E6FE

_snprintf.LIBCMT ref: 0000026E037972F6
_snprintf.LIBCMT ref: 0000026E037973B4

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _snprintf$_errno_invalid_parameter_noinfo
String ID:
API String ID: 3442832105-0
Opcode ID: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction ID: b089f0ef8ac53714568473845b9db2f13cb25f69bbaaae5b211c61b30d4c82b3
Opcode Fuzzy Hash: 5c5fb6f4a09e06ccff5c46792293312cb34477fc99d63142bfc01bcec4b0117e
Instruction Fuzzy Hash: 8752023411CD8ACBEB5AEB2CD4067E2F3E1FFA8315F091309D88593592EB71E5828781

Function 0000026E033C4974 Relevance: 2.6, Strings: 2, Instructions: 142COMMON

Download Yara Rule

Strings

5F@4, xrefs: 0000026E033C4977
W#?`, xrefs: 0000026E033C49FF

Memory Dump Source

Source File: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026E033C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_26e033c0000_wermgr.jbxd

Yara matches

Similarity

API ID:
String ID: 5F@4$W#?`
API String ID: 0-4215367577
Opcode ID: 7ef5a4437f3000b6a2226bfe11f24cc41c5e315243d0a398e55b1c31b366f874
Instruction ID: 90defa94bd4a8814c47c1f1a37d30a2c073edbf7263ff41187166635d64eb291
Opcode Fuzzy Hash: 7ef5a4437f3000b6a2226bfe11f24cc41c5e315243d0a398e55b1c31b366f874
Instruction Fuzzy Hash: 67419DA742D5C78FDB02CA35D4F93E9BBA1EB17720F2A52D8C0B04F242C96A5807C764

Function 0000026E0379F228 Relevance: 1.8, APIs: 1, Instructions: 304COMMONLIBRARYCODE

Download Yara Rule

APIs

_initp_misc_winsig.LIBCMT ref: 0000026E0379F25C

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _initp_misc_winsig
String ID:
API String ID: 2710132595-0
Opcode ID: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction ID: 168d01585b2769e3a986565101d186f772155e879e86ab02445d94956870b501
Opcode Fuzzy Hash: c8c90554330dcabd03fa81e8dd660722591610607187a6cda5de2b4df199049a
Instruction Fuzzy Hash: EDA1EB71619A09CFFF94FF75E898AAA37B2F768301721893A900AD3174DABCD545CB40

Function 0000026E03799297 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

?, xrefs: 0000026E037992AA

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: daf65675f3bffc35005e75e7b4162ae52c388d63e550f19dd9eec779c8e99468
Instruction ID: 150938def8fcd2103730462edcf05a5b4552cbcc4994e085d8b32eb39ab3ccb0
Opcode Fuzzy Hash: daf65675f3bffc35005e75e7b4162ae52c388d63e550f19dd9eec779c8e99468
Instruction Fuzzy Hash: D931502240D7C58BEB525A38806C2D57FD09F5B204F5E07DCC6D24A7D3D6528407D392

Function 0000026E037ACC70 Relevance: .8, Instructions: 783COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction ID: 45ea27e68776238740392993e45f36c4cbfc9c2237472e23ddd366007c736312
Opcode Fuzzy Hash: 598c92a77d3f8dda66df7f00e42631b8bb25fed254ebd76fcbad8f8343bff3d7
Instruction Fuzzy Hash: 80620A31228A558FD31CCB1CC4B1B7AB7E1FB89340F44896DE287CB696C639DA45CB91

Function 0000026E037AC300 Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction ID: d5dd5c55ac266d130c752bd8f06d9a988cdb58b094c95dc04fbb2d01a149c9e0
Opcode Fuzzy Hash: b966ddc3a4a27f87df3b0e1d0093439f08c10720c9c40116a815356078c1d6ce
Instruction Fuzzy Hash: EC52EE312286558FD31CCF1CC5A1E7AB7E1FB8D340F448A6DE28ACB692C639E545CB91

Function 0000026E033C64DF Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026E033C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_26e033c0000_wermgr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d366354534a9572f79d4aff29333c7cafe5288c4e4458810ea210a06cb1389b2
Instruction ID: f9b3405f86c7f3644abc175d4b216797663bd7756370e6a9ec47f06c14ecb03d
Opcode Fuzzy Hash: d366354534a9572f79d4aff29333c7cafe5288c4e4458810ea210a06cb1389b2
Instruction Fuzzy Hash: C4519CBA90C6C79FEB069A3494ED3D47F619F67214F2D06ECC0928B693D9068407C791

Function 0000026E033C52AD Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000003.1354728332.0000026E033C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000026E033C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_3_26e033c0000_wermgr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9e49f682d3545870b6b9835a02302a39fde6194118b9a0fe97a137350e698a
Instruction ID: 57554eaf9c13187ba0c20f8cbabd793c87853b05428766a1184bcc7f428f93a4
Opcode Fuzzy Hash: 6f9e49f682d3545870b6b9835a02302a39fde6194118b9a0fe97a137350e698a
Instruction Fuzzy Hash: 5B51A72B60C2C69EEB16DF34D8C87D43FA1AB0B254B6A12DDC4A14B5A3DB675443DB80

Function 0000026E037986B0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb5025c488799d2f8a5c20adae6e44962d3733a5097a7cf8a007b1505b36c11
Instruction ID: 624ec4f89be9b2833750fe48e477a0fafa2b19c3e154e2e9d9c4e5825c9f140c
Opcode Fuzzy Hash: 4eb5025c488799d2f8a5c20adae6e44962d3733a5097a7cf8a007b1505b36c11
Instruction Fuzzy Hash: F841266640C9CAAAE7168F3484A83D57BA2AF57308F2D02CCC4D25B3E3D6A35402D351

Function 0000026E037991EF Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41537edae7fd09a1d0932e558d8ac235093b37a8380a38275133ea2c9a3a4088
Instruction ID: df1826fd5880bafe404092f72e82e64b4b6a12587f9bfeb3b56e821290a5ec8e
Opcode Fuzzy Hash: 41537edae7fd09a1d0932e558d8ac235093b37a8380a38275133ea2c9a3a4088
Instruction Fuzzy Hash: 6A01753240D3D2EFDB16EA78D0956D27FA16B1731472E21DDC0A18F163D2565047FB62

Function 0000026E037A5E9C Relevance: 16.6, APIs: 11, Instructions: 108
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000026E037A5ECE

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

__doserrno.LIBCMT ref: 0000026E037A5EC5

Part of subcall function 0000026E037A0D28: _getptd_noexit.LIBCMT ref: 0000026E037A0D2C

__doserrno.LIBCMT ref: 0000026E037A5F2B
_errno.LIBCMT ref: 0000026E037A5F32
_invalid_parameter_noinfo.LIBCMT ref: 0000026E037A5F96

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
Instruction ID: 9fcaaf80579f50104dd6ca1ad1f20479657563c75b361a5fc0cc43e169d218cb
Opcode Fuzzy Hash: 45b9cdfc7a25f1278b796800b15345f673bb2555b0332f4ab4807a0dfd005840
Instruction Fuzzy Hash: 3C31C53510CF06CEEB546F68988A26E3790EB87330F5A0A58F456B72D3D6B2A8014351

Function 0000026E037A6C88 Relevance: 15.1, APIs: 10, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000026E037A6CB3

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

__doserrno.LIBCMT ref: 0000026E037A6CAB

Part of subcall function 0000026E037A0D28: _getptd_noexit.LIBCMT ref: 0000026E037A0D2C

__lock_fhandle.LIBCMT ref: 0000026E037A6CF7
_lseeki64_nolock.LIBCMT ref: 0000026E037A6D10
_unlock_fhandle.LIBCMT ref: 0000026E037A6D33

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 4df773109a1628873075912f98a72f3a906b561885a4cc113f55c358271b2c3b
Instruction ID: d33f029e53677362413dadf019398569e543b8434566712c031c34215fecca1a
Opcode Fuzzy Hash: 4df773109a1628873075912f98a72f3a906b561885a4cc113f55c358271b2c3b
Instruction Fuzzy Hash: 1C21F33521CE068EFF596B68D84A3AA72D0EBC6360F5E0A49F015B71D3D6F258014662

Function 0000026E037A6B10 Relevance: 15.1, APIs: 10, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000026E037A6B3B

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

__doserrno.LIBCMT ref: 0000026E037A6B33

Part of subcall function 0000026E037A0D28: _getptd_noexit.LIBCMT ref: 0000026E037A0D2C

__lock_fhandle.LIBCMT ref: 0000026E037A6B7F
_lseek_nolock.LIBCMT ref: 0000026E037A6B98
_unlock_fhandle.LIBCMT ref: 0000026E037A6BB9

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
Instruction ID: 7f2f7e7bd0739c4b477177ca2494ea4f3ac9c33ba7c6f75a86bf187727408c4a
Opcode Fuzzy Hash: 689a55ff460a42ab0e8479ad490ad51203e5d8515b6f39f729bbcfe6708b8e94
Instruction Fuzzy Hash: D621243560CA06CEFB196B28DC4A37E32C0EFC6320F2F0A58F016A71D3D6F658018662

Function 0000026E037A54B4 Relevance: 13.6, APIs: 9, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000026E037A54DF

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

__doserrno.LIBCMT ref: 0000026E037A54D7

Part of subcall function 0000026E037A0D28: _getptd_noexit.LIBCMT ref: 0000026E037A0D2C

__lock_fhandle.LIBCMT ref: 0000026E037A5523
_unlock_fhandle.LIBCMT ref: 0000026E037A555D

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
Instruction ID: 9b51cc0f64fba3658a3ba8928796d0a3cbddc45e42ca34748464cd5921e394bb
Opcode Fuzzy Hash: 1700ff755fa86426cee97dc6493a8bbd2f86863ab499d60c3e97554295ddf05f
Instruction Fuzzy Hash: 1321D63560CA058EFA556B68D84A3AA72D2DFC6331F1E0A4CF056A71D3D6F558018292

Function 0000026E037A4CD8 Relevance: 13.6, APIs: 9, Instructions: 71
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000026E037A4CF9

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

__doserrno.LIBCMT ref: 0000026E037A4CF1

Part of subcall function 0000026E037A0D28: _getptd_noexit.LIBCMT ref: 0000026E037A0D2C

__lock_fhandle.LIBCMT ref: 0000026E037A4D3D
_close_nolock.LIBCMT ref: 0000026E037A4D50
_unlock_fhandle.LIBCMT ref: 0000026E037A4D69

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: 33c656564c66f9f9654a7b196b7fb26e9ac042736a70bebf64fd6ea01e35a20d
Instruction ID: 7ff67d08418986dd3d5ef9d86d0ad3d05735f6fad36e88ef47c8078aad5b35df
Opcode Fuzzy Hash: 33c656564c66f9f9654a7b196b7fb26e9ac042736a70bebf64fd6ea01e35a20d
Instruction Fuzzy Hash: C521F03A10DE06DEFB156B65C88936A7690EFC6321F1B095CF11AB72E3C6F798008761

Function 0000026E0379EFEC Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000026E0379F01A

Part of subcall function 0000026E0379E2C4: RtlFreeHeap.NTDLL ref: 0000026E0379E2DA
Part of subcall function 0000026E0379E2C4: _errno.LIBCMT ref: 0000026E0379E2E4

free.LIBCMT ref: 0000026E0379F02F
free.LIBCMT ref: 0000026E0379F050
free.LIBCMT ref: 0000026E0379F065
free.LIBCMT ref: 0000026E0379F079
free.LIBCMT ref: 0000026E0379F085
free.LIBCMT ref: 0000026E0379F0B0
free.LIBCMT ref: 0000026E0379F0D1
free.LIBCMT ref: 0000026E0379F0EA
free.LIBCMT ref: 0000026E0379F11B

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: a91a23b296843b6403c2c546cf8ba7f5b36f876059cd5a555ed4ca97b585ee3e
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: B841B434268E0FCFFF94EB58D899BA673E2F758312F5A01AAD005D21D1CABD8885C711

Function 0000026E0378368C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026E03783729

Part of subcall function 0000026E0379E304: _FF_MSGBANNER.LIBCMT ref: 0000026E0379E334
Part of subcall function 0000026E0379E304: _NMSG_WRITE.LIBCMT ref: 0000026E0379E33E
Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E372
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E37D
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E388

malloc.LIBCMT ref: 0000026E03783733

Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E398
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E39D

malloc.LIBCMT ref: 0000026E0378373E
free.LIBCMT ref: 0000026E037838FE
free.LIBCMT ref: 0000026E03783906
free.LIBCMT ref: 0000026E0378390E

Part of subcall function 0000026E03784570: malloc.LIBCMT ref: 0000026E037845BA
Part of subcall function 0000026E03784570: malloc.LIBCMT ref: 0000026E037845C5
Part of subcall function 0000026E03784570: free.LIBCMT ref: 0000026E037846AC
Part of subcall function 0000026E03784570: free.LIBCMT ref: 0000026E037846B4

free.LIBCMT ref: 0000026E0378391A
free.LIBCMT ref: 0000026E03783927
free.LIBCMT ref: 0000026E03783934

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction ID: 3b005ae4020546d12180d2c9607eedbec703aba36a6900425c4ac50b8886b8fe
Opcode Fuzzy Hash: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction Fuzzy Hash: CA91EA3C31CB0A8BFB59AB6C944977B73D1EB85B00F59065ED48AD36C2DE61DC028782

Function 0000026E0379EE90 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026E0379EEB6

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000026E0379EEC2
__crtIsPackagedApp.LIBCMT ref: 0000026E0379EED3
_dosmaperr.LIBCMT ref: 0000026E0379EF1D

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction ID: a4ff7acebfca594d74769336c29c5cbf1717add79ff681c4bbbbf83c0943ebf1
Opcode Fuzzy Hash: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction Fuzzy Hash: B931BB34618E0ACFFF94EF69980936A72D2FB88351F19465EB449D32D1D7B5C8418741

Function 0000026E037A97BC Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026E037A97D5

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

__lock_fhandle.LIBCMT ref: 0000026E037A981D
__doserrno.LIBCMT ref: 0000026E037A9852
_errno.LIBCMT ref: 0000026E037A9859
_unlock_fhandle.LIBCMT ref: 0000026E037A9869

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
Instruction ID: f5412671ed9dc517e58b999b684116ccac52a6e8d55f5c13b68035d167fbdda6
Opcode Fuzzy Hash: c8931cb6991e1dcdb4b4beaef908be2012675e49725fd5fc40ebfddcb96b8d14
Instruction Fuzzy Hash: C621D33960CE0ACEFA546F68989936E7690EFC6310F4E051CF21AA72D2D7F698508751

Function 0000026E0379FB90 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026E0379FBCC

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000026E0379FBD7
memcpy_s.LIBCMT ref: 0000026E0379FC9C
_fileno.LIBCMT ref: 0000026E0379FD07
_filbuf.LIBCMT ref: 0000026E0379FD35
_errno.LIBCMT ref: 0000026E0379FD85

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction ID: d7b9b52e5b55fe01b9af6a9313f8bf69646d20010ddb7ea583b98588e965cab0
Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction Fuzzy Hash: 9961EA3821CF0B8AEB6C5A2C445D33772D2E795722F2E432FE455E32D1DAA2DC5246C1

Function 0000026E037AEC50 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 0000026E037A0680: _getptd.LIBCMT ref: 0000026E037A0696
Part of subcall function 0000026E037A0680: __updatetlocinfo.LIBCMT ref: 0000026E037A06CB
Part of subcall function 0000026E037A0680: __updatetmbcinfo.LIBCMT ref: 0000026E037A06F2

_errno.LIBCMT ref: 0000026E037AEC9F
_invalid_parameter_noinfo.LIBCMT ref: 0000026E037AECAA

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: __updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808835054-0
Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction ID: 6ff39678a9e75a6a8029ab0117f574fdd8dbc7224b209c7cce3ce8dcda78b93d
Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction Fuzzy Hash: 16318F7420CE0A8FEBA49F18908876A76D0FB98310F5A06ADF449E76D2DAB1DC408785

Function 0000026E0379F6A0 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026E0379F5F7

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000026E0379F602
_getstream.LIBCMT ref: 0000026E0379F622
_errno.LIBCMT ref: 0000026E0379F634
_errno.LIBCMT ref: 0000026E0379F646
_openfile.LIBCMT ref: 0000026E0379F674

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: aea42a6da675c9ef6e6bb8b8e91e805078560935a98c47ae5044fabd1e1da4ae
Instruction ID: c43d0c9dea45387da3b1ccafeed6fdef5c277f66cdd19796f842a89b5382fa68
Opcode Fuzzy Hash: aea42a6da675c9ef6e6bb8b8e91e805078560935a98c47ae5044fabd1e1da4ae
Instruction Fuzzy Hash: EE21A73461CB4BCFFB90AB28940936B77D1EB89351F1A0A5AE449E31E2DBB5CC404751

Function 0000026E03792274 Relevance: 9.0, APIs: 7, Instructions: 264stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 0000026E037922AE
strchr.LIBCMT ref: 0000026E037922CC
malloc.LIBCMT ref: 0000026E037922E4
malloc.LIBCMT ref: 0000026E037922F1
rand.LIBCMT ref: 0000026E037923BD
free.LIBCMT ref: 0000026E037924DB
free.LIBCMT ref: 0000026E037924E3

Part of subcall function 0000026E0379E2C4: RtlFreeHeap.NTDLL ref: 0000026E0379E2DA
Part of subcall function 0000026E0379E2C4: _errno.LIBCMT ref: 0000026E0379E2E4

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$FreeHeap_errnorand
String ID:
API String ID: 3504763109-0
Opcode ID: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction ID: 4e78bee3d14f0c5a590023e99cd65ede3a5fe804aff3377ecdf6d5c83111740d
Opcode Fuzzy Hash: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction Fuzzy Hash: BB81F63421CE9ECBEB65EB2C98093F7B3D2FF99305F09066AD589D71D3DA6188468341

Function 0000026E037831F0 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026E0378323D

Part of subcall function 0000026E0379E304: _FF_MSGBANNER.LIBCMT ref: 0000026E0379E334
Part of subcall function 0000026E0379E304: _NMSG_WRITE.LIBCMT ref: 0000026E0379E33E
Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E372
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E37D
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E388

malloc.LIBCMT ref: 0000026E03783248

Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E398
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E39D

free.LIBCMT ref: 0000026E0378332F
free.LIBCMT ref: 0000026E03783337
free.LIBCMT ref: 0000026E0378333F
free.LIBCMT ref: 0000026E0378334B
free.LIBCMT ref: 0000026E03783358

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction ID: 14632bf119ce00e58495b709a7f2612d855b42f4a80556ac31f4d01fa53243e2
Opcode Fuzzy Hash: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction Fuzzy Hash: 2D51B03C21CF0A9BEB59EB2C944967B73D1FB49700F49016DD84AD36C7EEA1E8428781

Function 0000026E0378BAF4 Relevance: 7.9, APIs: 6, Instructions: 411COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000026E0379506C: malloc.LIBCMT ref: 0000026E03795088

malloc.LIBCMT ref: 0000026E0378BBBB

Part of subcall function 0000026E0379E304: _FF_MSGBANNER.LIBCMT ref: 0000026E0379E334
Part of subcall function 0000026E0379E304: _NMSG_WRITE.LIBCMT ref: 0000026E0379E33E
Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E372
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E37D
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E388

Part of subcall function 0000026E0379B2B0: malloc.LIBCMT ref: 0000026E0379B31C

Part of subcall function 0000026E0379DB28: malloc.LIBCMT ref: 0000026E0379DB78

Part of subcall function 0000026E0379DB28: realloc.LIBCMT ref: 0000026E0379DB87

malloc.LIBCMT ref: 0000026E0378BCCA
_snprintf.LIBCMT ref: 0000026E0378BD41
_snprintf.LIBCMT ref: 0000026E0378BD67
_snprintf.LIBCMT ref: 0000026E0378BD8E
free.LIBCMT ref: 0000026E0378BF46

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno$_callnewhfreerealloc
String ID:
API String ID: 74200508-0
Opcode ID: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction ID: adabce9f07014f44a30d40d7f6f7c64047bea970851eb2750d6a894427806dfb
Opcode Fuzzy Hash: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction Fuzzy Hash: 8BD1AB3470CA06CBFF58B768845A3AF72D3EB84300F19062EA446E36D3DEB5D9058781

Function 0000026E03790714 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0000026E0379506C: malloc.LIBCMT ref: 0000026E03795088

Part of subcall function 0000026E0379F6A0: _errno.LIBCMT ref: 0000026E0379F5F7
Part of subcall function 0000026E0379F6A0: _invalid_parameter_noinfo.LIBCMT ref: 0000026E0379F602

fseek.LIBCMT ref: 0000026E037907B0

Part of subcall function 0000026E0379FF24: _errno.LIBCMT ref: 0000026E0379FF4C
Part of subcall function 0000026E0379FF24: _invalid_parameter_noinfo.LIBCMT ref: 0000026E0379FF57

_ftelli64.LIBCMT ref: 0000026E037907B8

Part of subcall function 0000026E0379FF98: _errno.LIBCMT ref: 0000026E0379FFB6
Part of subcall function 0000026E0379FF98: _invalid_parameter_noinfo.LIBCMT ref: 0000026E0379FFC1

fseek.LIBCMT ref: 0000026E037907C8

Part of subcall function 0000026E0379FF24: _fseek_nolock.LIBCMT ref: 0000026E0379FF75

malloc.LIBCMT ref: 0000026E03790808

Part of subcall function 0000026E0379E304: _FF_MSGBANNER.LIBCMT ref: 0000026E0379E334
Part of subcall function 0000026E0379E304: _NMSG_WRITE.LIBCMT ref: 0000026E0379E33E
Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E372
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E37D
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E388

fclose.LIBCMT ref: 0000026E037908C5

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction ID: 6d65d4f35e1996f3844783d479cbebb25b58f434bda4634eb9325218a088297b
Opcode Fuzzy Hash: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction Fuzzy Hash: 3C51053472CA098FEB49EB2894597BA72D2FB88310F55036EE48BD32D7DD65990287C1

Function 0000026E037A93C8 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0000026E037A93F5

Part of subcall function 0000026E037A2ED8: _FF_MSGBANNER.LIBCMT ref: 0000026E037A2EF5
Part of subcall function 0000026E037A2ED8: _NMSG_WRITE.LIBCMT ref: 0000026E037A2EFF

_lock.LIBCMT ref: 0000026E037A9408
_lock.LIBCMT ref: 0000026E037A9463
_calloc_crt.LIBCMT ref: 0000026E037A951A

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
Instruction ID: 9de2868dd1fa9bb5b17bc6e5f52efc1e3e19d943b9f6359c439f57ed6e8ff48b
Opcode Fuzzy Hash: 37ad4fda8a075f5cd4d07cec490ae037cae96ac67048c51c0eece2b82dd4d161
Instruction Fuzzy Hash: 3251047451CE0ACBEB189F18C889367B3D0FB99310F1A065DF94AD32E2D7B5D852C682

Function 0000026E03784570 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026E037845BA

Part of subcall function 0000026E0379E304: _FF_MSGBANNER.LIBCMT ref: 0000026E0379E334
Part of subcall function 0000026E0379E304: _NMSG_WRITE.LIBCMT ref: 0000026E0379E33E
Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E372
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E37D
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E388

malloc.LIBCMT ref: 0000026E037845C5

Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E398
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E39D

free.LIBCMT ref: 0000026E037846AC
free.LIBCMT ref: 0000026E037846B4
free.LIBCMT ref: 0000026E037846C0
free.LIBCMT ref: 0000026E037846CD

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction ID: 5447e98fe9f43af6245aa23b1907a4c3cbc0b4a7b48908448003c673df252776
Opcode Fuzzy Hash: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction Fuzzy Hash: BC41E23935CB0F8BEB289B29884937B77D5EB96310F19022ED886D36C3D9A1D8064381

Function 0000026E037A141C Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0000026E037A1439

Part of subcall function 0000026E037A4AD4: _errno.LIBCMT ref: 0000026E037A4ADD
Part of subcall function 0000026E037A4AD4: _invalid_parameter_noinfo.LIBCMT ref: 0000026E037A4AE8

_errno.LIBCMT ref: 0000026E037A1449

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

_errno.LIBCMT ref: 0000026E037A1465
_isatty.LIBCMT ref: 0000026E037A14C6
_getbuf.LIBCMT ref: 0000026E037A14D2

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction ID: 7b012e93cbabe72532fe7e7e271a7cc3f00ec7cf1fcf02d998137b9a09951a40
Opcode Fuzzy Hash: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction Fuzzy Hash: 2651A134118E0A8FFF98EF18C49976677E1EB88310F5D0659F85ADB2D6D6B6C840C781

Function 0000026E037982A0 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026E037982CF

Part of subcall function 0000026E0379E304: _FF_MSGBANNER.LIBCMT ref: 0000026E0379E334
Part of subcall function 0000026E0379E304: _NMSG_WRITE.LIBCMT ref: 0000026E0379E33E
Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E372
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E37D
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E388

_snprintf.LIBCMT ref: 0000026E037982E7

Part of subcall function 0000026E0379E6BC: _errno.LIBCMT ref: 0000026E0379E6F3
Part of subcall function 0000026E0379E6BC: _invalid_parameter_noinfo.LIBCMT ref: 0000026E0379E6FE

free.LIBCMT ref: 0000026E037982FE

Part of subcall function 0000026E0379E2C4: RtlFreeHeap.NTDLL ref: 0000026E0379E2DA
Part of subcall function 0000026E0379E2C4: _errno.LIBCMT ref: 0000026E0379E2E4

malloc.LIBCMT ref: 0000026E0379834E
_snprintf.LIBCMT ref: 0000026E03798366
free.LIBCMT ref: 0000026E0379838E

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$FreeHeap_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 343393124-0
Opcode ID: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction ID: 89b33c898f4158340bf1cdd03c9e4a54a3e1dbc64a6aa189de17f188acf813b3
Opcode Fuzzy Hash: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction Fuzzy Hash: C541A33430CA494FEA98AB2C68197B977D3E79E310F49429ED08EC32D6DD659C428782

Function 0000026E0378ECE4 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026E0378ED05

Part of subcall function 0000026E0379E304: _FF_MSGBANNER.LIBCMT ref: 0000026E0379E334
Part of subcall function 0000026E0379E304: _NMSG_WRITE.LIBCMT ref: 0000026E0379E33E
Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E372
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E37D
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E388

free.LIBCMT ref: 0000026E0378ED40
fwrite.LIBCMT ref: 0000026E0378ED81
fclose.LIBCMT ref: 0000026E0378ED89
free.LIBCMT ref: 0000026E0378ED96

Part of subcall function 0000026E0379E2C4: RtlFreeHeap.NTDLL ref: 0000026E0379E2DA
Part of subcall function 0000026E0379E2C4: _errno.LIBCMT ref: 0000026E0379E2E4

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$free$FreeHeap_callnewhfclosefwritemalloc
String ID:
API String ID: 415550720-0
Opcode ID: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction ID: 9414624a55aa0166900a14ccda33db1cb1f82bc2b87749d4ccc5c0aaefd9fbe7
Opcode Fuzzy Hash: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction Fuzzy Hash: 1E21B83421CE0A8BEF45FB2880597AF72D2FB98314F49065EB04AE36C6DDA589054342

Function 0000026E037A966C Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026E037A967D

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

__doserrno.LIBCMT ref: 0000026E037A9675

Part of subcall function 0000026E037A0D28: _getptd_noexit.LIBCMT ref: 0000026E037A0D2C

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: 126242b72f7bc010acd8ea4333d7444039d200a60370ab6938c60eb9619beb04
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: 5701213802DC0ECEFA95AB28C84839A3290FF8A321F9A4644B115F70E2D7BA14108712

Function 0000026E0378DC84 Relevance: 6.5, APIs: 5, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000026E0378DD53
_snprintf.LIBCMT ref: 0000026E0378DD7E
_snprintf.LIBCMT ref: 0000026E0378DD9A
_snprintf.LIBCMT ref: 0000026E0378DE4F
_snprintf.LIBCMT ref: 0000026E0378DE66

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: 1e4c424b26a3356ce5079d67c214a12b20f9d20db675e28479af7d2556dd8fe7
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: 9291C43421CA09CFEF55EF18D889BAA73E6FB95300F05066AE44AD32D2DE75D905CB81

Function 0000026E0379E06C Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026E0379E08F

Part of subcall function 0000026E0379E304: _FF_MSGBANNER.LIBCMT ref: 0000026E0379E334
Part of subcall function 0000026E0379E304: _NMSG_WRITE.LIBCMT ref: 0000026E0379E33E
Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E372
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E37D
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E388

malloc.LIBCMT ref: 0000026E0379E09D

Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E398
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E39D

malloc.LIBCMT ref: 0000026E0379E0BF
_snprintf.LIBCMT ref: 0000026E0379E0DA

Part of subcall function 0000026E0379E6BC: _errno.LIBCMT ref: 0000026E0379E6F3
Part of subcall function 0000026E0379E6BC: _invalid_parameter_noinfo.LIBCMT ref: 0000026E0379E6FE

malloc.LIBCMT ref: 0000026E0379E0F5

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction ID: cba4ef76647bffdfc08239f50eff4d97521d402162f402dd821abeab8d0283ce
Opcode Fuzzy Hash: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction Fuzzy Hash: 4211513061CF094FEBA8EB6CA44936676E2EB8C310F15465FE09AC32D6DA749D4187C2

Function 0000026E0379F6AC Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026E0379F6E4

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000026E0379F6EF
_flush.LIBCMT ref: 0000026E0379F7A1
_fileno.LIBCMT ref: 0000026E0379F7C2

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction ID: ec858b6d05bcdc3c78ba6d9d707fd83acdb6894f2d175d1cebbdbc4ffbb5dba5
Opcode Fuzzy Hash: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction Fuzzy Hash: 3F51F23421CF0B8BEF68696D584E33772C2E754711F6A036FD45AD31E6E5E2DC528181

Function 0000026E03780150 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000026E03780197
clock.LIBCMT ref: 0000026E037801A4
clock.LIBCMT ref: 0000026E037801AD
clock.LIBCMT ref: 0000026E037801BA

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: 9d6bd945f1079e120cb38cf87aadd315d997174a97db52fb89791b9ff2ba48e1
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: 5F212E3584C70EDFEF74AE9C548633BB7D0D794360F1A022EE8C6A3593E5A19C4682D2

Function 0000026E0379E8E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000026E0379E931

Part of subcall function 0000026E037A0D98: _getptd_noexit.LIBCMT ref: 0000026E037A0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000026E0379E93C

Strings

B, xrefs: 0000026E0379E968

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 7296438aa5192d8b143aff0a911a9e246734e37c30d14bcf93a462eaf5b13289
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: 9811BF30228F098FEB54EF58948976AB3D2FB98324F5547AEA059D32E1DB74C844C782

Function 0000026E03799DC4 Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026E03799DF8

Part of subcall function 0000026E0379E304: _FF_MSGBANNER.LIBCMT ref: 0000026E0379E334
Part of subcall function 0000026E0379E304: _NMSG_WRITE.LIBCMT ref: 0000026E0379E33E
Part of subcall function 0000026E0379E304: _callnewh.LIBCMT ref: 0000026E0379E372
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E37D
Part of subcall function 0000026E0379E304: _errno.LIBCMT ref: 0000026E0379E388

free.LIBCMT ref: 0000026E03799F3F
free.LIBCMT ref: 0000026E03799FA3
free.LIBCMT ref: 0000026E03799FAF

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction ID: ba9627371ca9059cc36e9e34edeef6ef714229c89d7d50fa905b5079ae4a1389
Opcode Fuzzy Hash: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction Fuzzy Hash: A861C83431C91ACBFE58EB18D4597AA73D3E789350F1A0A2EE546D31D3DFA698428381

Function 0000026E03783380 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000026E037833E3

Memory Dump Source

Source File: 00000006.00000002.2589409754.0000026E03780000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026E03780000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_26e03780000_wermgr.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction ID: 70a79e1486399c4c46e78f9e7629c768c4eaf2dfe1530103a1ed97c316a27580
Opcode Fuzzy Hash: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction Fuzzy Hash: B851A43C21CA068BEF59DF2CD48967B73D1EB89710F19455DD88FD36C6EA61DC028681

Analysis Process: wermgr.exePID: 8012, Parent PID: 7972COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	562
Total number of Limit Nodes:	29

Executed Functions

Function 0000015A06FF0000 Relevance: 1.7, APIs: 1, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 0000015A06FF00D0

Memory Dump Source

Source File: 00000007.00000002.2588686195.0000015A06FF0000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000015A06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a06ff0000_wermgr.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 88e8bec169d31fc803aeef05fed04f98ffb8ac2501b92b4af572ff67ccb03544
Instruction ID: 7948a8f4da15f0a948c99df06e363dfccd3a899b2f058f592fcb8360a545f94e
Opcode Fuzzy Hash: 88e8bec169d31fc803aeef05fed04f98ffb8ac2501b92b4af572ff67ccb03544
Instruction Fuzzy Hash: 20510130264E458FC71CCF1C88D1A3577D5EF8930AB65A26DE59ACF2ABCD70D862C681

Function 0000015A072E4EA8 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000015A072E506C: malloc.LIBCMT ref: 0000015A072E5088

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,?,-00000001,?,00000002,0000015A072DBD09), ref: 0000015A072E4F2F
strrchr.LIBCMT ref: 0000015A072E4F6D
_snprintf.LIBCMT ref: 0000015A072E501B

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: NameUser_snprintfmallocstrrchr
String ID:
API String ID: 1238167203-0
Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction ID: 7faa14c0e9ec1281d3a468686df765589dab0ef31a81fab6fcb0369816928b7b
Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction Fuzzy Hash: C7517330768E084FEA58AB6DA8567B977D6EBCD311F94462DF08AC72D3D934DC028742

Function 0000015A072DE094 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32 ref: 0000015A072DE0C2

Strings

_Cy, xrefs: 0000015A072DE121

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: Socket
String ID: _Cy
API String ID: 38366605-1085951347
Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction ID: e1710c012568a5b23d1847c277132d4721335fc042a6c4d8173c3ed9da8ebbf1
Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction Fuzzy Hash: 6B318730658F488BD754DF2898847A6BBE1EBE8316F51167EE44AC72D1DB34CD418742

Function 0000015A072DDAC8 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 0000015A072DDB8C
InternetConnectA.WININET ref: 0000015A072DDBFA

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction ID: 5e849c8a901ee3466e7ca3b9f77c4373c1ba8a49690800b270bc62ca1bbf1762
Opcode Fuzzy Hash: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction Fuzzy Hash: 0351D430768F048FEB59DB28D8957A877D5FB8C305F51552EA08BCB2D2CA3C99028743

Function 0000015A072EC36C Relevance: 1.3, APIs: 1, Instructions: 75
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 0000015A072EC422

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 33013136f0bb95f1eb9f3645b418df4a5ff2efb559231014e174e8ee2656166c
Instruction ID: eb08e8c4e51e17a8ade380384700d4eb671f3fb057a8a1634c498ca0039f7da8
Opcode Fuzzy Hash: 33013136f0bb95f1eb9f3645b418df4a5ff2efb559231014e174e8ee2656166c
Instruction Fuzzy Hash: 1A218730558E08CFEB94DF5CE8547693BE9F7DC356F900A3AE049C72A0C6789980CB52

Non-executed Functions

Function 0000015A072F5E9C Relevance: 16.6, APIs: 11, Instructions: 108
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000015A072F5ECE

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

__doserrno.LIBCMT ref: 0000015A072F5EC5

Part of subcall function 0000015A072F0D28: _getptd_noexit.LIBCMT ref: 0000015A072F0D2C

__doserrno.LIBCMT ref: 0000015A072F5F2B
_errno.LIBCMT ref: 0000015A072F5F32
_invalid_parameter_noinfo.LIBCMT ref: 0000015A072F5F96

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction ID: a1e18c907f6b2f98f87c9f97ad11501551c4f135ada62fab311a336908818059
Opcode Fuzzy Hash: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction Fuzzy Hash: 6731C430168F058EE3646F699C923E93BC0EF8A322F910769F4568F2D3D674A8214B53

Function 0000015A072F6C88 Relevance: 15.1, APIs: 10, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000015A072F6CB3

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

__doserrno.LIBCMT ref: 0000015A072F6CAB

Part of subcall function 0000015A072F0D28: _getptd_noexit.LIBCMT ref: 0000015A072F0D2C

__lock_fhandle.LIBCMT ref: 0000015A072F6CF7
_lseeki64_nolock.LIBCMT ref: 0000015A072F6D10
_unlock_fhandle.LIBCMT ref: 0000015A072F6D33

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction ID: 6e1729650435362ee5541461f08f4f70e90c743e1aa0708a629fab7b85fd77a8
Opcode Fuzzy Hash: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction Fuzzy Hash: AC21F630668E048EF3656B58DC423E97BD0EFCD322F95076AF0558B1D3D67068614E63

Function 0000015A072F6B10 Relevance: 15.1, APIs: 10, Instructions: 88
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000015A072F6B3B

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

__doserrno.LIBCMT ref: 0000015A072F6B33

Part of subcall function 0000015A072F0D28: _getptd_noexit.LIBCMT ref: 0000015A072F0D2C

__lock_fhandle.LIBCMT ref: 0000015A072F6B7F
_lseek_nolock.LIBCMT ref: 0000015A072F6B98
_unlock_fhandle.LIBCMT ref: 0000015A072F6BB9

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction ID: 41517f3da120aea2747ab5e0150afff7a85ad8a240c11c13b58e82242d98b14a
Opcode Fuzzy Hash: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction Fuzzy Hash: A421E5316A8A048EE3256B58DC523FD3BC0DFCA322F950769F4568F2D3D67468614A53

Function 0000015A072F54B4 Relevance: 13.6, APIs: 9, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000015A072F54DF

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

__doserrno.LIBCMT ref: 0000015A072F54D7

Part of subcall function 0000015A072F0D28: _getptd_noexit.LIBCMT ref: 0000015A072F0D2C

__lock_fhandle.LIBCMT ref: 0000015A072F5523
_unlock_fhandle.LIBCMT ref: 0000015A072F555D

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction ID: 8022aa2a895725ecdaeb84831b408e836a73c3f3c2dda3b686dc1885ec34a606
Opcode Fuzzy Hash: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction Fuzzy Hash: 5821F630668A048EF3656B58DC523E83BC1DFC9322F950729F0168F1D3D674A8214E93

Function 0000015A072F4CD8 Relevance: 13.6, APIs: 9, Instructions: 71
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 0000015A072F4CF9

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

__doserrno.LIBCMT ref: 0000015A072F4CF1

Part of subcall function 0000015A072F0D28: _getptd_noexit.LIBCMT ref: 0000015A072F0D2C

__lock_fhandle.LIBCMT ref: 0000015A072F4D3D
_close_nolock.LIBCMT ref: 0000015A072F4D50
_unlock_fhandle.LIBCMT ref: 0000015A072F4D69

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction ID: c70035d8d496e164544748c7067cea28d02eb125b84b6dda475614cb06b0bde7
Opcode Fuzzy Hash: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction Fuzzy Hash: 6621D4315A5E84CEE3656B64CC517E97F90EFC9322F91077AB0168F1D3C6B498508F52

Function 0000015A072EEFEC Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 0000015A072EF01A

Part of subcall function 0000015A072EE2C4: RtlFreeHeap.NTDLL ref: 0000015A072EE2DA
Part of subcall function 0000015A072EE2C4: _errno.LIBCMT ref: 0000015A072EE2E4

free.LIBCMT ref: 0000015A072EF02F
free.LIBCMT ref: 0000015A072EF050
free.LIBCMT ref: 0000015A072EF065
free.LIBCMT ref: 0000015A072EF079
free.LIBCMT ref: 0000015A072EF085
free.LIBCMT ref: 0000015A072EF0B0
free.LIBCMT ref: 0000015A072EF0D1
free.LIBCMT ref: 0000015A072EF0EA
free.LIBCMT ref: 0000015A072EF11B

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: 241a5d806c154299e19ec06bdd8c3868eaf1a4ed05fb939576f23d8f26e0e5b3
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: C3415C306A0E0ACFFB95EB58DCA4BE577E5EB98312FD0016DA009C61D1CA3C89458712

Function 0000015A072D368C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000015A072D3729

Part of subcall function 0000015A072EE304: _FF_MSGBANNER.LIBCMT ref: 0000015A072EE334
Part of subcall function 0000015A072EE304: _NMSG_WRITE.LIBCMT ref: 0000015A072EE33E
Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE372
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE37D
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE388

malloc.LIBCMT ref: 0000015A072D3733

Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE398
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE39D

malloc.LIBCMT ref: 0000015A072D373E
free.LIBCMT ref: 0000015A072D38FE
free.LIBCMT ref: 0000015A072D3906
free.LIBCMT ref: 0000015A072D390E

Part of subcall function 0000015A072D4570: malloc.LIBCMT ref: 0000015A072D45BA
Part of subcall function 0000015A072D4570: malloc.LIBCMT ref: 0000015A072D45C5
Part of subcall function 0000015A072D4570: free.LIBCMT ref: 0000015A072D46AC
Part of subcall function 0000015A072D4570: free.LIBCMT ref: 0000015A072D46B4

free.LIBCMT ref: 0000015A072D391A
free.LIBCMT ref: 0000015A072D3927
free.LIBCMT ref: 0000015A072D3934

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction ID: a67122ddaca9efe5435ab7f20c0a1f6b8ae440d12d6dff2d6016a8b302a29d3b
Opcode Fuzzy Hash: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction Fuzzy Hash: 2F91A130768F488BE759EA2898517F977D5EBC9711F80035EA48ACB2C3DE309D028687

Function 0000015A072EEE90 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000015A072EEEB6

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000015A072EEEC2
__crtIsPackagedApp.LIBCMT ref: 0000015A072EEED3
_dosmaperr.LIBCMT ref: 0000015A072EEF1D

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction ID: e1805d10b2485d84c56426d8f17c33baf92bcb4b4e1376fec3d2c2787d527143
Opcode Fuzzy Hash: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction Fuzzy Hash: 96319230A64E098FFB54AB699C153A97BD4FFCC322F95466DB44AC72E2D738C8408742

Function 0000015A072F97BC Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000015A072F97D5

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

__lock_fhandle.LIBCMT ref: 0000015A072F981D
__doserrno.LIBCMT ref: 0000015A072F9852
_errno.LIBCMT ref: 0000015A072F9859
_unlock_fhandle.LIBCMT ref: 0000015A072F9869

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction ID: fadd7047ad3d1bb00822e684db3f2f79c8b4c7fdaafbce8ee07b15d5c66b6106
Opcode Fuzzy Hash: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction Fuzzy Hash: 1B21B2706A4E04CEE6246B689C913E96F90EFC9312F84073DF156CF2D3D674A8904B53

Function 0000015A072EFB90 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000015A072EFBCC

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000015A072EFBD7
memcpy_s.LIBCMT ref: 0000015A072EFC9C
_fileno.LIBCMT ref: 0000015A072EFD07
_filbuf.LIBCMT ref: 0000015A072EFD35
_errno.LIBCMT ref: 0000015A072EFD85

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction ID: 4468efc52605274b8ea82ab9f8582f21e1a951792c496d3a5ee85110245651e6
Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction Fuzzy Hash: 17610630278F098AE3A8962C4D653B57BC5EFDD722FE4072EF456C62D1EA70985246C3

Function 0000015A072FEC50 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 0000015A072F0680: _getptd.LIBCMT ref: 0000015A072F0696
Part of subcall function 0000015A072F0680: __updatetlocinfo.LIBCMT ref: 0000015A072F06CB
Part of subcall function 0000015A072F0680: __updatetmbcinfo.LIBCMT ref: 0000015A072F06F2

_errno.LIBCMT ref: 0000015A072FEC9F
_invalid_parameter_noinfo.LIBCMT ref: 0000015A072FECAA

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: __updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808835054-0
Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction ID: 0658d90dc6a033120620924562baf9c29e07740e020c7b5c557f52a43467cd6b
Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction Fuzzy Hash: 7C316030668E088FD7659F1894807A97BD0EF9C311F95037AB449CB2E2DA70D8508B86

Function 0000015A072EF6A0 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000015A072EF5F7

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000015A072EF602
_getstream.LIBCMT ref: 0000015A072EF622
_errno.LIBCMT ref: 0000015A072EF634
_errno.LIBCMT ref: 0000015A072EF646
_openfile.LIBCMT ref: 0000015A072EF674

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction ID: d5103d62e6f85452b11414fc19c9ffd7c82bc6013f45d7d1fd00ebfa865f0cac
Opcode Fuzzy Hash: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction Fuzzy Hash: B8219130668E498FF790AB2848113AA6BD1EFDD302FD5066EB449CB1D2DB34C8504B52

Function 0000015A072E2274 Relevance: 9.0, APIs: 7, Instructions: 264stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 0000015A072E22AE
strchr.LIBCMT ref: 0000015A072E22CC
malloc.LIBCMT ref: 0000015A072E22E4
malloc.LIBCMT ref: 0000015A072E22F1
rand.LIBCMT ref: 0000015A072E23BD
free.LIBCMT ref: 0000015A072E24DB
free.LIBCMT ref: 0000015A072E24E3

Part of subcall function 0000015A072EE2C4: RtlFreeHeap.NTDLL ref: 0000015A072EE2DA
Part of subcall function 0000015A072EE2C4: _errno.LIBCMT ref: 0000015A072EE2E4

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$FreeHeap_errnorand
String ID:
API String ID: 3504763109-0
Opcode ID: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction ID: 95e8e3f54d591631d9b238393236ab1ef1488cd97c8eb6fabfcfca404b057795
Opcode Fuzzy Hash: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction Fuzzy Hash: 7881EA30668E58CBF765AB2C9C217F5B7D9FFDD306FC00269A58ACB1D2DA3485468342

Function 0000015A072D31F0 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000015A072D323D

Part of subcall function 0000015A072EE304: _FF_MSGBANNER.LIBCMT ref: 0000015A072EE334
Part of subcall function 0000015A072EE304: _NMSG_WRITE.LIBCMT ref: 0000015A072EE33E
Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE372
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE37D
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE388

malloc.LIBCMT ref: 0000015A072D3248

Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE398
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE39D

free.LIBCMT ref: 0000015A072D332F
free.LIBCMT ref: 0000015A072D3337
free.LIBCMT ref: 0000015A072D333F
free.LIBCMT ref: 0000015A072D334B
free.LIBCMT ref: 0000015A072D3358

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction ID: bc60b755446fcd6f21f8c2fc3669456853051c5caf583bfdfec99efc60c580a1
Opcode Fuzzy Hash: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction Fuzzy Hash: 6851A330668F499BE799DA28D8552B977D4FB89301FC0422DE84AC62C7EE70DC0286C2

Function 0000015A072DBAF4 Relevance: 7.9, APIs: 6, Instructions: 411COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000015A072E506C: malloc.LIBCMT ref: 0000015A072E5088

malloc.LIBCMT ref: 0000015A072DBBBB

Part of subcall function 0000015A072EE304: _FF_MSGBANNER.LIBCMT ref: 0000015A072EE334
Part of subcall function 0000015A072EE304: _NMSG_WRITE.LIBCMT ref: 0000015A072EE33E
Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE372
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE37D
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE388

Part of subcall function 0000015A072EB2B0: malloc.LIBCMT ref: 0000015A072EB31C

Part of subcall function 0000015A072EDB28: malloc.LIBCMT ref: 0000015A072EDB78

Part of subcall function 0000015A072EDB28: realloc.LIBCMT ref: 0000015A072EDB87

malloc.LIBCMT ref: 0000015A072DBCCA
_snprintf.LIBCMT ref: 0000015A072DBD41
_snprintf.LIBCMT ref: 0000015A072DBD67
_snprintf.LIBCMT ref: 0000015A072DBD8E
free.LIBCMT ref: 0000015A072DBF46

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno$_callnewhfreerealloc
String ID:
API String ID: 74200508-0
Opcode ID: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction ID: bb411cba331572dc832c12d37ad9e0f1191fd2d191189d07e3a80bc6ff844d4d
Opcode Fuzzy Hash: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction Fuzzy Hash: 1DD14E70664E448AEB58AB648C667E977D6EFCC302FD0462DB446CB2D3DE389D058683

Function 0000015A072E0714 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0000015A072E506C: malloc.LIBCMT ref: 0000015A072E5088

Part of subcall function 0000015A072EF6A0: _errno.LIBCMT ref: 0000015A072EF5F7
Part of subcall function 0000015A072EF6A0: _invalid_parameter_noinfo.LIBCMT ref: 0000015A072EF602

fseek.LIBCMT ref: 0000015A072E07B0

Part of subcall function 0000015A072EFF24: _errno.LIBCMT ref: 0000015A072EFF4C
Part of subcall function 0000015A072EFF24: _invalid_parameter_noinfo.LIBCMT ref: 0000015A072EFF57

_ftelli64.LIBCMT ref: 0000015A072E07B8

Part of subcall function 0000015A072EFF98: _errno.LIBCMT ref: 0000015A072EFFB6
Part of subcall function 0000015A072EFF98: _invalid_parameter_noinfo.LIBCMT ref: 0000015A072EFFC1

fseek.LIBCMT ref: 0000015A072E07C8

Part of subcall function 0000015A072EFF24: _fseek_nolock.LIBCMT ref: 0000015A072EFF75

malloc.LIBCMT ref: 0000015A072E0808

Part of subcall function 0000015A072EE304: _FF_MSGBANNER.LIBCMT ref: 0000015A072EE334
Part of subcall function 0000015A072EE304: _NMSG_WRITE.LIBCMT ref: 0000015A072EE33E
Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE372
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE37D
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE388

fclose.LIBCMT ref: 0000015A072E08C5

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction ID: d49c57b6cfd325fd71a4eb21b17e9699eaf9cf1d6548044bc520f98c7730ac7b
Opcode Fuzzy Hash: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction Fuzzy Hash: 26518D31668E088FE758EB2898657E977D5EFCC301F90436EB48BC72D7DD7499028682

Function 0000015A072F93C8 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 0000015A072F93F5

Part of subcall function 0000015A072F2ED8: _FF_MSGBANNER.LIBCMT ref: 0000015A072F2EF5
Part of subcall function 0000015A072F2ED8: _NMSG_WRITE.LIBCMT ref: 0000015A072F2EFF

_lock.LIBCMT ref: 0000015A072F9408
_lock.LIBCMT ref: 0000015A072F9463
_calloc_crt.LIBCMT ref: 0000015A072F951A

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction ID: ab93a03f45b2d280bc8397489215d7ab2b58d9638cc81de63d741d673e23f2d4
Opcode Fuzzy Hash: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction Fuzzy Hash: 4251C870568E04CFE754AF18DC453A5BBD0FF98311F91036DE88ACB1D2D674E8928A82

Function 0000015A072D4570 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000015A072D45BA

Part of subcall function 0000015A072EE304: _FF_MSGBANNER.LIBCMT ref: 0000015A072EE334
Part of subcall function 0000015A072EE304: _NMSG_WRITE.LIBCMT ref: 0000015A072EE33E
Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE372
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE37D
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE388

malloc.LIBCMT ref: 0000015A072D45C5

Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE398
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE39D

free.LIBCMT ref: 0000015A072D46AC
free.LIBCMT ref: 0000015A072D46B4
free.LIBCMT ref: 0000015A072D46C0
free.LIBCMT ref: 0000015A072D46CD

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction ID: b5064eb5c33eac2e159e54149f56c28913b3254cddf79a98987f070d25d84916
Opcode Fuzzy Hash: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction Fuzzy Hash: BC41D270668F498BEB18EA684C452B67BD5EBDA312F90022DE887C72C3D930DC0646C2

Function 0000015A072F141C Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 0000015A072F1439

Part of subcall function 0000015A072F4AD4: _errno.LIBCMT ref: 0000015A072F4ADD
Part of subcall function 0000015A072F4AD4: _invalid_parameter_noinfo.LIBCMT ref: 0000015A072F4AE8

_errno.LIBCMT ref: 0000015A072F1449

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

_errno.LIBCMT ref: 0000015A072F1465
_isatty.LIBCMT ref: 0000015A072F14C6
_getbuf.LIBCMT ref: 0000015A072F14D2

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction ID: 55e14f33be7adea7a0922452b95aa8a551afe3dc3422a9e6d49fc1c34ad76ba2
Opcode Fuzzy Hash: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction Fuzzy Hash: B6516130164E0CCFEB58AF1888917A57BE1EFD8311FD40769E456CF2D6E674C8618B82

Function 0000015A072E82A0 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000015A072E82CF

Part of subcall function 0000015A072EE304: _FF_MSGBANNER.LIBCMT ref: 0000015A072EE334
Part of subcall function 0000015A072EE304: _NMSG_WRITE.LIBCMT ref: 0000015A072EE33E
Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE372
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE37D
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE388

_snprintf.LIBCMT ref: 0000015A072E82E7

Part of subcall function 0000015A072EE6BC: _errno.LIBCMT ref: 0000015A072EE6F3
Part of subcall function 0000015A072EE6BC: _invalid_parameter_noinfo.LIBCMT ref: 0000015A072EE6FE

free.LIBCMT ref: 0000015A072E82FE

Part of subcall function 0000015A072EE2C4: RtlFreeHeap.NTDLL ref: 0000015A072EE2DA
Part of subcall function 0000015A072EE2C4: _errno.LIBCMT ref: 0000015A072EE2E4

malloc.LIBCMT ref: 0000015A072E834E
_snprintf.LIBCMT ref: 0000015A072E8366
free.LIBCMT ref: 0000015A072E838E

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$FreeHeap_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 343393124-0
Opcode ID: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction ID: e3375b20979edfd715472d4fc508134433c45119133140e52e5949e9bcefa8a2
Opcode Fuzzy Hash: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction Fuzzy Hash: AD41A03065CE484FEA98AB2C68253F87BD6EBCD311B84529DE0CEC72D6D9349C024782

Function 0000015A072DECE4 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000015A072DED05

Part of subcall function 0000015A072EE304: _FF_MSGBANNER.LIBCMT ref: 0000015A072EE334
Part of subcall function 0000015A072EE304: _NMSG_WRITE.LIBCMT ref: 0000015A072EE33E
Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE372
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE37D
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE388

free.LIBCMT ref: 0000015A072DED40
fwrite.LIBCMT ref: 0000015A072DED81
fclose.LIBCMT ref: 0000015A072DED89
free.LIBCMT ref: 0000015A072DED96

Part of subcall function 0000015A072EE2C4: RtlFreeHeap.NTDLL ref: 0000015A072EE2DA
Part of subcall function 0000015A072EE2C4: _errno.LIBCMT ref: 0000015A072EE2E4

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$free$FreeHeap_callnewhfclosefwritemalloc
String ID:
API String ID: 415550720-0
Opcode ID: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction ID: 46cef6411deb2c1aaa6d477597314087925e3addbed415cb8c197086ed338569
Opcode Fuzzy Hash: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction Fuzzy Hash: 6E213030A78E088BE684EB2888653EA7BD5FFDC305FD4066D704ACB2C6DD348D014283

Function 0000015A072F966C Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000015A072F967D

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

__doserrno.LIBCMT ref: 0000015A072F9675

Part of subcall function 0000015A072F0D28: _getptd_noexit.LIBCMT ref: 0000015A072F0D2C

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: 1d339c966242085c79826949a4ed98990b7ebd22ed81ffabe206f6d05a881c43
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: F3014B305B5D08CEE2A5AB68CC513D83B90EF99326FD54369B416CA1E6D67864A08E13

Function 0000015A072DDC84 Relevance: 6.5, APIs: 5, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 0000015A072DDD53
_snprintf.LIBCMT ref: 0000015A072DDD7E
_snprintf.LIBCMT ref: 0000015A072DDD9A
_snprintf.LIBCMT ref: 0000015A072DDE4F
_snprintf.LIBCMT ref: 0000015A072DDE66

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: 7bc889ff86b3d3ac79096939ada7bc321f158be31cf3c96a2fcbcf9da021d85c
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: ED91B130668E48CFEB55EB18DC95BEA77E5FF99301F80066AE446C71D2DA38D901CB42

Function 0000015A072EE06C Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000015A072EE08F

Part of subcall function 0000015A072EE304: _FF_MSGBANNER.LIBCMT ref: 0000015A072EE334
Part of subcall function 0000015A072EE304: _NMSG_WRITE.LIBCMT ref: 0000015A072EE33E
Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE372
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE37D
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE388

malloc.LIBCMT ref: 0000015A072EE09D

Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE398
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE39D

malloc.LIBCMT ref: 0000015A072EE0BF
_snprintf.LIBCMT ref: 0000015A072EE0DA

Part of subcall function 0000015A072EE6BC: _errno.LIBCMT ref: 0000015A072EE6F3
Part of subcall function 0000015A072EE6BC: _invalid_parameter_noinfo.LIBCMT ref: 0000015A072EE6FE

malloc.LIBCMT ref: 0000015A072EE0F5

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction ID: c487c1295622fa933c8bf2181720c967597e9c42a26fed5beaf657e487e960b6
Opcode Fuzzy Hash: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction Fuzzy Hash: 31114C30A2CF084FE7A8EB68A4553A57BD1EBCC711F91465EF09AC32D6DA349D4187C2

Function 0000015A072EF6AC Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000015A072EF6E4

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000015A072EF6EF
_flush.LIBCMT ref: 0000015A072EF7A1
_fileno.LIBCMT ref: 0000015A072EF7C2

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction ID: 9dff9510c80799304cb1207f5fa0e78890414f663c75da1414e3f2ea7ceba51c
Opcode Fuzzy Hash: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction Fuzzy Hash: 8851E830268E098BE6A869695D653A57BC4EFDC312FE1033EF45AC71D6EA70DC528183

Function 0000015A072D0150 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 0000015A072D0197
clock.LIBCMT ref: 0000015A072D01A4
clock.LIBCMT ref: 0000015A072D01AD
clock.LIBCMT ref: 0000015A072D01BA

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: 0f57356304c79f982ccf113865bf6f5d0d90c502a2ae3ba4cf9b4ae4f3174c4c
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: 6C21293245CB088AE774E99C68423AABBD0DFC8351F51132EF896872A3F570DC4286D3

Function 0000015A072EE8E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 0000015A072EE931

Part of subcall function 0000015A072F0D98: _getptd_noexit.LIBCMT ref: 0000015A072F0D9C

_invalid_parameter_noinfo.LIBCMT ref: 0000015A072EE93C

Strings

B, xrefs: 0000015A072EE968

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 408326a91d4eb11d82aa56e0772a8410c71f2229bfdc494dee57c83327968e11
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: 7D11B230628F0C8FE754EF1898857A9B7D1FB98325F9047AEA019C72E5CB74C944CB82

Function 0000015A072E9DC4 Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000015A072E9DF8

Part of subcall function 0000015A072EE304: _FF_MSGBANNER.LIBCMT ref: 0000015A072EE334
Part of subcall function 0000015A072EE304: _NMSG_WRITE.LIBCMT ref: 0000015A072EE33E
Part of subcall function 0000015A072EE304: _callnewh.LIBCMT ref: 0000015A072EE372
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE37D
Part of subcall function 0000015A072EE304: _errno.LIBCMT ref: 0000015A072EE388

free.LIBCMT ref: 0000015A072E9F3F
free.LIBCMT ref: 0000015A072E9FA3
free.LIBCMT ref: 0000015A072E9FAF

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction ID: 2c0e307e7941ea4081656bbfe8ec329454eab74bad1e09c29c324a4e8e72bacb
Opcode Fuzzy Hash: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction Fuzzy Hash: D261A530268E098BEA58EB188C617E977D5EFCC341FD04B2DB546CB1D6DA3499418683

Function 0000015A072D3380 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 0000015A072D33E3

Memory Dump Source

Source File: 00000007.00000002.2589411150.0000015A072D0000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000015A072D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a072d0000_wermgr.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction ID: d52283d05780fb55e1e2b681d159821cffe8c6714df81305cd38376497685e90
Opcode Fuzzy Hash: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction Fuzzy Hash: DB518130668F05CBEB59DE28DC556AA77D1EFC9311F80465DE84BC72C7EA34DC028682

Analysis Process: wermgr.exePID: 7172, Parent PID: 8176COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	563
Total number of Limit Nodes:	29

Executed Functions

Function 000002963D080000 Relevance: 1.7, APIs: 1, Instructions: 211
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNELBASE ref: 000002963D0800D0

Memory Dump Source

Source File: 0000000A.00000002.2589449610.000002963D080000.00000020.00001000.00020000.00000000.sdmp, Offset: 000002963D080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d080000_wermgr.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 88e8bec169d31fc803aeef05fed04f98ffb8ac2501b92b4af572ff67ccb03544
Instruction ID: 203fd0e71b8c5c23d959a2efaec593ad49aecaa19972f1693b9016a9c2a1c2f5
Opcode Fuzzy Hash: 88e8bec169d31fc803aeef05fed04f98ffb8ac2501b92b4af572ff67ccb03544
Instruction Fuzzy Hash: 4C515630204B858FCB1DCE1C86E9A3573D1FB85705F0592ACE59BCB26BCA30DC62CA84

Function 000002963D224EA8 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000002963D22506C: malloc.LIBCMT ref: 000002963D225088

GetUserNameA.ADVAPI32(?,?,?,?,?,?,?,-00000001,?,-00000001,?,00000002,000002963D21BD09), ref: 000002963D224F2F
strrchr.LIBCMT ref: 000002963D224F6D
_snprintf.LIBCMT ref: 000002963D22501B

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: NameUser_snprintfmallocstrrchr
String ID:
API String ID: 1238167203-0
Opcode ID: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction ID: 8bb87ac86b4089532780ea885f17821a7a7fde3fec89ed73d75ddc7b81460bcd
Opcode Fuzzy Hash: d69273eeb4579e6a96eb8d0c87a60564a21875d7210b55cf29d23a145d20b21e
Instruction Fuzzy Hash: E751853071CA084FEB48AB69A45E7B972D2EBC8710F14856DF19EC32D7DA38DC029745

Function 000002963D21E094 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASocketA.WS2_32 ref: 000002963D21E0C2

Strings

_Cy, xrefs: 000002963D21E121

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: Socket
String ID: _Cy
API String ID: 38366605-1085951347
Opcode ID: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction ID: 27adf02e566ad2d33d11eba32164dfb0aa46f5c3c23465e91cc3ef39343ab086
Opcode Fuzzy Hash: 9f6035121241c12ff71e8e552415c275c25b201d0c9d2d3551ffb33b20d91594
Instruction Fuzzy Hash: 9A31D430608E484BDBA4DF29988C76AB7E1FBE8315F104A7EE58AC3291DB35C9428745

Function 000002963D21DAC8 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 000002963D21DB8C
InternetConnectA.WININET ref: 000002963D21DBFA

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: Internet$ConnectOpen
String ID:
API String ID: 2790792615-0
Opcode ID: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction ID: 0de48a7c749c718627e545f3c4d5d0493388088e1033bbacb8d25b90c9353472
Opcode Fuzzy Hash: c02896be98f17698b461471e8597e5ae08ffedd86d74317b17a8770a829ca45e
Instruction Fuzzy Hash: 3F51B530618A048FEB59DF29D4AE76973D1FF88704F11446DB18BC3692DA3CD902D786

Function 000002963D22C36C Relevance: 1.3, APIs: 1, Instructions: 75
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE ref: 000002963D22C422

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 33013136f0bb95f1eb9f3645b418df4a5ff2efb559231014e174e8ee2656166c
Instruction ID: 5e745c1a148c9123b8911de5b916103889e07953894a94e481abad76af1125aa
Opcode Fuzzy Hash: 33013136f0bb95f1eb9f3645b418df4a5ff2efb559231014e174e8ee2656166c
Instruction Fuzzy Hash: 91218130628A488FEBD5DF1DE45C72A37E5FBAC719F00097AF189C32A0C6799940EB45

Non-executed Functions

Function 000002963D235E9C Relevance: 16.6, APIs: 11, Instructions: 108
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000002963D235ECE

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

__doserrno.LIBCMT ref: 000002963D235EC5

Part of subcall function 000002963D230D28: _getptd_noexit.LIBCMT ref: 000002963D230D2C

__doserrno.LIBCMT ref: 000002963D235F2B
_errno.LIBCMT ref: 000002963D235F32
_invalid_parameter_noinfo.LIBCMT ref: 000002963D235F96

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: __doserrno_errno_getptd_noexit$_invalid_parameter_noinfo
String ID:
API String ID: 388111225-0
Opcode ID: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction ID: f91deddb079e299563dd2fbfc5cd22de2d31181a1b7d90d8dd765610c665285e
Opcode Fuzzy Hash: f569b21a01fad2a92039226acf8a97d91cb16fac7f3924a9cc2c8e1a455bf938
Instruction Fuzzy Hash: FB312970118B084FF3556F6A9CAE37C37D0EF47B20F510698F656872D3D634A8015355

Function 000002963D236C88 Relevance: 15.1, APIs: 10, Instructions: 93
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000002963D236CB3

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

__doserrno.LIBCMT ref: 000002963D236CAB

Part of subcall function 000002963D230D28: _getptd_noexit.LIBCMT ref: 000002963D230D2C

__lock_fhandle.LIBCMT ref: 000002963D236CF7
_lseeki64_nolock.LIBCMT ref: 000002963D236D10
_unlock_fhandle.LIBCMT ref: 000002963D236D33

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction ID: 78a40841da3c3c34af022294edc563f1b94ac3855abf76a59947aa83af363634
Opcode Fuzzy Hash: 1a0056bbafc3a7faafb75a0a5683c60387dc6450d26c6e1c9b28f7a797692c5c
Instruction Fuzzy Hash: A7216830618A080FF3996F1EDC6E3BC72D4EF86B21F5506CCF256C71D7C66158015269

Function 000002963D236B10 Relevance: 15.1, APIs: 10, Instructions: 88
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000002963D236B3B

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

__doserrno.LIBCMT ref: 000002963D236B33

Part of subcall function 000002963D230D28: _getptd_noexit.LIBCMT ref: 000002963D230D2C

__lock_fhandle.LIBCMT ref: 000002963D236B7F
_lseek_nolock.LIBCMT ref: 000002963D236B98
_unlock_fhandle.LIBCMT ref: 000002963D236BB9

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseek_nolock_unlock_fhandle
String ID:
API String ID: 1078912150-0
Opcode ID: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction ID: b676e980c0282a221d516dc6dd0a280ce3415ff8180e3efbc91f534ed3ba1262
Opcode Fuzzy Hash: af586274eb7c0247a5ed565ce490a43ddd2b1adc4c580e4a875ff27a69eb19f0
Instruction Fuzzy Hash: 272168306082040FF3596F1ACC6E3BC33D9DF82B21F0506D8F296871E3C6605801566A

Function 000002963D2354B4 Relevance: 13.6, APIs: 9, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000002963D2354DF

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

__doserrno.LIBCMT ref: 000002963D2354D7

Part of subcall function 000002963D230D28: _getptd_noexit.LIBCMT ref: 000002963D230D2C

__lock_fhandle.LIBCMT ref: 000002963D235523
_unlock_fhandle.LIBCMT ref: 000002963D23555D

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction ID: 84ddb89d9b7093decfc1c5aeb947b034e6557df2bc37af1e1d4f91dab3512ee0
Opcode Fuzzy Hash: c89056d156aae0bb9c491ae48c02d203d405bbf82af9f534bcd04b22b5544d86
Instruction Fuzzy Hash: E12124706197044FF35A6F6ADCAE3BC32D1EF86B30F15068CF25A872D3D664AC0152A9

Function 000002963D234CD8 Relevance: 13.6, APIs: 9, Instructions: 71
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_errno.LIBCMT ref: 000002963D234CF9

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

__doserrno.LIBCMT ref: 000002963D234CF1

Part of subcall function 000002963D230D28: _getptd_noexit.LIBCMT ref: 000002963D230D2C

__lock_fhandle.LIBCMT ref: 000002963D234D3D
_close_nolock.LIBCMT ref: 000002963D234D50
_unlock_fhandle.LIBCMT ref: 000002963D234D69

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction ID: cf2dfd6fa8247ee760f69dd4ea19e2c55a6e92bb9398d70d03993e05d129f444
Opcode Fuzzy Hash: d63a0d9a057a00514656f61d256491cfcc4309f98023220473e92bade8306c33
Instruction Fuzzy Hash: E1212431515A084FF3156F76CCAD3A87AE0EF46B20F1109DCF25A872E3C676D8019768

Function 000002963D22EFEC Relevance: 12.6, APIs: 10, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 000002963D22F01A

Part of subcall function 000002963D22E2C4: RtlFreeHeap.NTDLL ref: 000002963D22E2DA
Part of subcall function 000002963D22E2C4: _errno.LIBCMT ref: 000002963D22E2E4

free.LIBCMT ref: 000002963D22F02F
free.LIBCMT ref: 000002963D22F050
free.LIBCMT ref: 000002963D22F065
free.LIBCMT ref: 000002963D22F079
free.LIBCMT ref: 000002963D22F085
free.LIBCMT ref: 000002963D22F0B0
free.LIBCMT ref: 000002963D22F0D1
free.LIBCMT ref: 000002963D22F0EA
free.LIBCMT ref: 000002963D22F11B

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: free$FreeHeap_errno
String ID:
API String ID: 2737118440-0
Opcode ID: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction ID: 90bf34d28893db083770ca3ff163240ae02216b1130ec6451bbaad24404f3aa1
Opcode Fuzzy Hash: f2c387d57ff385ba375dc00a6173171a26f2c39e06d74853e0125178de0f68c4
Instruction Fuzzy Hash: DE41A530270A0A8FFBD4EB5AD8ADB6572F1FF58719F5000A9B206C22D1CA2C8945E719

Function 000002963D21368C Relevance: 11.6, APIs: 9, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002963D213729

Part of subcall function 000002963D22E304: _FF_MSGBANNER.LIBCMT ref: 000002963D22E334
Part of subcall function 000002963D22E304: _NMSG_WRITE.LIBCMT ref: 000002963D22E33E
Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E372
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E37D
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E388

malloc.LIBCMT ref: 000002963D213733

Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E398
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E39D

malloc.LIBCMT ref: 000002963D21373E
free.LIBCMT ref: 000002963D2138FE
free.LIBCMT ref: 000002963D213906
free.LIBCMT ref: 000002963D21390E

Part of subcall function 000002963D214570: malloc.LIBCMT ref: 000002963D2145BA
Part of subcall function 000002963D214570: malloc.LIBCMT ref: 000002963D2145C5
Part of subcall function 000002963D214570: free.LIBCMT ref: 000002963D2146AC
Part of subcall function 000002963D214570: free.LIBCMT ref: 000002963D2146B4

free.LIBCMT ref: 000002963D21391A
free.LIBCMT ref: 000002963D213927
free.LIBCMT ref: 000002963D213934

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: free$malloc$_errno$_callnewh
String ID:
API String ID: 4160633307-0
Opcode ID: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction ID: f2779e4aea8c63bad784f158d92e6b81fae6e61256d9dab0c3bd832b4f8fcebd
Opcode Fuzzy Hash: 78c5723810e6e6d18fab4a62d391ea0db65c57382cb75ed74f6abc212771b6cb
Instruction Fuzzy Hash: BD910C30718B484BD759AB6D946D77A73D2EF89B10F40429EF58AC32C3DE21DC02968A

Function 000002963D22EE90 Relevance: 10.6, APIs: 7, Instructions: 107COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002963D22EEB6

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

_invalid_parameter_noinfo.LIBCMT ref: 000002963D22EEC2
__crtIsPackagedApp.LIBCMT ref: 000002963D22EED3
_dosmaperr.LIBCMT ref: 000002963D22EF1D

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: Packaged__crt_dosmaperr_errno_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 2917016420-0
Opcode ID: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction ID: d415dcca59d071fa4950b32a3f49c6435258806dd40ea330b84812700e04228d
Opcode Fuzzy Hash: cfbfe809ff06962f400f8854e8dfaca57605153f463412cb5835124c7fa4a529
Instruction Fuzzy Hash: 7631F730624A094FFB88AF7E986D36972D0FF8C725F14459DB54AC32E2DB78C840A746

Function 000002963D2397BC Relevance: 10.6, APIs: 7, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002963D2397D5

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

__lock_fhandle.LIBCMT ref: 000002963D23981D
__doserrno.LIBCMT ref: 000002963D239852
_errno.LIBCMT ref: 000002963D239859
_unlock_fhandle.LIBCMT ref: 000002963D239869

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 4120058822-0
Opcode ID: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction ID: 2cbe8f83252e6caa6c0441c0e26378e53698c27e2d3643fd69e21a2a8ded1cff
Opcode Fuzzy Hash: 9341880fa3ae8ea43da77f4714028596b22b009dd5c4526b8d460d71b2af8a07
Instruction Fuzzy Hash: F721F2A0A08A044FF7146F6B9CBD36D76D0EF87B10F44059CF25A872D3D6689800A369

Function 000002963D22FB90 Relevance: 9.3, APIs: 6, Instructions: 257COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002963D22FBCC

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

_invalid_parameter_noinfo.LIBCMT ref: 000002963D22FBD7
memcpy_s.LIBCMT ref: 000002963D22FC9C
_fileno.LIBCMT ref: 000002963D22FD07
_filbuf.LIBCMT ref: 000002963D22FD35
_errno.LIBCMT ref: 000002963D22FD85

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_filbuf_fileno_getptd_noexit_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 2328795619-0
Opcode ID: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction ID: 8989224457fe31f1b4e5a8992061903656f803f1fa8a0e6e5f09188f9ef62847
Opcode Fuzzy Hash: 4bbdce99b29ecd3e24264ac9f3b66a56e11342a03ebc5466d7d382185dba5216
Instruction Fuzzy Hash: F7610830238F090AE7AC962F486D33972C1EF94B25F2403AEF656C36D5EE21DC5252C9

Function 000002963D23EC50 Relevance: 9.1, APIs: 6, Instructions: 108COMMON

Download Yara Rule

APIs

Part of subcall function 000002963D230680: _getptd.LIBCMT ref: 000002963D230696
Part of subcall function 000002963D230680: __updatetlocinfo.LIBCMT ref: 000002963D2306CB
Part of subcall function 000002963D230680: __updatetmbcinfo.LIBCMT ref: 000002963D2306F2

_errno.LIBCMT ref: 000002963D23EC9F
_invalid_parameter_noinfo.LIBCMT ref: 000002963D23ECAA

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: __updatetlocinfo__updatetmbcinfo_errno_getptd_invalid_parameter_noinfo
String ID:
API String ID: 2808835054-0
Opcode ID: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction ID: 4a965b2513fdbb3337f7dd26c6a6b5f36e9089aaf7a95bc8e0e696c6ea27cc97
Opcode Fuzzy Hash: 04a51c6534ba67d8c2ce71a0e6c0b8946822a3beaaa0ad6abf8e1e016199c0f5
Instruction Fuzzy Hash: B4319A30618A0C8FE7A89F19989C76A72E0FF58B10F1107E9B549C72D2DA30DC449799

Function 000002963D22F6A0 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002963D22F5F7

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

_invalid_parameter_noinfo.LIBCMT ref: 000002963D22F602
_getstream.LIBCMT ref: 000002963D22F622
_errno.LIBCMT ref: 000002963D22F634
_errno.LIBCMT ref: 000002963D22F646
_openfile.LIBCMT ref: 000002963D22F674

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_getptd_noexit_getstream_invalid_parameter_noinfo_openfile
String ID:
API String ID: 1547050394-0
Opcode ID: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction ID: 77f6158c377f1df349f32ae470f3df67412fcd9455c238c1f53723eeb61ede74
Opcode Fuzzy Hash: 25a8bf288fd42ce426ab2ae56b53d18e2e8359fd32586f4ae3706e9ff750b65b
Instruction Fuzzy Hash: 6421D630618A0D4FF7D1AB3A882D36A76D1FF89B04F0509DAB549C31A2DF24CC406799

Function 000002963D222274 Relevance: 9.0, APIs: 7, Instructions: 264stringCOMMONLIBRARYCODE

Download Yara Rule

APIs

strchr.LIBCMT ref: 000002963D2222AE
strchr.LIBCMT ref: 000002963D2222CC
malloc.LIBCMT ref: 000002963D2222E4
malloc.LIBCMT ref: 000002963D2222F1
rand.LIBCMT ref: 000002963D2223BD
free.LIBCMT ref: 000002963D2224DB
free.LIBCMT ref: 000002963D2224E3

Part of subcall function 000002963D22E2C4: RtlFreeHeap.NTDLL ref: 000002963D22E2DA
Part of subcall function 000002963D22E2C4: _errno.LIBCMT ref: 000002963D22E2E4

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: freemallocstrchr$FreeHeap_errnorand
String ID:
API String ID: 3504763109-0
Opcode ID: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction ID: a03d93ad50780eadd706967ffb410500d4d28a4612cd4102cd8ce61b33191019
Opcode Fuzzy Hash: f35e4bf4a30ec4413237561f10dac7197b8990473e0b46e11b580f4fb44e5963
Instruction Fuzzy Hash: 2B812B2022CE9C4BE7E5AB2D842D3F6B3D1FF9D709F4001ADF689C7192DA258646E345

Function 000002963D2131F0 Relevance: 8.9, APIs: 7, Instructions: 181COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002963D21323D

Part of subcall function 000002963D22E304: _FF_MSGBANNER.LIBCMT ref: 000002963D22E334
Part of subcall function 000002963D22E304: _NMSG_WRITE.LIBCMT ref: 000002963D22E33E
Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E372
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E37D
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E388

malloc.LIBCMT ref: 000002963D213248

Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E398
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E39D

free.LIBCMT ref: 000002963D21332F
free.LIBCMT ref: 000002963D213337
free.LIBCMT ref: 000002963D21333F
free.LIBCMT ref: 000002963D21334B
free.LIBCMT ref: 000002963D213358

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction ID: f7783d9fb172960adc9b835608025c13d00868723a7ca2515342ac7faf369fb5
Opcode Fuzzy Hash: a46d6df1e63736bbf5e6f8efd513222b2720334364c4a35ae3722e37f335d37b
Instruction Fuzzy Hash: AA51E330618F495BE799EB29986D67A73D1FF49704F4041ADF94BC3293EE20DC0296C9

Function 000002963D21BAF4 Relevance: 7.9, APIs: 6, Instructions: 411COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000002963D22506C: malloc.LIBCMT ref: 000002963D225088

malloc.LIBCMT ref: 000002963D21BBBB

Part of subcall function 000002963D22E304: _FF_MSGBANNER.LIBCMT ref: 000002963D22E334
Part of subcall function 000002963D22E304: _NMSG_WRITE.LIBCMT ref: 000002963D22E33E
Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E372
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E37D
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E388

Part of subcall function 000002963D22B2B0: malloc.LIBCMT ref: 000002963D22B31C

Part of subcall function 000002963D22DB28: malloc.LIBCMT ref: 000002963D22DB78

Part of subcall function 000002963D22DB28: realloc.LIBCMT ref: 000002963D22DB87

malloc.LIBCMT ref: 000002963D21BCCA
_snprintf.LIBCMT ref: 000002963D21BD41
_snprintf.LIBCMT ref: 000002963D21BD67
_snprintf.LIBCMT ref: 000002963D21BD8E
free.LIBCMT ref: 000002963D21BF46

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: malloc$_snprintf$_errno$_callnewhfreerealloc
String ID:
API String ID: 74200508-0
Opcode ID: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction ID: 338f815dc093de29a199876208d339a101d64415022348bd9337a92e1be2d16c
Opcode Fuzzy Hash: fd4b1ce187cf5d2c7b3c7d1d5f2f485ec143d87fcb2d796d9dd721ce5a89571b
Instruction Fuzzy Hash: 0DD1EA30714A044BFB99BB36887E3A972D2FF85B04F5045ADB646C32C3DE39D905A74A

Function 000002963D220714 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 000002963D22506C: malloc.LIBCMT ref: 000002963D225088

Part of subcall function 000002963D22F6A0: _errno.LIBCMT ref: 000002963D22F5F7
Part of subcall function 000002963D22F6A0: _invalid_parameter_noinfo.LIBCMT ref: 000002963D22F602

fseek.LIBCMT ref: 000002963D2207B0

Part of subcall function 000002963D22FF24: _errno.LIBCMT ref: 000002963D22FF4C
Part of subcall function 000002963D22FF24: _invalid_parameter_noinfo.LIBCMT ref: 000002963D22FF57

_ftelli64.LIBCMT ref: 000002963D2207B8

Part of subcall function 000002963D22FF98: _errno.LIBCMT ref: 000002963D22FFB6
Part of subcall function 000002963D22FF98: _invalid_parameter_noinfo.LIBCMT ref: 000002963D22FFC1

fseek.LIBCMT ref: 000002963D2207C8

Part of subcall function 000002963D22FF24: _fseek_nolock.LIBCMT ref: 000002963D22FF75

malloc.LIBCMT ref: 000002963D220808

Part of subcall function 000002963D22E304: _FF_MSGBANNER.LIBCMT ref: 000002963D22E334
Part of subcall function 000002963D22E304: _NMSG_WRITE.LIBCMT ref: 000002963D22E33E
Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E372
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E37D
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E388

fclose.LIBCMT ref: 000002963D2208C5

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_invalid_parameter_noinfo$fseekmalloc$_callnewh_fseek_nolock_ftelli64fclose
String ID:
API String ID: 2887643383-0
Opcode ID: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction ID: 19f697fb5abb9825c3f921d80b8c689830cda33bbbd56d40b3573a7fb54c881e
Opcode Fuzzy Hash: f1c4e02295faa99f8843714657dd5281141177bf23df19fa39898597ddf49910
Instruction Fuzzy Hash: 9151E831628A084FE788EB29946E7BA72D1FF88714F5042ADF54BC32D7DD24990296C5

Function 000002963D2393C8 Relevance: 7.7, APIs: 5, Instructions: 201COMMON

Download Yara Rule

APIs

_mtinitlocknum.LIBCMT ref: 000002963D2393F5

Part of subcall function 000002963D232ED8: _FF_MSGBANNER.LIBCMT ref: 000002963D232EF5
Part of subcall function 000002963D232ED8: _NMSG_WRITE.LIBCMT ref: 000002963D232EFF

_lock.LIBCMT ref: 000002963D239408
_lock.LIBCMT ref: 000002963D239463
_calloc_crt.LIBCMT ref: 000002963D23951A

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _lock$_calloc_crt_mtinitlocknum
String ID:
API String ID: 3962633935-0
Opcode ID: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction ID: 64551ebf0a4ffc6a5ee7488314677e2cbd9cd5bff3e0a02bc0140168b06da85d
Opcode Fuzzy Hash: b1e94c722dda090378a8e761eed7513b06593d91ccd6790d0d4411b736f80c7c
Instruction Fuzzy Hash: D65125B0518B088FE7689F1ACC9D366B7D0FF59710F10029DFA4AC32A2D674D842DB86

Function 000002963D214570 Relevance: 7.7, APIs: 6, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002963D2145BA

Part of subcall function 000002963D22E304: _FF_MSGBANNER.LIBCMT ref: 000002963D22E334
Part of subcall function 000002963D22E304: _NMSG_WRITE.LIBCMT ref: 000002963D22E33E
Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E372
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E37D
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E388

malloc.LIBCMT ref: 000002963D2145C5

Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E398
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E39D

free.LIBCMT ref: 000002963D2146AC
free.LIBCMT ref: 000002963D2146B4
free.LIBCMT ref: 000002963D2146C0
free.LIBCMT ref: 000002963D2146CD

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction ID: 699de7269abf41a41006ac51d74a60b8dbd8d873894b191cad1f0b55e717265b
Opcode Fuzzy Hash: 9dd44889f23309e2c133c4e883ac3d7c03cf28f4ebc62bcd805b5d39935d1e2d
Instruction Fuzzy Hash: 45413A30318B4D4BE7689A3A885D27673D5EF96714F1081AEF98BC3283DD21D8075789

Function 000002963D23141C Relevance: 7.6, APIs: 5, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

_fileno.LIBCMT ref: 000002963D231439

Part of subcall function 000002963D234AD4: _errno.LIBCMT ref: 000002963D234ADD
Part of subcall function 000002963D234AD4: _invalid_parameter_noinfo.LIBCMT ref: 000002963D234AE8

_errno.LIBCMT ref: 000002963D231449

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

_errno.LIBCMT ref: 000002963D231465
_isatty.LIBCMT ref: 000002963D2314C6
_getbuf.LIBCMT ref: 000002963D2314D2

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_fileno_getbuf_getptd_noexit_invalid_parameter_noinfo_isatty
String ID:
API String ID: 304646821-0
Opcode ID: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction ID: 7cbfd3024fbcaa6aec853bdf8db335216e5c43e40fb7341245e40856ef2bb404
Opcode Fuzzy Hash: c35e8c2de9f02937b40d8dcb44627bb11330896f7d068decc206105344bae12a
Instruction Fuzzy Hash: 59519030114A084FEB9AEF2AC8AD76577E1FF48B10F1406D9EA5ACB2DBD734C8459784

Function 000002963D2282A0 Relevance: 7.6, APIs: 6, Instructions: 142COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002963D2282CF

Part of subcall function 000002963D22E304: _FF_MSGBANNER.LIBCMT ref: 000002963D22E334
Part of subcall function 000002963D22E304: _NMSG_WRITE.LIBCMT ref: 000002963D22E33E
Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E372
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E37D
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E388

_snprintf.LIBCMT ref: 000002963D2282E7

Part of subcall function 000002963D22E6BC: _errno.LIBCMT ref: 000002963D22E6F3
Part of subcall function 000002963D22E6BC: _invalid_parameter_noinfo.LIBCMT ref: 000002963D22E6FE

free.LIBCMT ref: 000002963D2282FE

Part of subcall function 000002963D22E2C4: RtlFreeHeap.NTDLL ref: 000002963D22E2DA
Part of subcall function 000002963D22E2C4: _errno.LIBCMT ref: 000002963D22E2E4

malloc.LIBCMT ref: 000002963D22834E
_snprintf.LIBCMT ref: 000002963D228366
free.LIBCMT ref: 000002963D22838E

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$_snprintffreemalloc$FreeHeap_callnewh_invalid_parameter_noinfo
String ID:
API String ID: 343393124-0
Opcode ID: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction ID: 9de6c318437518a3835d5be521b96ba783a09caa3d2ebf351de0c7a1dc5690f5
Opcode Fuzzy Hash: faf2166294d0965833cb84c6e7fe882f3c5ed13ceeefabe40a4c11aee224dca5
Instruction Fuzzy Hash: 2C41C22071CA480FE698AB2D682D3B8B7D2EB89714F4442DDF58EC3396DD24DD029789

Function 000002963D21ECE4 Relevance: 7.6, APIs: 5, Instructions: 90fileCOMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002963D21ED05

Part of subcall function 000002963D22E304: _FF_MSGBANNER.LIBCMT ref: 000002963D22E334
Part of subcall function 000002963D22E304: _NMSG_WRITE.LIBCMT ref: 000002963D22E33E
Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E372
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E37D
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E388

free.LIBCMT ref: 000002963D21ED40
fwrite.LIBCMT ref: 000002963D21ED81
fclose.LIBCMT ref: 000002963D21ED89
free.LIBCMT ref: 000002963D21ED96

Part of subcall function 000002963D22E2C4: RtlFreeHeap.NTDLL ref: 000002963D22E2DA
Part of subcall function 000002963D22E2C4: _errno.LIBCMT ref: 000002963D22E2E4

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno$free$FreeHeap_callnewhfclosefwritemalloc
String ID:
API String ID: 415550720-0
Opcode ID: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction ID: e2f827608893ca5212cffe58b05a408ab6703c178544fbe44c6b8d21631411c2
Opcode Fuzzy Hash: c287650ca013cd6fba82a94b2bfab312077d62521af6d54d1c0599a360ecab3d
Instruction Fuzzy Hash: D6216B20738A084FE784F72A846D7AEB2D1FF9CB14F54459D764AC32D6DD258901534A

Function 000002963D23966C Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002963D23967D

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

__doserrno.LIBCMT ref: 000002963D239675

Part of subcall function 000002963D230D28: _getptd_noexit.LIBCMT ref: 000002963D230D2C

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction ID: 5e36c00b9d6aa337774d678eae0dc06b705208c4485f4db1757f36d0a6d5cc9c
Opcode Fuzzy Hash: 7de39b626677fa29025c8f4af27b0a540db68e2d6824cc23474586602198323a
Instruction Fuzzy Hash: DD01F47012680C4FF399AB6BCD6D39832E0FF06B21F9042D4F615870E6D7391460AB2A

Function 000002963D21DC84 Relevance: 6.5, APIs: 5, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

_snprintf.LIBCMT ref: 000002963D21DD53
_snprintf.LIBCMT ref: 000002963D21DD7E
_snprintf.LIBCMT ref: 000002963D21DD9A
_snprintf.LIBCMT ref: 000002963D21DE4F
_snprintf.LIBCMT ref: 000002963D21DE66

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _snprintf
String ID:
API String ID: 3512837008-0
Opcode ID: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction ID: a789523f4e68bd86b19ac7c54523a2c285aea40a984387c74bf5a70c849d2113
Opcode Fuzzy Hash: 72e4e973a1d0442b98f7febb78707b45b3081222fbe35b5ecbc6412512dc3076
Instruction Fuzzy Hash: 8B91D430228A088FEB95EF19D89DBAA73E5FF98704F0045A9F546C31D2DE38D905DB85

Function 000002963D22E06C Relevance: 6.3, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002963D22E08F

Part of subcall function 000002963D22E304: _FF_MSGBANNER.LIBCMT ref: 000002963D22E334
Part of subcall function 000002963D22E304: _NMSG_WRITE.LIBCMT ref: 000002963D22E33E
Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E372
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E37D
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E388

malloc.LIBCMT ref: 000002963D22E09D

Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E398
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E39D

malloc.LIBCMT ref: 000002963D22E0BF
_snprintf.LIBCMT ref: 000002963D22E0DA

Part of subcall function 000002963D22E6BC: _errno.LIBCMT ref: 000002963D22E6F3
Part of subcall function 000002963D22E6BC: _invalid_parameter_noinfo.LIBCMT ref: 000002963D22E6FE

malloc.LIBCMT ref: 000002963D22E0F5

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errnomalloc$_callnewh$_invalid_parameter_noinfo_snprintf
String ID:
API String ID: 2026495703-0
Opcode ID: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction ID: 66d995854a731ba09c64a797ee8a497bd77e2610aaed528182aaa8574c0fb2a8
Opcode Fuzzy Hash: b352101c7262c8bcb4a5e96376bd10b91777e0dce9561e268234f3b9efdf5141
Instruction Fuzzy Hash: 50118B30A2CF080FE7A8EB2DA05936576D1EB8C720F10459EF18AC3396DA349E4197C6

Function 000002963D22F6AC Relevance: 6.2, APIs: 4, Instructions: 194COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002963D22F6E4

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

_invalid_parameter_noinfo.LIBCMT ref: 000002963D22F6EF
_flush.LIBCMT ref: 000002963D22F7A1
_fileno.LIBCMT ref: 000002963D22F7C2

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno_fileno_flush_getptd_noexit_invalid_parameter_noinfo
String ID:
API String ID: 634798775-0
Opcode ID: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction ID: 4f7348e334fdc942116f3c3f808a77c077dcbe0ad36d32b740de3d6ff5c97675
Opcode Fuzzy Hash: 34e7f92ebff520e6a17a4e985317f9f17b8bd586bad3667c73d28a98cf0395a5
Instruction Fuzzy Hash: 1851FF30228F094FE7E8596F546D33672C0EF58B14F2502AEF55AC31E6EA50DC52528A

Function 000002963D210150 Relevance: 6.1, APIs: 4, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

clock.LIBCMT ref: 000002963D210197
clock.LIBCMT ref: 000002963D2101A4
clock.LIBCMT ref: 000002963D2101AD
clock.LIBCMT ref: 000002963D2101BA

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: clock
String ID:
API String ID: 3195780754-0
Opcode ID: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction ID: 25fc6fb4e31ec2280cb57c9a5f2c0d17dd36149c7f0199cd4467cfa686bbf7ca
Opcode Fuzzy Hash: 88d80a52c757cc5c40c2c6d70a970e4954adb33c3b78b443ec03df4506b3ea8d
Instruction Fuzzy Hash: C521383240C70C4FE768AD9F948E336B3D0EFC4750F11426DFACA83157E956985692DA

Function 000002963D22E8E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 000002963D22E931

Part of subcall function 000002963D230D98: _getptd_noexit.LIBCMT ref: 000002963D230D9C

_invalid_parameter_noinfo.LIBCMT ref: 000002963D22E93C

Strings

B, xrefs: 000002963D22E968

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction ID: 6461d973329f1f8b36340a729bd8c681af0873830b5ccd5dbd4b7a88bcc19952
Opcode Fuzzy Hash: c02d2d703cad3fde31994e70e132d1470a84cf0b2fdde3fa0011d2dc5e3ae6ea
Instruction Fuzzy Hash: 1011B270228B084FD794EF1994897A9B3D1FB98724F5047AEB159C32A5CB34C844D786

Function 000002963D229DC4 Relevance: 5.2, APIs: 4, Instructions: 226COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002963D229DF8

Part of subcall function 000002963D22E304: _FF_MSGBANNER.LIBCMT ref: 000002963D22E334
Part of subcall function 000002963D22E304: _NMSG_WRITE.LIBCMT ref: 000002963D22E33E
Part of subcall function 000002963D22E304: _callnewh.LIBCMT ref: 000002963D22E372
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E37D
Part of subcall function 000002963D22E304: _errno.LIBCMT ref: 000002963D22E388

free.LIBCMT ref: 000002963D229F3F
free.LIBCMT ref: 000002963D229FA3
free.LIBCMT ref: 000002963D229FAF

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: free$_errno$_callnewhmalloc
String ID:
API String ID: 2761444284-0
Opcode ID: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction ID: 8306dbf88aae6703295ea2ea9f2bb294024821981c08df5ad95d5ac77066a471
Opcode Fuzzy Hash: 220d10eecca3932b28677e19a5d899b4e1de467fae96e5e6bbac4d4284393be2
Instruction Fuzzy Hash: 5461E8303285084BEBD8EB1AC4AD7AD72D1FF88B14F1049ADF646C31D7DE6499029689

Function 000002963D213380 Relevance: 5.2, APIs: 4, Instructions: 179COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 000002963D2133E3

Memory Dump Source

Source File: 0000000A.00000002.2589648151.000002963D210000.00000040.00000020.00020000.00000000.sdmp, Offset: 000002963D210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_2963d210000_wermgr.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction ID: 788d7bdecc3db4a01e7b1eb6825777e2565eaf35e378e4250fd43841a577b3c7
Opcode Fuzzy Hash: eb22e79342f6c44f5990d3d93bc1acaf377093f70efb3d4e41a798bd81bbd69f
Instruction Fuzzy Hash: D151C830618A054BDB59DF2DD46D67A73D2FF89710F1045ADF98BC3286EE31DC029689

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report pwn.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: CobaltStrike

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Windows Analysis Report
pwn.dll.dll

Function 0000026E03794EA8 Relevance: 4.7, APIs: 3, Instructions: 190
stringCOMMONLIBRARYCODE

Function 0000026E03400000 Relevance: 1.7, APIs: 1, Instructions: 211
COMMON

Function 0000026E0378E094 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
networkCOMMONLIBRARYCODE

Function 0000026E0378DAC8 Relevance: 3.2, APIs: 2, Instructions: 159
networkCOMMONLIBRARYCODE

Function 0000026E0379C36C Relevance: 1.3, APIs: 1, Instructions: 75
COMMONLIBRARYCODE

Function 0000026E03796BB8 Relevance: 13.3, APIs: 10, Instructions: 790
COMMONLIBRARYCODE

Function 0000026E037A5E9C Relevance: 16.6, APIs: 11, Instructions: 108
COMMONLIBRARYCODE

Function 0000026E037A6C88 Relevance: 15.1, APIs: 10, Instructions: 93
COMMONLIBRARYCODE

Function 0000026E037A6B10 Relevance: 15.1, APIs: 10, Instructions: 89
COMMONLIBRARYCODE

Function 0000026E037A54B4 Relevance: 13.6, APIs: 9, Instructions: 89
COMMONLIBRARYCODE

Function 0000026E037A4CD8 Relevance: 13.6, APIs: 9, Instructions: 71
COMMONLIBRARYCODE