Edit tour

Windows Analysis Report
f3fBEUL66b.exe

Overview

General Information

Sample name:	f3fBEUL66b.exe renamed because original name is a hash value
Original sample name:	77dd16d7ed3758bd83e04514f6e84f58.exe
Analysis ID:	1583153
MD5:	77dd16d7ed3758bd83e04514f6e84f58
SHA1:	d1a4c38fe1626e8c66ff3d30e89c65610d49bc0e
SHA256:	7a668e696fe58365c3dff7e74162976e07deb2c766dd173ec4db09ff40eac47f
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found stalling execution ending in API Sleep call

Sample is not signed and drops a device driver

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates driver files

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

f3fBEUL66b.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\f3fBEUL66b.exe" MD5: 77DD16D7ED3758BD83E04514F6E84F58)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: f3fBEUL66b.exe PID: 7340	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 192.238.134.113, DestinationIsIpv6: false, DestinationPort: 4433, EventID: 3, Image: C:\Users\user\Desktop\f3fBEUL66b.exe, Initiated: true, ProcessId: 7340, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T05:02:04.835711+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	192.238.134.113	4433	TCP
2025-01-02T05:03:10.595580+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49730	192.238.134.113	4433	TCP
2025-01-02T05:04:23.048842+0100	2052875	1	A Network Trojan was detected	192.168.2.4	50004	192.238.134.113	10443	TCP
2025-01-02T05:05:24.189552+0100	2052875	1	A Network Trojan was detected	192.168.2.4	50006	192.238.134.113	10443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: f3fBEUL66b.exe	ReversingLabs: Detection: 52%
Source: f3fBEUL66b.exe	Virustotal: Detection: 67%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: f3fBEUL66b.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EF410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF6C20EF410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2114190 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF6C2114190

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20E6370 gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

0_2_00007FF6C20E6370

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49730 -> 192.238.134.113:4433
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50004 -> 192.238.134.113:10443
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:50006 -> 192.238.134.113:10443

Source: Joe Sandbox View

ASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US

Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20E3B00 select,recv,timeGetTime,

0_2_00007FF6C20E3B00

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: [esc]

0_2_00007FF6C20EADB0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20EADB0 Sleep,GetTickCount,GetTickCount,OpenClipboard,GetClipboardData,GlobalSize,GlobalLock,wsprintfW,WaitForSingleObject,CreateFileW,SetFilePointer,lstrlenW,WriteFile,CloseHandle,ReleaseMutex,GlobalUnlock,CloseClipboard,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,GetKeyState,lstrlenW,lstrlenW,lstrlenW,wsprintfW,wsprintfW,wsprintfW,lstrlenW,

0_2_00007FF6C20EADB0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20F0DA0 _invalid_parameter_noinfo_noreturn,lstrlenW,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6C20F0DA0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20EADB0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20EFD10 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6C20EFD10

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20E72D0 MultiByteToWideChar,MultiByteToWideChar,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CreateMutexExW,GetLastError,Sleep,CreateMutexW,GetLastError,lstrlenW,lstrcmpW,SleepEx,GetModuleHandleW,GetConsoleWindow,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

0_2_00007FF6C20E72D0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20FC400: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,

0_2_00007FF6C20FC400

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EE3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF6C20EE3E9
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EE46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF6C20EE46D
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EE4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF6C20EE4EE

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20E6370	0_2_00007FF6C20E6370
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EB410	0_2_00007FF6C20EB410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EF410	0_2_00007FF6C20EF410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EFD10	0_2_00007FF6C20EFD10
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20E1500	0_2_00007FF6C20E1500
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20E7A60	0_2_00007FF6C20E7A60
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20E72D0	0_2_00007FF6C20E72D0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2112048	0_2_00007FF6C2112048
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20E80C0	0_2_00007FF6C20E80C0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20FB5E0	0_2_00007FF6C20FB5E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20FAE60	0_2_00007FF6C20FAE60
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2108EB0	0_2_00007FF6C2108EB0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C21173EC	0_2_00007FF6C21173EC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20ED410	0_2_00007FF6C20ED410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2105408	0_2_00007FF6C2105408
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20E9480	0_2_00007FF6C20E9480
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C21064C8	0_2_00007FF6C21064C8
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210F4BC	0_2_00007FF6C210F4BC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210F950	0_2_00007FF6C210F950
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2114190	0_2_00007FF6C2114190
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20F79D0	0_2_00007FF6C20F79D0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C21129E4	0_2_00007FF6C21129E4
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C21071DC	0_2_00007FF6C21071DC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C21051FC	0_2_00007FF6C21051FC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2113A00	0_2_00007FF6C2113A00
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2105A1C	0_2_00007FF6C2105A1C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C21122C4	0_2_00007FF6C21122C4
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20F9330	0_2_00007FF6C20F9330
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210A798	0_2_00007FF6C210A798
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20F2FA0	0_2_00007FF6C20F2FA0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210C7BC	0_2_00007FF6C210C7BC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210FFD0	0_2_00007FF6C210FFD0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2115FD4	0_2_00007FF6C2115FD4
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2118824	0_2_00007FF6C2118824
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2104FF8	0_2_00007FF6C2104FF8
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2105818	0_2_00007FF6C2105818
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210684C	0_2_00007FF6C210684C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20F0880	0_2_00007FF6C20F0880
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20E9900	0_2_00007FF6C20E9900
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20ECD40	0_2_00007FF6C20ECD40
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EADB0	0_2_00007FF6C20EADB0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210B5F0	0_2_00007FF6C210B5F0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210D5C0	0_2_00007FF6C210D5C0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C21075E0	0_2_00007FF6C21075E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210560C	0_2_00007FF6C210560C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20E2E50	0_2_00007FF6C20E2E50
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20FA680	0_2_00007FF6C20FA680
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C210AF20	0_2_00007FF6C210AF20

Source: classification engine

Classification label: mal96.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20FB5E0 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF6C20FB5E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EE3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF6C20EE3E9
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EE46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF6C20EE46D
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20E9480 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,	0_2_00007FF6C20E9480
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EE4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF6C20EE4EE

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Mutant created: \Sessions\1\BaseNamedObjects\????

Source: f3fBEUL66b.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: f3fBEUL66b.exe	ReversingLabs: Detection: 52%
Source: f3fBEUL66b.exe	Virustotal: Detection: 67%

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: f3fBEUL66b.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: f3fBEUL66b.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: f3fBEUL66b.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20EE36A OpenEventLogW,ClearEventLogW,CloseEventLog,

0_2_00007FF6C20EE36A

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE VenkernalData_info

Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-21668

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Window / User API: threadDelayed 3327			Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Window / User API: threadDelayed 6070			Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-22081

Source: C:\Users\user\Desktop\f3fBEUL66b.exe TID: 7408	Thread sleep count: 58 > 30	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe TID: 7408	Thread sleep time: -58000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe TID: 7432	Thread sleep count: 3327 > 30	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe TID: 7432	Thread sleep time: -33270s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe TID: 7408	Thread sleep count: 6070 > 30	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe TID: 7408	Thread sleep time: -6070000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20EF410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF6C20EF410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2114190 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF6C2114190

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Source: f3fBEUL66b.exe, 00000000.00000002.4116954354.000002AB494CC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20FB5E0 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,

0_2_00007FF6C20FB5E0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20FC82C GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF6C20FC82C

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20E8710 SysAllocString,SysAllocString,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,SysAllocString,SysAllocString,GetProcessHeap,HeapFree,GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,

0_2_00007FF6C20E8710

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20FBDF0 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep,	0_2_00007FF6C20FBDF0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20FB5E0 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF6C20FB5E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C2103D0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6C2103D0C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20FEA00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6C20FEA00
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20FE814 SetUnhandledExceptionFilter,	0_2_00007FF6C20FE814
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6C20FE66C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6C20FE66C

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20E9480 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

0_2_00007FF6C20E9480

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E9480

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

0_2_00007FF6C20E9480

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20FB5E0

Source: f3fBEUL66b.exe, 00000000.00000002.4116954354.000002AB49555000.00000004.00000020.00020000.00000000.sdmp, f3fBEUL66b.exe, 00000000.00000003.3395235193.000002AB4958A000.00000004.00000020.00020000.00000000.sdmp, f3fBEUL66b.exe, 00000000.00000002.4116954354.000002AB494CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram Manager
Source: f3fBEUL66b.exe, 00000000.00000002.4116954354.000002AB4959F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: f3fBEUL66b.exe, 00000000.00000003.1719210194.000002AB49575000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 minProgram ManagerM91

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C211CB60 cpuid

0_2_00007FF6C211CB60

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,	0_2_00007FF6C20E6370
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6C21183C4
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6C2117CD8
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF6C211797C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF6C21181E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,	0_2_00007FF6C2118290
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6C2110AD8
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,	0_2_00007FF6C2110FB0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,	0_2_00007FF6C2118088
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6C2117DA8
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6C2117E40

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6C20E6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C2112048 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6C2112048

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6C20E8A40 GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,SysStringLen,SysStringLen,CloseHandle,CloseHandle,SysFreeString,SysFreeString,GetCurrentProcessId,wsprintfW,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,

0_2_00007FF6C20E8A40

Source: f3fBEUL66b.exe, 00000000.00000000.1644091595.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmp, f3fBEUL66b.exe, 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: KSafeTray.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: f3fBEUL66b.exe PID: 7340, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: f3fBEUL66b.exe PID: 7340, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	1 Windows Service	1 Access Token Manipulation	1 Modify Registry	121 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Windows Service	1 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	121 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	211 Process Injection	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	211 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Indicator Removal	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	26 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
f3fBEUL66b.exe	53%	ReversingLabs	Win64.Trojan.SpywareX
f3fBEUL66b.exe	67%	Virustotal		Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.238.134.113	unknown	United States		395954	LEASEWEB-USA-LAX-11US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583153
Start date and time:	2025-01-02 05:01:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	f3fBEUL66b.exe renamed because original name is a hash value
Original Sample Name:	77dd16d7ed3758bd83e04514f6e84f58.exe
Detection:	MAL
Classification:	mal96.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 45 Number of non-executed functions: 117
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.

Simulations

Behavior and APIs

Time	Type	Description
23:02:31	API Interceptor	5806977x Sleep call for process: f3fBEUL66b.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-USA-LAX-11US	nabarm7.elf	Get hash	malicious	Unknown	Browse	23.84.102.105
	52C660192933BE09807FC4895F376764A2BE35AA68567819BB854E83CF5F9E5C.dll	Get hash	malicious	Unknown	Browse	192.238.132.206
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.87.203.7
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	108.187.71.205
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	23.87.103.174
	arm5.nn-20241218-1651.elf	Get hash	malicious	Mirai, Okiru	Browse	23.86.199.44
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	23.86.161.151
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	23.104.13.203
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	172.255.161.127
	1.elf	Get hash	malicious	Unknown	Browse	23.84.57.61

Process:	C:\Users\user\Desktop\f3fBEUL66b.exe
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	2.6616157143988106
Encrypted:	false
SSDEEP:	3:tblM6lEjln:tbhEZn
MD5:	AE50B29A0B8DCC411F24F1863B0EAFDE
SHA1:	D415A55627B1ADED8E4B2CBBA402F816B0461155
SHA-256:	6B4BBBCE480FBC50D39A8EC4B72CDB7D781B151921E063DD899FD9B736ADCF68
SHA-512:	D9A9BA42D99BE32D26667060BE1D523DCD20EAFA187A67F7919002CC6DA349FD058053C9C6F721D6FDB730EA02FBAA3013E51C0C653368BD6B3F57A4C0FCABA8
Malicious:	true
Reputation:	low
Preview:	C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.060311148694131
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f3fBEUL66b.exe
File size:	390'656 bytes
MD5:	77dd16d7ed3758bd83e04514f6e84f58
SHA1:	d1a4c38fe1626e8c66ff3d30e89c65610d49bc0e
SHA256:	7a668e696fe58365c3dff7e74162976e07deb2c766dd173ec4db09ff40eac47f
SHA512:	9496abdd711b43e88d36c5c2aad0c7338296239e3486eebb6b2715395ffaf452b7ab737417e3cb784fdf9c0c14028602ced9fa4fff665abf16cb75d9f47f06bf
SSDEEP:	6144:Qvy/g/Oe2CZNHfXmv9m7tvT7DYewsPJimwi9vrBP2k1u0ZLjNy:1/KlpTXmv9mpvv0iPJPtr99Ny
TLSH:	C1847E49FB9409F8E467C138C9A34916EBB27C5913A09BDF33A4466A2F237D05D3EB11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..R............M.......M.......M.......M........O.......O.......O..S...M.......M...........3...MN......MN......Rich...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14001e25c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676FAD5C [Sat Dec 28 07:48:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1db3bac59c066f9b53b8b3b6b99b874b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FEB94C8B6E0h
dec eax
add esp, 28h
jmp 00007FEB94C8AF37h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FEB94C8B0D2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FEB94C8B0D5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FEB94C8B0CDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FEB94C8B0DAh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00036D39h]
jne 00007FEB94C8B0D2h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007FEB94C8B0C3h
ret
dec eax
ror ecx, 10h
jmp 00007FEB94C8B7DBh
int3
int3
dec eax
mov dword ptr [esp+00h], ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x52400	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x60000	0x3450	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc8c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4c7c0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c980	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4c680	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f000	0x920	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3df70	0x3e000	2b6c6c8b93239d65e2449c4cc33eda20	False	0.5452683971774194	data	6.461526088950339	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3f000	0x151e8	0x15200	530663d6c229cb4dbaf0a1dc62a8561d	False	0.4157151442307692	data	4.936178076870312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x55000	0xaa9c	0x7c00	9ce9d6ecd277af9d66cef31780bbf5ef	False	0.10660282258064516	DOS executable (block device driver \377\3)	1.588705678471102	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x60000	0x3450	0x3600	b6a68cd5b1e86136baf9e34e01cfad8b	False	0.4622395833333333	data	5.530289196450094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc8c	0xe00	a952b87812e4781581800f8699e0d5a4	False	0.49302455357142855	data	5.228153224182403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	QueryDosDeviceW, WriteProcessMemory, GetCommandLineW, GetCurrentProcess, WriteFile, OutputDebugStringA, GetModuleFileNameW, GetProcessId, CreateMutexW, GetLocaleInfoW, LocalAlloc, CreateFileW, GetVersionExW, K32GetProcessImageFileNameW, GetSystemDirectoryW, ResumeThread, GetModuleHandleA, OpenProcess, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, MultiByteToWideChar, Process32NextW, GetDiskFreeSpaceExW, GetSystemDirectoryA, LoadLibraryA, lstrcatW, GlobalAlloc, Process32FirstW, GlobalFree, GetSystemInfo, LoadLibraryW, GetLocalTime, VirtualProtectEx, GetThreadContext, GetProcAddress, VirtualAllocEx, LocalFree, ExitProcess, GetCurrentProcessId, GlobalMemoryStatusEx, CreateProcessW, GetModuleHandleW, FreeLibrary, GetConsoleWindow, lstrcpyW, CreateRemoteThread, CreateProcessA, SetThreadContext, GetModuleFileNameA, GetTickCount, lstrcmpW, GetDriveTypeW, GetExitCodeProcess, SetFilePointer, ReleaseMutex, GlobalSize, DeleteFileW, GlobalLock, GetFileSize, GlobalUnlock, FindFirstFileW, ExpandEnvironmentStringsW, FindClose, GetFileAttributesW, TerminateThread, VirtualProtect, IsBadReadPtr, CreateThread, IsDebuggerPresent, SetUnhandledExceptionFilter, WriteConsoleW, GetCurrentThreadId, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, GetStartupInfoW, CreateWaitableTimerW, SetWaitableTimer, TryEnterCriticalSection, WideCharToMultiByte, ResetEvent, CreateEventW, lstrlenW, CancelIo, GetNativeSystemInfo, SetLastError, lstrcmpiW, CreateEventA, CloseHandle, SetEvent, Sleep, WaitForSingleObject, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, HeapCreate, HeapFree, GetProcessHeap, DeleteCriticalSection, HeapDestroy, DecodePointer, HeapAlloc, HeapReAlloc, GetLastError, HeapSize, InitializeCriticalSectionEx, VirtualAlloc, VirtualFree, FlsGetValue, FlsAlloc, GetFileType, GetCommandLineA, GetStdHandle, VirtualQuery, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlPcToFileHeader, RtlUnwindEx, lstrcpyA, CreateFileA, GetSystemDefaultLangID, DeviceIoControl, TerminateProcess, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, EncodePointer, CompareStringEx, GetStringTypeW, RaiseException, OutputDebugStringW, SwitchToThread
USER32.dll	GetForegroundWindow, GetLastInputInfo, GetClipboardData, GetWindowTextW, GetKeyState, ReleaseDC, GetDesktopWindow, SetClipboardData, CloseClipboard, wsprintfW, ExitWindowsEx, ShowWindow, PostThreadMessageA, GetInputState, GetDC, GetSystemMetrics, EmptyClipboard, MsgWaitForMultipleObjects, DispatchMessageW, PeekMessageW, TranslateMessage, OpenClipboard
GDI32.dll	CreateCompatibleBitmap, SelectObject, CreateDIBSection, SetDIBColorTable, CreateCompatibleDC, StretchBlt, GetDIBits, GetDeviceCaps, GetObjectW, SetStretchBltMode, DeleteObject, DeleteDC
ADVAPI32.dll	RegQueryInfoKeyW, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, ClearEventLogW, CloseEventLog, OpenEventLogW, LookupPrivilegeValueW, AdjustTokenPrivileges, GetCurrentHwProfileW, RegCloseKey, GetSidSubAuthorityCount, GetSidSubAuthority, RegEnumKeyExW, RegSetValueExW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, LookupAccountSidW, GetTokenInformation
SHELL32.dll	SHGetFolderPathW
ole32.dll	CreateStreamOnHGlobal, GetHGlobalFromStream, CoCreateInstance, CoUninitialize, CoInitialize
OLEAUT32.dll	SysFreeString, SysAllocString, SysStringLen
WS2_32.dll	select, WSAStartup, send, socket, connect, recv, htons, setsockopt, WSAIoctl, gethostbyname, WSAGetLastError, WSAEnumNetworkEvents, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSASetLastError, WSACloseEvent, shutdown, gethostname, inet_ntoa, WSACleanup, closesocket, WSACreateEvent
WINMM.dll	timeGetTime
gdiplus.dll	GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdipGetImagePixelFormat, GdiplusShutdown, GdipDrawImageI, GdipFree, GdipSaveImageToStream, GdipGetImageWidth, GdipGetImagePalette, GdipDeleteGraphics, GdipGetImageEncodersSize, GdipGetImageGraphicsContext, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipAlloc, GdiplusStartup, GdipGetImageHeight, GdipGetImageEncoders, GdipGetImagePaletteSize, GdipCloneImage, GdipBitmapUnlockBits, GdipCreateBitmapFromStream
dxgi.dll	CreateDXGIFactory
DINPUT8.dll	DirectInput8Create

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 05:02:03.376938105 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:03.381911993 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:03.381993055 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:04.183337927 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:04.188291073 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:04.188303947 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:04.188319921 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:04.188447952 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:04.722479105 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:04.767036915 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:04.830801964 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:04.835634947 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:04.835645914 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:04.835653067 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:04.835663080 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:04.835711002 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:04.840442896 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:19.564090014 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:19.568985939 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:19.876605034 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:19.923454046 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:36.689302921 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:36.694272041 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:37.001828909 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:37.048477888 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:53.532918930 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:02:53.537831068 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:53.845304966 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:02:53.892199993 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:10.595580101 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:10.600349903 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:10.907946110 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:10.985980034 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:27.939212084 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:27.944365978 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:28.251787901 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:28.470406055 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:43.564315081 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:43.564372063 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:43.569267988 CET	4433	49730	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:43.569372892 CET	49730	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:48.517891884 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:48.522821903 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:48.522905111 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:49.468806982 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:49.473747969 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:49.473761082 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:49.473771095 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:49.473891973 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:50.853332043 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:50.853348017 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:50.853404999 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:50.853457928 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:50.853494883 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:50.853498936 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:50.853537083 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:51.222213984 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:51.227236032 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:51.227251053 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:51.227272034 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:51.227281094 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:03:51.227303982 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:03:51.232090950 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:06.165435076 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:06.170305967 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:06.485790968 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:06.619050980 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:23.048841953 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:23.048887968 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:23.053757906 CET	10443	50004	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:23.053813934 CET	50004	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:28.002249002 CET	50005	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:28.007092953 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:28.007160902 CET	50005	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:29.123802900 CET	50005	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:29.128777027 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:29.128788948 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:29.128797054 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:29.128808022 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:29.490169048 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:29.533090115 CET	50005	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:29.599318981 CET	50005	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:29.604183912 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:29.604195118 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:29.604222059 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:29.604232073 CET	50005	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:29.604252100 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:29.608961105 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:45.064603090 CET	50005	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:45.064661980 CET	50005	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:45.069474936 CET	4433	50005	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:45.069530964 CET	50005	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:50.152935982 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:50.157892942 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:50.157957077 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:51.734955072 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:51.739873886 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:51.739890099 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:51.739902973 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:51.740164042 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:52.322285891 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:52.414297104 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:52.420104980 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:52.420115948 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:52.420125961 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:52.420137882 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:04:52.420973063 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:04:52.426590919 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:05:07.142625093 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:05:07.148457050 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:05:07.460359097 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:05:07.683345079 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:05:07.683518887 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:05:24.189552069 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:05:24.194520950 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:05:24.506412029 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:05:24.548841000 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:05:39.955187082 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:05:39.960654974 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:05:40.272653103 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:05:40.330135107 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:05:56.145700932 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:05:56.145700932 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:05:56.150602102 CET	10443	50006	192.238.134.113	192.168.2.4
Jan 2, 2025 05:05:56.150664091 CET	50006	10443	192.168.2.4	192.238.134.113
Jan 2, 2025 05:06:01.096538067 CET	50007	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:06:01.101458073 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:01.101541996 CET	50007	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:06:02.543073893 CET	50007	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:06:02.547993898 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:02.548006058 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:02.548013926 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:02.548063040 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:03.131248951 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:03.223927021 CET	50007	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:06:03.228796959 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:03.228807926 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:03.228822947 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:03.228840113 CET	50007	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:06:03.228909016 CET	4433	50007	192.238.134.113	192.168.2.4
Jan 2, 2025 05:06:03.233637094 CET	4433	50007	192.238.134.113	192.168.2.4

Target ID:	0
Start time:	23:01:56
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\f3fBEUL66b.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\f3fBEUL66b.exe"
Imagebase:	0x7ff6c20e0000
File size:	390'656 bytes
MD5 hash:	77DD16D7ED3758BD83E04514F6E84F58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46%
Total number of Nodes:	1164
Total number of Limit Nodes:	47

Executed Functions

Function 00007FF6C20E6370 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostname.WS2_32 ref: 00007FF6C20E6414
gethostbyname.WS2_32 ref: 00007FF6C20E641E
inet_ntoa.WS2_32 ref: 00007FF6C20E643B
inet_ntoa.WS2_32 ref: 00007FF6C20E648B
MultiByteToWideChar.KERNEL32 ref: 00007FF6C20E64E9
MultiByteToWideChar.KERNEL32 ref: 00007FF6C20E650D
GetLastInputInfo.USER32 ref: 00007FF6C20E6525
GetTickCount.KERNEL32 ref: 00007FF6C20E652B
wsprintfW.USER32 ref: 00007FF6C20E655E
MultiByteToWideChar.KERNEL32 ref: 00007FF6C20E659F
LoadLibraryW.KERNEL32 ref: 00007FF6C20E65AC
GetProcAddress.KERNEL32 ref: 00007FF6C20E65C8
RegOpenKeyExW.KERNEL32 ref: 00007FF6C20E666D
RegQueryValueExW.KERNEL32 ref: 00007FF6C20E6698
RegCloseKey.KERNEL32 ref: 00007FF6C20E66C5
FreeLibrary.KERNEL32 ref: 00007FF6C20E66D6
GetSystemInfo.KERNEL32 ref: 00007FF6C20E66EF
wsprintfW.USER32 ref: 00007FF6C20E6707
GetDriveTypeW.KERNEL32 ref: 00007FF6C20E6736
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FF6C20E6759
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6C20E679D
GetForegroundWindow.USER32 ref: 00007FF6C20E6819
GetWindowTextW.USER32 ref: 00007FF6C20E6834
lstrlenW.KERNEL32 ref: 00007FF6C20E6844
GetLocalTime.KERNEL32 ref: 00007FF6C20E6883
wsprintfW.USER32 ref: 00007FF6C20E689D
MultiByteToWideChar.KERNEL32 ref: 00007FF6C20E657B

Part of subcall function 00007FF6C2108A40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2108A66

lstrlenW.KERNEL32 ref: 00007FF6C20E68C5
GetModuleHandleW.KERNEL32 ref: 00007FF6C20E690E
GetProcAddress.KERNEL32 ref: 00007FF6C20E691E
GetNativeSystemInfo.KERNEL32 ref: 00007FF6C20E692D
GetSystemInfo.KERNEL32 ref: 00007FF6C20E6931
wsprintfW.USER32 ref: 00007FF6C20E6978
GetCurrentProcessId.KERNEL32 ref: 00007FF6C20E698D
OpenProcess.KERNEL32 ref: 00007FF6C20E69AB
K32GetProcessImageFileNameW.KERNEL32 ref: 00007FF6C20E69CD
GetLogicalDriveStringsW.KERNEL32 ref: 00007FF6C20E69E7
lstrcmpiW.KERNEL32 ref: 00007FF6C20E6A28
lstrcmpiW.KERNEL32 ref: 00007FF6C20E6A3C
QueryDosDeviceW.KERNEL32 ref: 00007FF6C20E6A76

Part of subcall function 00007FF6C20FDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20FDFE8
Part of subcall function 00007FF6C20FDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20FDFEE

Part of subcall function 00007FF6C20E9300: GetModuleHandleW.KERNEL32 ref: 00007FF6C20E931D
Part of subcall function 00007FF6C20E9300: GetProcAddress.KERNEL32 ref: 00007FF6C20E932D
Part of subcall function 00007FF6C20E9300: GetNativeSystemInfo.KERNEL32 ref: 00007FF6C20E933D

lstrlenW.KERNEL32 ref: 00007FF6C20E6A87
lstrcpyW.KERNEL32 ref: 00007FF6C20E6AC8
CloseHandle.KERNEL32 ref: 00007FF6C20E6AD1
CoInitializeEx.COMBASE ref: 00007FF6C20E6AE2
CoCreateInstance.COMBASE ref: 00007FF6C20E6B07
SysFreeString.OLEAUT32 ref: 00007FF6C20E6BBC
CoUninitialize.OLE32 ref: 00007FF6C20E6BFE
RegOpenKeyExW.KERNEL32 ref: 00007FF6C20E6C67
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF6C20E6CC7
RegEnumKeyExW.ADVAPI32 ref: 00007FF6C20E6D5F
lstrlenW.KERNEL32 ref: 00007FF6C20E6D6C
lstrlenW.KERNEL32 ref: 00007FF6C20E6D7E
RegCloseKey.ADVAPI32 ref: 00007FF6C20E6DCC
lstrlenW.KERNEL32 ref: 00007FF6C20E6DD9

Part of subcall function 00007FF6C21094E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C210951B

Part of subcall function 00007FF6C20E7A60: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6C20E7AEB
Part of subcall function 00007FF6C20E7A60: Process32FirstW.KERNEL32 ref: 00007FF6C20E7B08
Part of subcall function 00007FF6C20E7A60: Process32NextW.KERNEL32 ref: 00007FF6C20E7B43
Part of subcall function 00007FF6C20E7A60: CloseHandle.KERNEL32 ref: 00007FF6C20E7B50
Part of subcall function 00007FF6C20E7A60: CoCreateInstance.COMBASE ref: 00007FF6C20E7B9F

GetTickCount.KERNEL32 ref: 00007FF6C20E6E21

Part of subcall function 00007FF6C2108E3C: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6C2108E50

wsprintfW.USER32 ref: 00007FF6C20E6E99
GetLocaleInfoW.KERNEL32 ref: 00007FF6C20E6EB6
GetSystemDirectoryW.KERNEL32 ref: 00007FF6C20E6EC8
GetCurrentHwProfileW.ADVAPI32 ref: 00007FF6C20E6EDC
lstrlenW.KERNEL32 ref: 00007FF6C20E6F5B
GetLocalTime.KERNEL32 ref: 00007FF6C20E6F97
wsprintfW.USER32 ref: 00007FF6C20E6FB1
RegOpenKeyExW.KERNEL32 ref: 00007FF6C20E6FD6
RegDeleteValueW.KERNEL32 ref: 00007FF6C20E6FEA
RegCloseKey.ADVAPI32 ref: 00007FF6C20E6FF7
RegCreateKeyW.ADVAPI32 ref: 00007FF6C20E700E
lstrlenW.KERNEL32 ref: 00007FF6C20E701B
RegSetValueExW.KERNEL32 ref: 00007FF6C20E7043
RegCloseKey.ADVAPI32 ref: 00007FF6C20E7054
RegCloseKey.ADVAPI32 ref: 00007FF6C20E7061
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6C20E706E
Process32FirstW.KERNEL32 ref: 00007FF6C20E70A9
Process32NextW.KERNEL32 ref: 00007FF6C20E70FE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6C20E7118
Process32FirstW.KERNEL32 ref: 00007FF6C20E7153
Process32NextW.KERNEL32 ref: 00007FF6C20E71AE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6C20E71C8
Process32FirstW.KERNEL32 ref: 00007FF6C20E7203
Process32NextW.KERNEL32 ref: 00007FF6C20E725A

Strings

kernel32.dll, xrefs: 00007FF6C20E68FB
Software\Tencent\Plugin\VAS, xrefs: 00007FF6C20E6C59
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF6C20E6645
Telegram.exe, xrefs: 00007FF6C20E720D
A:\, xrefs: 00007FF6C20E6A1A
RtlGetNtVersionNumbers, xrefs: 00007FF6C20E65BE
GetNativeSystemInfo, xrefs: 00007FF6C20E6917
INSTALLTIME, xrefs: 00007FF6C20E6F77, 00007FF6C20E6FE3, 00007FF6C20E7028
%sFree%d Gb , xrefs: 00007FF6C20E67EE
VenNetwork, xrefs: 00007FF6C20E6860
ProductName, xrefs: 00007FF6C20E667F
%d.%d, xrefs: 00007FF6C20E688E, 00007FF6C20E6FA2
WxWork.exe, xrefs: 00007FF6C20E70B3
VenREMARK, xrefs: 00007FF6C20E68CB
B:\, xrefs: 00007FF6C20E6A32
FriendlyName, xrefs: 00007FF6C20E6BA2
x64, xrefs: 00007FF6C20E6958
HDD:%d, xrefs: 00007FF6C20E67A7
3b6311a8-7ec5-474e-9db0-a86adda60c45, xrefs: 00007FF6C20E63D2
%d min, xrefs: 00007FF6C20E6557
VenGROUP, xrefs: 00007FF6C20E686B
AppEvents, xrefs: 00007FF6C20E6F61
ntdll.dll, xrefs: 00007FF6C20E65A5
WeChat.exe, xrefs: 00007FF6C20E715D
x86, xrefs: 00007FF6C20E695F
Network, xrefs: 00007FF6C20E6F70
Software, xrefs: 00007FF6C20E6851
%d.%d.%d, xrefs: 00007FF6C20E65FD
X64 %s, xrefs: 00007FF6C20E696A

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Process32lstrlen$CloseCreateInfo$Systemwsprintf$ByteCharFirstHandleMultiNextOpenSnapshotTimeToolhelp32Wide$AddressFreeProcProcessQueryValue$Concurrency::cancel_current_taskCountCurrentDriveFileInstanceLibraryLocalModuleNativeTickWindow_invalid_parameter_noinfoinet_ntoalstrcmpi$DeleteDeviceDirectoryDiskEnumForegroundGlobalImageInitializeInputLastLoadLocaleLogicalMemoryNameProfileSpaceStatusStringStringsTextTypeUninitializegethostbynamegethostnamelstrcpy
String ID: %d min$%d.%d$%d.%d.%d$%sFree%d Gb $3b6311a8-7ec5-474e-9db0-a86adda60c45$A:\$AppEvents$B:\$FriendlyName$GetNativeSystemInfo$HDD:%d$INSTALLTIME$Network$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software$Software\Tencent\Plugin\VAS$Telegram.exe$VenGROUP$VenNetwork$VenREMARK$WeChat.exe$WxWork.exe$X64 %s$kernel32.dll$ntdll.dll$x64$x86
API String ID: 4136965836-2430981841
Opcode ID: baafd4b893ac4f89cafd32f5bb9b4dad6c00bfcc7aeefeacfe09a16904dd0568
Instruction ID: ad3b52b079104dbc05fa676bf0a4df29a0258a257b77dc04e8111a383b5c932a
Opcode Fuzzy Hash: baafd4b893ac4f89cafd32f5bb9b4dad6c00bfcc7aeefeacfe09a16904dd0568
Instruction Fuzzy Hash: C3926272B08B8285EB20DF25E8442E92361FB54B5AF814132DE9DC7BA4EF7CD685C740

Function 00007FF6C20FB5E0 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 429
registrylibrarysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FF6C20FB611
CloseHandle.KERNEL32 ref: 00007FF6C20FB64D
GetCurrentProcess.KERNEL32 ref: 00007FF6C20FB660
OpenProcessToken.ADVAPI32 ref: 00007FF6C20FB675
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6C20FB695
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6C20FB6C1
CloseHandle.KERNEL32 ref: 00007FF6C20FB6CE
GetModuleHandleA.KERNEL32 ref: 00007FF6C20FB6DB
GetProcAddress.KERNEL32 ref: 00007FF6C20FB6EB
GetCurrentProcessId.KERNEL32 ref: 00007FF6C20FB703
OpenProcess.KERNEL32 ref: 00007FF6C20FB712
GetLocalTime.KERNEL32 ref: 00007FF6C20FB734
wsprintfW.USER32 ref: 00007FF6C20FB77A
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C20FB787
CloseHandle.KERNEL32 ref: 00007FF6C20FB7AD
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6C20FB850

Part of subcall function 00007FF6C2108BE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2108C0B

CheckTokenMembership.KERNELBASE ref: 00007FF6C20FB86A
FreeSid.ADVAPI32 ref: 00007FF6C20FB882
RegOpenKeyExW.KERNEL32 ref: 00007FF6C20FB8B4
RegDeleteValueW.KERNEL32 ref: 00007FF6C20FB8C8
RegSetValueExW.KERNEL32 ref: 00007FF6C20FB8F9
RegCloseKey.ADVAPI32 ref: 00007FF6C20FB906
SleepEx.KERNEL32 ref: 00007FF6C20FBA29
CreateEventA.KERNEL32 ref: 00007FF6C20FBAA5
Sleep.KERNEL32 ref: 00007FF6C20FBB4E
Sleep.KERNEL32 ref: 00007FF6C20FBB84
CloseHandle.KERNEL32 ref: 00007FF6C20FBBF2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20FBBFD
IsDebuggerPresent.KERNEL32 ref: 00007FF6C20FBC1C
LoadLibraryW.KERNEL32 ref: 00007FF6C20FBC48
GetProcAddress.KERNEL32 ref: 00007FF6C20FBC72
FreeLibrary.KERNEL32 ref: 00007FF6C20FBC83

Strings

4433, xrefs: 00007FF6C20FB940, 00007FF6C20FB96C, 00007FF6C20FB9CD, 00007FF6C20FBA39, 00007FF6C20FBA6D
192.238.134.113, xrefs: 00007FF6C20FB954
NtDll.dll, xrefs: 00007FF6C20FB6D4
DbgHelp.dll, xrefs: 00007FF6C20FBC39
192.238.134.113, xrefs: 00007FF6C20FB918, 00007FF6C20FB9B5, 00007FF6C20FBA48, 00007FF6C20FBADE
loginconfig, xrefs: 00007FF6C20FB8D6
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF6C20FB76C
SOFTWARE, xrefs: 00007FF6C20FB8A6
VenkernalData_info, xrefs: 00007FF6C20FB8BA, 00007FF6C20FB8EB
192.238.134.113, xrefs: 00007FF6C20FB9A9
4433, xrefs: 00007FF6C20FB934
NtSetInformationProcess, xrefs: 00007FF6C20FB6E4
192.238.134.113, xrefs: 00007FF6C20FB928
MiniDumpWriteDump, xrefs: 00007FF6C20FBC60
!analyze -v, xrefs: 00007FF6C20FBCFE
10443, xrefs: 00007FF6C20FB960
SeDebugPrivilege, xrefs: 00007FF6C20FB68C
%s-%04d%02d%02d-%02d%02d%02d.dmp, xrefs: 00007FF6C20FBCF2

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseHandle$ProcessSleep$OpenTokenValue$AddressCurrentFreeLibraryProc$AdjustAllocateCheckCreateDebuggerDeleteEventExceptionFilterInitializeLoadLocalLookupMembershipModulePresentPrivilegePrivilegesTimeUnhandled_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturnwsprintf
String ID: !analyze -v$%4d.%2d.%2d-%2d:%2d:%2d$%s-%04d%02d%02d-%02d%02d%02d.dmp$10443$192.238.134.113$192.238.134.113$192.238.134.113$192.238.134.113$4433$4433$DbgHelp.dll$MiniDumpWriteDump$NtDll.dll$NtSetInformationProcess$SOFTWARE$SeDebugPrivilege$VenkernalData_info$loginconfig
API String ID: 2641691789-2327769729
Opcode ID: 77c7ebbd6b1270c41e18ab2e88367418a2e18304979642d2bf76458933601cb2
Instruction ID: 02fd5c40f19893d42db3890cfc81aa7ebf0e55feb43f6e7ed0ed2ceb13635978
Opcode Fuzzy Hash: 77c7ebbd6b1270c41e18ab2e88367418a2e18304979642d2bf76458933601cb2
Instruction Fuzzy Hash: 69222F71A08B8286E720DF25E8442AA73A5FB98B5AF500136DECDC7BA4DFBCD154C744

Function 00007FF6C20EF410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastInputInfo.USER32 ref: 00007FF6C20EF45C
GetTickCount.KERNEL32 ref: 00007FF6C20EF462
wsprintfW.USER32 ref: 00007FF6C20EF490
GetForegroundWindow.USER32 ref: 00007FF6C20EF496
GetWindowTextW.USER32 ref: 00007FF6C20EF4AE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6C20EF4C3
Process32FirstW.KERNEL32 ref: 00007FF6C20EF4F7
Process32NextW.KERNEL32 ref: 00007FF6C20EF54B
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6C20EF565
Process32FirstW.KERNEL32 ref: 00007FF6C20EF59F
Process32NextW.KERNEL32 ref: 00007FF6C20EF5EE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6C20EF608
Process32FirstW.KERNEL32 ref: 00007FF6C20EF642
Process32NextW.KERNEL32 ref: 00007FF6C20EF69E
RegOpenKeyExW.ADVAPI32 ref: 00007FF6C20EF6EC
RegQueryValueExW.KERNEL32 ref: 00007FF6C20EF71F
RegQueryValueExW.KERNEL32 ref: 00007FF6C20EF783
RegCloseKey.ADVAPI32 ref: 00007FF6C20EF90D
RegOpenKeyExW.ADVAPI32 ref: 00007FF6C20EF943
RegQueryValueExW.KERNEL32 ref: 00007FF6C20EF976
RegQueryValueExW.ADVAPI32 ref: 00007FF6C20EF9D5
RegCloseKey.ADVAPI32 ref: 00007FF6C20EF9EC
RegOpenKeyExW.ADVAPI32 ref: 00007FF6C20EFA22
RegQueryValueExW.KERNEL32 ref: 00007FF6C20EFA55
RegCloseKey.ADVAPI32 ref: 00007FF6C20EFACB

Part of subcall function 00007FF6C20FDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20FDFE8
Part of subcall function 00007FF6C20FDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20FDFEE

RegQueryValueExW.ADVAPI32 ref: 00007FF6C20EFAB4
SHGetFolderPathW.SHELL32 ref: 00007FF6C20EFAEF
lstrcatW.KERNEL32 ref: 00007FF6C20EFB03
CreateFileW.KERNEL32 ref: 00007FF6C20EFB34
lstrlenW.KERNEL32 ref: 00007FF6C20EFB44
WriteFile.KERNEL32 ref: 00007FF6C20EFB61
CloseHandle.KERNEL32 ref: 00007FF6C20EFB6A
FindFirstFileW.KERNEL32 ref: 00007FF6C20EFB7E
FindClose.KERNEL32 ref: 00007FF6C20EFB94
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20EFCFE

Strings

\kernelquick.sys, xrefs: 00007FF6C20EFAF5
WeChat.exe, xrefs: 00007FF6C20EF5A9
C:\ProgramData\Mylnk, xrefs: 00007FF6C20EF896
WXWork.exe, xrefs: 00007FF6C20EF501
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 00007FF6C20EF6B1
%d min, xrefs: 00007FF6C20EF489
C:\Users, xrefs: 00007FF6C20EF812
Telegram.exe, xrefs: 00007FF6C20EF64C
Startup, xrefs: 00007FF6C20EF718, 00007FF6C20EF77C
OpenAi_Service, xrefs: 00007FF6C20EF96F, 00007FF6C20EF9CE, 00007FF6C20EFA4E, 00007FF6C20EFAAD
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF6C20EF935, 00007FF6C20EFA14

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Process32QueryValue$Close$CreateFirst$FileNextOpenSnapshotToolhelp32$Concurrency::cancel_current_taskFindWindow$CountFolderForegroundHandleInfoInputLastPathTextTickWrite_invalid_parameter_noinfo_noreturnlstrcatlstrlenwsprintf
String ID: %d min$C:\ProgramData\Mylnk$C:\Users$OpenAi_Service$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Startup$Telegram.exe$WXWork.exe$WeChat.exe$\kernelquick.sys
API String ID: 3029130142-1423135667
Opcode ID: 77770f3fe4e5ae1fd40f8f499dfc1e97523b9b5445e13bf16ce9108d366140f7
Instruction ID: 98eeaffea96d4f61188c62ce469dc6c9f8c1c70a98138c20653957c3a0284466
Opcode Fuzzy Hash: 77770f3fe4e5ae1fd40f8f499dfc1e97523b9b5445e13bf16ce9108d366140f7
Instruction Fuzzy Hash: 2E329062B0868285EB20CF24D4086B977A1FB95B89F855132DFDD87B94DFBCE684C740

Function 00007FF6C20FAE60 Relevance: 75.8, APIs: 27, Strings: 16, Instructions: 529stringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF6C20FAE95
RegQueryValueExW.KERNEL32 ref: 00007FF6C20FAEC6
RegQueryValueExW.ADVAPI32 ref: 00007FF6C20FAF25
lstrlenW.KERNEL32 ref: 00007FF6C20FAF32
lstrlenW.KERNEL32 ref: 00007FF6C20FAF53
lstrlenW.KERNEL32 ref: 00007FF6C20FAF66
lstrlenW.KERNEL32 ref: 00007FF6C20FAFFF
lstrlenW.KERNEL32 ref: 00007FF6C20FB020
lstrlenW.KERNEL32 ref: 00007FF6C20FB033
lstrlenW.KERNEL32 ref: 00007FF6C20FB0CB
lstrlenW.KERNEL32 ref: 00007FF6C20FB0DE
lstrlenW.KERNEL32 ref: 00007FF6C20FB161
lstrlenW.KERNEL32 ref: 00007FF6C20FB182
lstrlenW.KERNEL32 ref: 00007FF6C20FB195
lstrlenW.KERNEL32 ref: 00007FF6C20FB22F
lstrlenW.KERNEL32 ref: 00007FF6C20FB250
lstrlenW.KERNEL32 ref: 00007FF6C20FB263
lstrlenW.KERNEL32 ref: 00007FF6C20FB2FB
lstrlenW.KERNEL32 ref: 00007FF6C20FB30E
lstrlenW.KERNEL32 ref: 00007FF6C20FB391
lstrlenW.KERNEL32 ref: 00007FF6C20FB3B2
lstrlenW.KERNEL32 ref: 00007FF6C20FB3C5
lstrlenW.KERNEL32 ref: 00007FF6C20FB45F
lstrlenW.KERNEL32 ref: 00007FF6C20FB480
lstrlenW.KERNEL32 ref: 00007FF6C20FB493
lstrlenW.KERNEL32 ref: 00007FF6C20FB52B
lstrlenW.KERNEL32 ref: 00007FF6C20FB53E

Strings

Console, xrefs: 00007FF6C20FAE87
192.238.134.113, xrefs: 00007FF6C20FB15A, 00007FF6C20FB169, 00007FF6C20FB219
t3:, xrefs: 00007FF6C20FB531
o1:, xrefs: 00007FF6C20FB026
t1:, xrefs: 00007FF6C20FB0D1
Vendata, xrefs: 00007FF6C20FAEBF, 00007FF6C20FAF1E
p2:, xrefs: 00007FF6C20FB188
o3:, xrefs: 00007FF6C20FB486
p3:, xrefs: 00007FF6C20FB3B8
192.238.134.113, xrefs: 00007FF6C20FB38A, 00007FF6C20FB399, 00007FF6C20FB449
4433, xrefs: 00007FF6C20FAFF8, 00007FF6C20FB007, 00007FF6C20FB0B9
192.238.134.113, xrefs: 00007FF6C20FAF2B, 00007FF6C20FAF3A, 00007FF6C20FAFE9
o2:, xrefs: 00007FF6C20FB256
p1:, xrefs: 00007FF6C20FAF59
t2:, xrefs: 00007FF6C20FB301
10443, xrefs: 00007FF6C20FB228, 00007FF6C20FB237, 00007FF6C20FB2E9

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrlen$QueryValue$Open
String ID: 10443$192.238.134.113$192.238.134.113$192.238.134.113$4433$Console$Vendata$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 1772312705-4199381161
Opcode ID: e9763d1a573506a6c5f52fab13ecf1f8c208e4fec7a72f7b0df219955d443a2f
Instruction ID: c43804cfd9aea00b590c7280c69a9559ed9df134567b8a2df73ccd81255cc6d2
Opcode Fuzzy Hash: e9763d1a573506a6c5f52fab13ecf1f8c208e4fec7a72f7b0df219955d443a2f
Instruction Fuzzy Hash: 8522B761F5862781EA249F18E55467A63A1FF98B4EF825032CECEC2F91DFBCE1458704

Function 00007FF6C20E72D0 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6C20EA300: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20EA4A0
Part of subcall function 00007FF6C20EA300: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20EA4A6

MultiByteToWideChar.KERNEL32 ref: 00007FF6C20E767F
MultiByteToWideChar.KERNEL32 ref: 00007FF6C20E76A6

Strings

X64, xrefs: 00007FF6C20E74F1, 00007FF6C20E750E
<, xrefs: 00007FF6C20E79DD
\DisplaySessionContainers.log, xrefs: 00007FF6C20E78A3
key, xrefs: 00007FF6C20E7832
open, xrefs: 00007FF6C20E7826

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ByteCharMultiWide$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: <$X64$\DisplaySessionContainers.log$key$open
API String ID: 143101810-941791203
Opcode ID: a156107f8c53ddcc210f2a4acee747cea3435655495c8a579799f45f1d1ec670
Instruction ID: 222c5f6db26c35bf7761cafd26a4b136e2d3666e373a4184dc7bd33db9bddb31
Opcode Fuzzy Hash: a156107f8c53ddcc210f2a4acee747cea3435655495c8a579799f45f1d1ec670
Instruction Fuzzy Hash: D3227162B18B8192EB10DF25E4442AE6361FB94B99F504232EFDD83BA4DF7CD585C780

Function 00007FF6C20EFD10 Relevance: 54.6, APIs: 26, Strings: 5, Instructions: 318
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 00007FF6C20EFD3C
GetDC.USER32 ref: 00007FF6C20EFD45
CreateCompatibleDC.GDI32 ref: 00007FF6C20EFD51
GetDC.USER32 ref: 00007FF6C20EFD5C
GetDeviceCaps.GDI32 ref: 00007FF6C20EFD6D
GetDeviceCaps.GDI32 ref: 00007FF6C20EFD7D
ReleaseDC.USER32 ref: 00007FF6C20EFD9A
GetSystemMetrics.USER32 ref: 00007FF6C20EFDC3
GetSystemMetrics.USER32 ref: 00007FF6C20EFDFE
GetSystemMetrics.USER32 ref: 00007FF6C20EFE4C
GetSystemMetrics.USER32 ref: 00007FF6C20EFE66
CreateCompatibleBitmap.GDI32 ref: 00007FF6C20EFE84
SelectObject.GDI32 ref: 00007FF6C20EFE98
SetStretchBltMode.GDI32 ref: 00007FF6C20EFEA6
GetSystemMetrics.USER32 ref: 00007FF6C20EFEB1
GetSystemMetrics.USER32 ref: 00007FF6C20EFECB
StretchBlt.GDI32 ref: 00007FF6C20EFF0C
GetDIBits.GDI32 ref: 00007FF6C20EFFD2

Part of subcall function 00007FF6C20FDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20FDFE8
Part of subcall function 00007FF6C20FDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20FDFEE

Part of subcall function 00007FF6C20F0220: GlobalAlloc.KERNEL32 ref: 00007FF6C20F0258
Part of subcall function 00007FF6C20F0220: GlobalLock.KERNEL32 ref: 00007FF6C20F0264
Part of subcall function 00007FF6C20F0220: GlobalUnlock.KERNEL32 ref: 00007FF6C20F027B
Part of subcall function 00007FF6C20F0220: CreateStreamOnHGlobal.OLE32 ref: 00007FF6C20F0291
Part of subcall function 00007FF6C20F0220: EnterCriticalSection.KERNEL32 ref: 00007FF6C20F02DF
Part of subcall function 00007FF6C20F0220: LeaveCriticalSection.KERNEL32 ref: 00007FF6C20F02EC
Part of subcall function 00007FF6C20F0220: GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF6C20F031A
Part of subcall function 00007FF6C20F0220: GdipDisposeImage.GDIPLUS ref: 00007FF6C20F0330
Part of subcall function 00007FF6C20F0220: DeleteObject.GDI32 ref: 00007FF6C20F05A4
Part of subcall function 00007FF6C20F0220: EnterCriticalSection.KERNEL32 ref: 00007FF6C20F05B6
Part of subcall function 00007FF6C20F0220: EnterCriticalSection.KERNEL32 ref: 00007FF6C20F05C6
Part of subcall function 00007FF6C20F0220: GdiplusShutdown.GDIPLUS ref: 00007FF6C20F05D4

DeleteObject.GDI32 ref: 00007FF6C20F0091
DeleteObject.GDI32 ref: 00007FF6C20F009A
ReleaseDC.USER32 ref: 00007FF6C20F00A5
DeleteObject.GDI32 ref: 00007FF6C20F0165
DeleteObject.GDI32 ref: 00007FF6C20F016E
ReleaseDC.USER32 ref: 00007FF6C20F0179
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F020D

Strings

gfff, xrefs: 00007FF6C20EFE08
(, xrefs: 00007FF6C20EFF15
gfff, xrefs: 00007FF6C20EFDE2
, xrefs: 00007FF6C20EFED1
6, xrefs: 00007FF6C20EFF72

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: MetricsObjectSystem$Delete$CreateCriticalGlobalSection$EnterRelease$BitmapCapsCompatibleConcurrency::cancel_current_taskDeviceGdipStreamStretch$AllocBitsDesktopDisposeFromGdiplusImageLeaveLockModeSelectShutdownUnlockWindow_invalid_parameter_noinfo_noreturn
String ID: $($6$gfff$gfff
API String ID: 1610826097-2922166585
Opcode ID: 9268ed5fa4fae6bcec40410b5ce8732adc3c7e98fe7ceeb40a54cfb4e8bb88cd
Instruction ID: e6d1faefa36bac5f054bba11e845981d8f415eab111be0b3ef9506385a0b614f
Opcode Fuzzy Hash: 9268ed5fa4fae6bcec40410b5ce8732adc3c7e98fe7ceeb40a54cfb4e8bb88cd
Instruction Fuzzy Hash: E1D1C371A1878182E7159F35E40436AA2A2FF99F89F018236DE8D97B55DF7CD4C4C740

Function 00007FF6C20E8A40 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(00001334,00000000,00000000,00001334,?,00007FF6C20E8C70), ref: 00007FF6C20E8A53
OpenProcess.KERNEL32 ref: 00007FF6C20E8A63
OpenProcessToken.ADVAPI32 ref: 00007FF6C20E8A86
CloseHandle.KERNEL32 ref: 00007FF6C20E8A93
SysStringLen.OLEAUT32 ref: 00007FF6C20E8AE1
SysStringLen.OLEAUT32 ref: 00007FF6C20E8AF9
CloseHandle.KERNEL32 ref: 00007FF6C20E8B5F
CloseHandle.KERNEL32 ref: 00007FF6C20E8B68
SysFreeString.OLEAUT32 ref: 00007FF6C20E8BA1
SysFreeString.OLEAUT32 ref: 00007FF6C20E8BE5
GetCurrentProcessId.KERNEL32 ref: 00007FF6C20E8C4B
wsprintfW.USER32 ref: 00007FF6C20E8C62

Part of subcall function 00007FF6C20E8A40: GetVersionExW.KERNEL32 ref: 00007FF6C20E8C91
Part of subcall function 00007FF6C20E8A40: GetCurrentProcess.KERNEL32 ref: 00007FF6C20E8CBD
Part of subcall function 00007FF6C20E8A40: OpenProcessToken.ADVAPI32 ref: 00007FF6C20E8CD3
Part of subcall function 00007FF6C20E8A40: GetTokenInformation.KERNELBASE ref: 00007FF6C20E8D08
Part of subcall function 00007FF6C20E8A40: GetLastError.KERNEL32 ref: 00007FF6C20E8D16
Part of subcall function 00007FF6C20E8A40: LocalAlloc.KERNEL32 ref: 00007FF6C20E8D35
Part of subcall function 00007FF6C20E8A40: GetTokenInformation.KERNELBASE ref: 00007FF6C20E8D68
Part of subcall function 00007FF6C20E8A40: GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF6C20E8D75
Part of subcall function 00007FF6C20E8A40: GetSidSubAuthority.ADVAPI32 ref: 00007FF6C20E8D83
Part of subcall function 00007FF6C20E8A40: LocalFree.KERNEL32 ref: 00007FF6C20E8D8E
Part of subcall function 00007FF6C20E8A40: CloseHandle.KERNEL32 ref: 00007FF6C20E8DA4
Part of subcall function 00007FF6C20E8A40: wsprintfW.USER32 ref: 00007FF6C20E8E03

Strings

None/%s, xrefs: 00007FF6C20E8DF2
NO/, xrefs: 00007FF6C20E8DE9
-N/, xrefs: 00007FF6C20E8DE0
VenNetwork, xrefs: 00007FF6C20E8C30

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Process$CloseHandleStringToken$CurrentFreeOpen$AuthorityInformationLocalwsprintf$AllocCountErrorLastVersion
String ID: -N/$NO/$None/%s$VenNetwork
API String ID: 166307840-819860926
Opcode ID: 718425a93fc7a6cb4dcfacf082e235d535518e74dea5eaa6a08581fcc943249b
Instruction ID: 2746cadc0bf08dd7ab8911977de76cce357c54aa9c0d75730a8877cf7111d1b0
Opcode Fuzzy Hash: 718425a93fc7a6cb4dcfacf082e235d535518e74dea5eaa6a08581fcc943249b
Instruction Fuzzy Hash: DEB15F25B0974282FA259F21E4502B963A1FF94B8AF054436DECEC7BA4DFBCD585C780

Function 00007FF6C20E8710 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 244
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00007FF6C20E8782
SysAllocString.OLEAUT32 ref: 00007FF6C20E87DF
GetTokenInformation.KERNELBASE ref: 00007FF6C20E8829
GetLastError.KERNEL32 ref: 00007FF6C20E8833
GetProcessHeap.KERNEL32 ref: 00007FF6C20E8849
HeapAlloc.KERNEL32 ref: 00007FF6C20E885A
GetTokenInformation.KERNELBASE ref: 00007FF6C20E888C
LookupAccountSidW.ADVAPI32 ref: 00007FF6C20E88CA
GetLastError.KERNEL32 ref: 00007FF6C20E88D4
SysAllocString.OLEAUT32 ref: 00007FF6C20E895C
SysAllocString.OLEAUT32 ref: 00007FF6C20E89C6
GetProcessHeap.KERNEL32 ref: 00007FF6C20E89EB
HeapFree.KERNEL32 ref: 00007FF6C20E89F9
GetCurrentProcessId.KERNEL32(00001334,00000000,00000000,00001334,?,00007FF6C20E8C70), ref: 00007FF6C20E8A53
OpenProcess.KERNEL32 ref: 00007FF6C20E8A63
OpenProcessToken.ADVAPI32 ref: 00007FF6C20E8A86
CloseHandle.KERNEL32 ref: 00007FF6C20E8A93

Strings

NONE_MAPPED, xrefs: 00007FF6C20E88E1

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: AllocProcess$HeapString$Token$ErrorInformationLastOpen$AccountCloseCurrentFreeHandleLookup
String ID: NONE_MAPPED
API String ID: 1410310566-2950899194
Opcode ID: 153f7837cc86bcbbc492fb4a375331227a21e9cb239b2b2f7dd34d1ee50442fc
Instruction ID: 532b0d3777d17678cea468492d73ace10dc5a6ea14269f981bd4dba623873f5c
Opcode Fuzzy Hash: 153f7837cc86bcbbc492fb4a375331227a21e9cb239b2b2f7dd34d1ee50442fc
Instruction Fuzzy Hash: C6A18331B09B4281FA558F11E41427962E5FF94B89F5A4436DECD87BA0EFBCE885C350

Function 00007FF6C20E7A60 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216
stringregistrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6C20E7AEB
Process32FirstW.KERNEL32 ref: 00007FF6C20E7B08
Process32NextW.KERNEL32 ref: 00007FF6C20E7B43
CloseHandle.KERNEL32 ref: 00007FF6C20E7B50
CoCreateInstance.COMBASE ref: 00007FF6C20E7B9F
wsprintfW.USER32 ref: 00007FF6C20E7CA5
RegOpenKeyExW.ADVAPI32 ref: 00007FF6C20E7CD5
RegQueryValueExW.KERNEL32 ref: 00007FF6C20E7D36
lstrcatW.KERNEL32 ref: 00007FF6C20E7D4A
lstrcatW.KERNEL32 ref: 00007FF6C20E7D5A
RegCloseKey.ADVAPI32 ref: 00007FF6C20E7D67
lstrlenW.KERNEL32 ref: 00007FF6C20E7DA4
lstrcatW.KERNEL32 ref: 00007FF6C20E7DB8
CloseHandle.KERNEL32 ref: 00007FF6C20E7DE5
lstrcatW.KERNEL32 ref: 00007FF6C20E7DFD
lstrcatW.KERNEL32 ref: 00007FF6C20E7E0D

Strings

CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 00007FF6C20E7C97
Windows Defender IOfficeAntiVirus implementation , xrefs: 00007FF6C20E7A84

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrcat$Close$CreateHandleProcess32$FirstInstanceNextOpenQuerySnapshotToolhelp32Valuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 582347850-1583895642
Opcode ID: 172064aca06d7bab2ac812725ebad370c198c4fa5686a0e3f00f667ec9231332
Instruction ID: 88f046564ead17b9b48879be62b0ef0a246991e0fca7f84e4808d32cb4591089
Opcode Fuzzy Hash: 172064aca06d7bab2ac812725ebad370c198c4fa5686a0e3f00f667ec9231332
Instruction Fuzzy Hash: 23A16222B0879286E720CF25E8406AA67B1FB85B5EF544136DE8D87B68DF7CD684C740

Function 00007FF6C20EB410 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 232
memorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32 ref: 00007FF6C20EB444

Part of subcall function 00007FF6C20E1200: GetProcessHeap.KERNEL32 ref: 00007FF6C20E1236

HeapCreate.KERNEL32 ref: 00007FF6C20EB50F
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6C20EB56F
CreateEventW.KERNEL32 ref: 00007FF6C20EB5A2
CreateEventW.KERNEL32 ref: 00007FF6C20EB5C2
CreateEventW.KERNEL32 ref: 00007FF6C20EB5E2
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6C20EB6B3
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6C20EB6C7
timeGetTime.WINMM ref: 00007FF6C20EB739
CreateEventW.KERNEL32 ref: 00007FF6C20EB74F
CreateEventW.KERNEL32 ref: 00007FF6C20EB763

Strings

<, xrefs: 00007FF6C20EB484
<, xrefs: 00007FF6C20EB47D

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Create$Event$CountCriticalInitializeSectionSpin$Heap$ProcessTimetime
String ID: <$<
API String ID: 2446585644-213342407
Opcode ID: 4a3ea3394690932cb0d2d856ce8909e67e1cf7f35bb4a36878bb821cefc6b694
Instruction ID: 58d4402fbf8c222603273566057e00630a402c4eab3791f99b5e2bb886ba289a
Opcode Fuzzy Hash: 4a3ea3394690932cb0d2d856ce8909e67e1cf7f35bb4a36878bb821cefc6b694
Instruction Fuzzy Hash: 34B13972605B818AE754CF35E4857A933A5FB04B09F58413DCF8C8BB99DFB8A0A4C758

Function 00007FF6C20FC400 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 128fileCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FF6C20FC42F
CreateFileW.KERNEL32 ref: 00007FF6C20FC45A
DeviceIoControl.KERNEL32 ref: 00007FF6C20FC4AA
DeviceIoControl.KERNEL32 ref: 00007FF6C20FC511

Part of subcall function 00007FF6C20FC640: WideCharToMultiByte.KERNEL32 ref: 00007FF6C20FC675
Part of subcall function 00007FF6C20FC640: WideCharToMultiByte.KERNEL32 ref: 00007FF6C20FC6B0

DeviceIoControl.KERNEL32 ref: 00007FF6C20FC571
DeviceIoControl.KERNEL32 ref: 00007FF6C20FC5D0

Part of subcall function 00007FF6C20FC2D0: CreateFileA.KERNEL32 ref: 00007FF6C20FC379
Part of subcall function 00007FF6C20FC2D0: DeviceIoControl.KERNEL32 ref: 00007FF6C20FC3C1

CloseHandle.KERNEL32 ref: 00007FF6C20FC5FE
CloseHandle.KERNEL32 ref: 00007FF6C20FC623

Strings

\\.\HCD%d, xrefs: 00007FF6C20FC423

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ControlDevice$ByteCharCloseCreateFileHandleMultiWide$wsprintf
String ID: \\.\HCD%d
API String ID: 2324936672-2696249065
Opcode ID: 976449f406f44e82ee4552859a2aa0bd98404e5d535f3e00274a106eb8da92fd
Instruction ID: 11d7563d83d332e8a4d80341969602af75b7facf0e329e83d75dc0b982070188
Opcode Fuzzy Hash: 976449f406f44e82ee4552859a2aa0bd98404e5d535f3e00274a106eb8da92fd
Instruction Fuzzy Hash: 29516C32B0C78186EA60DF11B4817AB66A4EB85B9AF042135DECE87F95DF7CD055CB00

Function 00007FF6C20FBDF0 Relevance: 15.0, APIs: 10, Instructions: 33threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C20FBDFB
GetConsoleWindow.KERNEL32 ref: 00007FF6C20FBE01
ShowWindow.USER32 ref: 00007FF6C20FBE0C
GetCurrentThreadId.KERNEL32 ref: 00007FF6C20FBE12
PostThreadMessageA.USER32 ref: 00007FF6C20FBE22
GetInputState.USER32 ref: 00007FF6C20FBE28
CreateThread.KERNEL32 ref: 00007FF6C20FBE47
WaitForSingleObject.KERNEL32 ref: 00007FF6C20FBE5C
CloseHandle.KERNEL32 ref: 00007FF6C20FBE69
Sleep.KERNEL32 ref: 00007FF6C20FBE74

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Thread$Window$CloseConsoleCreateCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait
String ID:
API String ID: 2277684705-0
Opcode ID: 1f499c150cbe33159222533ec4b742c736879ee302e7e86ebc66b87cb5efa357
Instruction ID: 95183a280a2dd9a9900f1a9173bd10c0d9823e7eee84ee49e7deb1466c21aee6
Opcode Fuzzy Hash: 1f499c150cbe33159222533ec4b742c736879ee302e7e86ebc66b87cb5efa357
Instruction Fuzzy Hash: BF01C825A18B4282E314DF70EC5556A22A2FF98F1BF414135CE9EC2B70EEBCD485C600

Function 00007FF6C2112048 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6C211208D

Part of subcall function 00007FF6C2111704: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2111718

Part of subcall function 00007FF6C210E95C: RtlFreeHeap.NTDLL(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E972
Part of subcall function 00007FF6C210E95C: GetLastError.KERNEL32(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E97C

Part of subcall function 00007FF6C2104028: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6C2103FD7,?,?,?,?,?,00007FF6C2103EC2), ref: 00007FF6C2104031
Part of subcall function 00007FF6C2104028: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6C2103FD7,?,?,?,?,?,00007FF6C2103EC2), ref: 00007FF6C2104056

Part of subcall function 00007FF6C211A1B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C211A0FF

_get_daylight.LIBCMT ref: 00007FF6C211207C

Part of subcall function 00007FF6C2111764: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2111778

_get_daylight.LIBCMT ref: 00007FF6C21122F2
_get_daylight.LIBCMT ref: 00007FF6C2112303
_get_daylight.LIBCMT ref: 00007FF6C2112314
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6C2112554), ref: 00007FF6C211233B

Strings

Eastern Summer Time, xrefs: 00007FF6C21123F9
Eastern Standard Time, xrefs: 00007FF6C21123E1

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 5190737fcedb8824ad4a2f5adc1dd419c442ee6d8cf329e1688e58de2abb36f5
Instruction ID: 0864b0eb4758591121ef54402535f1c33f351547bc2ad99bd5d19666b3f0d5ed
Opcode Fuzzy Hash: 5190737fcedb8824ad4a2f5adc1dd419c442ee6d8cf329e1688e58de2abb36f5
Instruction Fuzzy Hash: 34D1BD26A0826286EB24EF2698511B96761FF64F99F448135EF8DC7F85DFBCE481C340

Function 00007FF6C20E80C0 Relevance: 10.9, APIs: 7, Instructions: 424COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C20FC400: wsprintfW.USER32 ref: 00007FF6C20FC42F
Part of subcall function 00007FF6C20FC400: CreateFileW.KERNEL32 ref: 00007FF6C20FC45A
Part of subcall function 00007FF6C20FC400: DeviceIoControl.KERNEL32 ref: 00007FF6C20FC4AA
Part of subcall function 00007FF6C20FC400: DeviceIoControl.KERNEL32 ref: 00007FF6C20FC511
Part of subcall function 00007FF6C20FC400: DeviceIoControl.KERNEL32 ref: 00007FF6C20FC571
Part of subcall function 00007FF6C20FC400: DeviceIoControl.KERNEL32 ref: 00007FF6C20FC5D0

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20E86F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20E86F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20E86FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20E8702

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ControlDevice_invalid_parameter_noinfo_noreturn$CreateFilewsprintf
String ID:
API String ID: 3155671162-0
Opcode ID: b340a1fa3acb893865ad2ef9f08c6749c254f50d214876e63c374723e95af656
Instruction ID: 16ae143297ae67d06a699d0a51a12d7e204e9ab1f08d64062e4d2919482af509
Opcode Fuzzy Hash: b340a1fa3acb893865ad2ef9f08c6749c254f50d214876e63c374723e95af656
Instruction Fuzzy Hash: 0A029062F18B8185EB00DF61E4502AD23A1FB55B9DF014236EEDD97BD9DEB8E485C340

Function 00007FF6C21122C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6C21122F2

Part of subcall function 00007FF6C2111764: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2111778

_get_daylight.LIBCMT ref: 00007FF6C2112303

Part of subcall function 00007FF6C2111704: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2111718

_get_daylight.LIBCMT ref: 00007FF6C2112314

Part of subcall function 00007FF6C2111734: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2111748

Part of subcall function 00007FF6C210E95C: RtlFreeHeap.NTDLL(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E972
Part of subcall function 00007FF6C210E95C: GetLastError.KERNEL32(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E97C

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6C2112554), ref: 00007FF6C211233B

Strings

Eastern Summer Time, xrefs: 00007FF6C21123F9
Eastern Standard Time, xrefs: 00007FF6C21123E1

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 2133f9b6c4e90f95ebb1c2c4b763d73db315d9997485f014e8f6b7b9b98ca04f
Instruction ID: 3a7ba6365e7c7fee75a72f1e88f515cdd219dc7014511ef21cc56782a5d33bf0
Opcode Fuzzy Hash: 2133f9b6c4e90f95ebb1c2c4b763d73db315d9997485f014e8f6b7b9b98ca04f
Instruction Fuzzy Hash: 7E517A32A1865286E720DF26E8915A96761BF68B89F404135EF8DC3F96DFBCE480C740

Function 00007FF6C2108EB0 Relevance: 9.2, APIs: 6, Instructions: 249COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2108ED2
_get_daylight.LIBCMT ref: 00007FF6C2108F32
_get_daylight.LIBCMT ref: 00007FF6C2108F43
_get_daylight.LIBCMT ref: 00007FF6C2108F54
_isindst.LIBCMT ref: 00007FF6C2108FA5
_isindst.LIBCMT ref: 00007FF6C2108FF8

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: 94003a780ed234a965d2311ace6d53ea410cbd1e40622ac1b689e0d0deb2975f
Instruction ID: 64e560259493ab4f115a71e2533a4ed14ef4f8e37f1e681a8688d2fcd43b9713
Opcode Fuzzy Hash: 94003a780ed234a965d2311ace6d53ea410cbd1e40622ac1b689e0d0deb2975f
Instruction Fuzzy Hash: FB91D4B2B043868AEB588F29C9112A967A5EB54F8DF048035DF4DCBB89EF7CE551C700

Function 00007FF6C20E3B00 Relevance: 4.7, APIs: 3, Instructions: 151timenetworkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF6C20E3BF5
recv.WS2_32 ref: 00007FF6C20E3C1B

Part of subcall function 00007FF6C20E1500: VirtualAlloc.KERNEL32 ref: 00007FF6C20E1575
Part of subcall function 00007FF6C20E1500: VirtualFree.KERNELBASE ref: 00007FF6C20E15AF

timeGetTime.WINMM ref: 00007FF6C20E3D04

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocFreeTimerecvselecttime
String ID:
API String ID: 1996171534-0
Opcode ID: 23a90fc057aa06d069fd8243b6c9acbfff7205866c389b5e17964529276d1c99
Instruction ID: 6813c2b83809352e0cb73355537ba96f9e5a2bfd54cd647bb48f87267a1e9ecf
Opcode Fuzzy Hash: 23a90fc057aa06d069fd8243b6c9acbfff7205866c389b5e17964529276d1c99
Instruction Fuzzy Hash: 88715B62B18A8581EB209F28E4042BD7761FB94B8DF15923ADFCD83755DF79E484C740

Function 00007FF6C20E1500 Relevance: 2.6, APIs: 2, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6C20E1575
VirtualFree.KERNELBASE ref: 00007FF6C20E15AF

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: bdec6c309521b78e3869a161020c8be31cfe41798d2485b5db3fb8b25cd2d730
Instruction ID: 0a06e6bae4fa035fa2ec9fdde400f28331e4d15f8725b359d2770a19641d35fb
Opcode Fuzzy Hash: bdec6c309521b78e3869a161020c8be31cfe41798d2485b5db3fb8b25cd2d730
Instruction Fuzzy Hash: 814107727086418AE709CF2AE45066AA755FB84FC9F054139EF8EC7745EE78D981C780

Function 00007FF6C20F0220 Relevance: 45.3, APIs: 30, Instructions: 260
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 00007FF6C20F0258
GlobalLock.KERNEL32 ref: 00007FF6C20F0264
GlobalUnlock.KERNEL32 ref: 00007FF6C20F027B
CreateStreamOnHGlobal.OLE32 ref: 00007FF6C20F0291
GlobalFree.KERNEL32 ref: 00007FF6C20F05F4

Part of subcall function 00007FF6C20E61E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF6C20E6231
Part of subcall function 00007FF6C20E61E0: GetLastError.KERNEL32 ref: 00007FF6C20E623B

EnterCriticalSection.KERNEL32 ref: 00007FF6C20F02DF
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20F02EC
GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF6C20F031A
GdipDisposeImage.GDIPLUS ref: 00007FF6C20F0330
GdipDisposeImage.GDIPLUS ref: 00007FF6C20F034E
CreateStreamOnHGlobal.OLE32 ref: 00007FF6C20F036B
GetHGlobalFromStream.OLE32 ref: 00007FF6C20F0392
GlobalLock.KERNEL32 ref: 00007FF6C20F039C
GlobalFree.KERNEL32 ref: 00007FF6C20F03BB
DeleteObject.GDI32 ref: 00007FF6C20F03EB
EnterCriticalSection.KERNEL32 ref: 00007FF6C20F03FD
EnterCriticalSection.KERNEL32 ref: 00007FF6C20F040D
GdiplusShutdown.GDIPLUS ref: 00007FF6C20F041B
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20F0428
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20F0432
DeleteObject.GDI32 ref: 00007FF6C20F05A4
EnterCriticalSection.KERNEL32 ref: 00007FF6C20F05B6
EnterCriticalSection.KERNEL32 ref: 00007FF6C20F05C6
GdiplusShutdown.GDIPLUS ref: 00007FF6C20F05D4
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20F05E1
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20F05EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F0618

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$Global$EnterLeave$Stream$CreateGdip$DeleteDisposeFreeFromGdiplusImageLockObjectShutdown$AllocBitmapErrorInitializeLastUnlock_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 953580087-0
Opcode ID: 95f9102791bae23428d256b808952fa6c2f0dd8150e6595b9474aac6058de54d
Instruction ID: 70300724975207970b7643951170a5ff81e9c063c8cfb443834be3b4686f393f
Opcode Fuzzy Hash: 95f9102791bae23428d256b808952fa6c2f0dd8150e6595b9474aac6058de54d
Instruction Fuzzy Hash: EBC14D36B08B428AEB00DF65E4041AE3376FB54B5EB014136DE9D97B99DFB8E489C344

Function 00007FF6C20EC340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS ref: 00007FF6C20EC377
GdipGetImageHeight.GDIPLUS ref: 00007FF6C20EC3F4
GdipGetImageWidth.GDIPLUS ref: 00007FF6C20EC41A
GdipGetImagePaletteSize.GDIPLUS ref: 00007FF6C20EC470
GdipGetImagePalette.GDIPLUS ref: 00007FF6C20EC4F1
CreateCompatibleDC.GDI32 ref: 00007FF6C20EC588
SelectObject.GDI32 ref: 00007FF6C20EC599
SetDIBColorTable.GDI32 ref: 00007FF6C20EC5B7
SelectObject.GDI32 ref: 00007FF6C20EC5CC
DeleteDC.GDI32 ref: 00007FF6C20EC5F6
GdipBitmapLockBits.GDIPLUS ref: 00007FF6C20EC646
GdipBitmapUnlockBits.GDIPLUS ref: 00007FF6C20EC6D3
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF6C20EC702
GdipGetImageGraphicsContext.GDIPLUS ref: 00007FF6C20EC71D
GdipDrawImageI.GDIPLUS ref: 00007FF6C20EC737
GdipDeleteGraphics.GDIPLUS ref: 00007FF6C20EC740
GdipDisposeImage.GDIPLUS ref: 00007FF6C20EC74D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C20EC79F

Strings

&, xrefs: 00007FF6C20EC3D4

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Gdip$Image$Bitmap$BitsCreateDeleteGraphicsObjectPaletteSelect$ColorCompatibleContextDisposeDrawFormatFromHeightLockPixelScan0SizeTableUnlockWidth_invalid_parameter_noinfo
String ID: &
API String ID: 4034434136-3042966939
Opcode ID: a499d526fc759152f962bd8ac92b94fef4b08a799c35396b5de34858d35d3e9a
Instruction ID: 73510f9f643af0cbc431e42adf69fb94c225714defb66555d69d03d10f849fc2
Opcode Fuzzy Hash: a499d526fc759152f962bd8ac92b94fef4b08a799c35396b5de34858d35d3e9a
Instruction Fuzzy Hash: B2D1BE727047828AEB208F21D4446AD37A5FB04B9DF028036DF9D97B84DFB9E980C780

Function 00007FF6C20E3820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 00007FF6C20E3840
timeGetTime.WINMM ref: 00007FF6C20E384F
socket.WS2_32 ref: 00007FF6C20E387C
lstrlenW.KERNEL32 ref: 00007FF6C20E389E
WideCharToMultiByte.KERNEL32 ref: 00007FF6C20E38C2
lstrlenW.KERNEL32 ref: 00007FF6C20E38DA
WideCharToMultiByte.KERNEL32 ref: 00007FF6C20E38FD
gethostbyname.WS2_32 ref: 00007FF6C20E390A
htons.WS2_32 ref: 00007FF6C20E3938
connect.WS2_32 ref: 00007FF6C20E3962
setsockopt.WS2_32 ref: 00007FF6C20E399E
setsockopt.WS2_32 ref: 00007FF6C20E39D1
setsockopt.WS2_32 ref: 00007FF6C20E3A04
setsockopt.WS2_32 ref: 00007FF6C20E3A2D
WSAIoctl.WS2_32 ref: 00007FF6C20E3A80

Strings

0u, xrefs: 00007FF6C20E39EB

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: setsockopt$ByteCharMultiWidelstrlen$EventIoctlResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 3082052849-3203441087
Opcode ID: bf00bf6d4c918ad4b15b4ac4507d87e622e3328d71f4f2b0ff17e7bcb51563e4
Instruction ID: 6b966f558693dbba7f17d6e97a3fa0562133d5c00c3bb6674d8c7534f5a1c716
Opcode Fuzzy Hash: bf00bf6d4c918ad4b15b4ac4507d87e622e3328d71f4f2b0ff17e7bcb51563e4
Instruction Fuzzy Hash: BC711972608B8186E7248F21F44476AB7A5FB84B99F004229EFCE87B54DF7DD189CB04

Function 00007FF6C20E8C30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF6C20E8C4B
wsprintfW.USER32 ref: 00007FF6C20E8C62

Part of subcall function 00007FF6C20E8A40: GetCurrentProcessId.KERNEL32(00001334,00000000,00000000,00001334,?,00007FF6C20E8C70), ref: 00007FF6C20E8A53
Part of subcall function 00007FF6C20E8A40: OpenProcess.KERNEL32 ref: 00007FF6C20E8A63
Part of subcall function 00007FF6C20E8A40: OpenProcessToken.ADVAPI32 ref: 00007FF6C20E8A86
Part of subcall function 00007FF6C20E8A40: CloseHandle.KERNEL32 ref: 00007FF6C20E8A93

GetVersionExW.KERNEL32 ref: 00007FF6C20E8C91
GetCurrentProcess.KERNEL32 ref: 00007FF6C20E8CBD
OpenProcessToken.ADVAPI32 ref: 00007FF6C20E8CD3
GetTokenInformation.KERNELBASE ref: 00007FF6C20E8D08
GetLastError.KERNEL32 ref: 00007FF6C20E8D16
LocalAlloc.KERNEL32 ref: 00007FF6C20E8D35
GetTokenInformation.KERNELBASE ref: 00007FF6C20E8D68
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF6C20E8D75
GetSidSubAuthority.ADVAPI32 ref: 00007FF6C20E8D83
LocalFree.KERNEL32 ref: 00007FF6C20E8D8E
CloseHandle.KERNEL32 ref: 00007FF6C20E8DA4
wsprintfW.USER32 ref: 00007FF6C20E8E03

Strings

VenNetwork, xrefs: 00007FF6C20E8C30

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion
String ID: VenNetwork
API String ID: 4155081256-3057682757
Opcode ID: 3f8584f5fcd7f5c6e2a43086911b50252391c07ec280dcb647a940034b709ca1
Instruction ID: c62e7282dbfd1b8c7cec452a947a83acbfba23849e7d68154f081f95cc25defb
Opcode Fuzzy Hash: 3f8584f5fcd7f5c6e2a43086911b50252391c07ec280dcb647a940034b709ca1
Instruction Fuzzy Hash: 94411A35B0C78282EB619F21E4443A92361FFA5B4AF454036DECEC2BA4DEBCD589C740

Function 00007FF6C20FBEF0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeviceIoControl.KERNEL32 ref: 00007FF6C20FBF94
DeviceIoControl.KERNEL32 ref: 00007FF6C20FC003
GlobalAlloc.KERNEL32 ref: 00007FF6C20FC032
DeviceIoControl.KERNEL32 ref: 00007FF6C20FC07C
GlobalFree.KERNEL32 ref: 00007FF6C20FC09E
DeviceIoControl.KERNEL32 ref: 00007FF6C20FC0ED
GlobalAlloc.KERNEL32 ref: 00007FF6C20FC115
DeviceIoControl.KERNEL32 ref: 00007FF6C20FC157
GlobalFree.KERNEL32 ref: 00007FF6C20FC170
GlobalFree.KERNEL32 ref: 00007FF6C20FC18F

Strings

- External Hub, xrefs: 00007FF6C20FC17B
%s-%s|, xrefs: 00007FF6C20FC1FB

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ControlDeviceGlobal$Free$Alloc
String ID: - External Hub$%s-%s|
API String ID: 3253977144-729331614
Opcode ID: 1f7e9db755a157d432911f1b9fe012dddbccf9669206c13c65b8f16a53449968
Instruction ID: 758a6093adc107f053d0cbb6d8addc85015265e56507af06782401577cefd33c
Opcode Fuzzy Hash: 1f7e9db755a157d432911f1b9fe012dddbccf9669206c13c65b8f16a53449968
Instruction Fuzzy Hash: 92B1AA72A08B8186E760CF60E8403AAB7A0FB85B99F454236DF8D97B94DF7CD585C704

Function 00007FF6C20ED9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20EDA44
GetLastInputInfo.USER32 ref: 00007FF6C20EDAAB
GetTickCount.KERNEL32 ref: 00007FF6C20EDAB1
wsprintfW.USER32 ref: 00007FF6C20EDAE4
RegOpenKeyExW.KERNEL32 ref: 00007FF6C20EDB72
RegQueryValueExW.KERNEL32 ref: 00007FF6C20EDBA3

Strings

Console, xrefs: 00007FF6C20EDB64
%d min, xrefs: 00007FF6C20EDADD
IpDatespecial, xrefs: 00007FF6C20EDB9C

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CountInfoInputLastOpenQueryTickValue_invalid_parameter_noinfo_noreturnwsprintf
String ID: %d min$Console$IpDatespecial
API String ID: 357503962-2712035571
Opcode ID: ace1b3d2cd48c08365a0f90486035991872f61de3151780784e465d55028fd4b
Instruction ID: e2a06dfe49ca288e8c0f040b322200421b70543f58ca584c1c8037b85af13b71
Opcode Fuzzy Hash: ace1b3d2cd48c08365a0f90486035991872f61de3151780784e465d55028fd4b
Instruction Fuzzy Hash: 1151BD72708E8685EB608F24EC443A923A5EB44B5EF454132DE8C87BA8DF79D689C740

Function 00007FF6C20EC7B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 00007FF6C20EC7E4
GdipGetImageEncoders.GDIPLUS ref: 00007FF6C20EC871
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF6C20EC915
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 00007FF6C20EC92D
GdipSaveImageToStream.GDIPLUS ref: 00007FF6C20EC944
GdipDisposeImage.GDIPLUS ref: 00007FF6C20EC951
GdipDisposeImage.GDIPLUS ref: 00007FF6C20EC95E

Strings

&, xrefs: 00007FF6C20EC8FD

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Gdip$Image$BitmapCreateDisposeEncodersFrom$SaveScan0SizeStream
String ID: &
API String ID: 370471037-3042966939
Opcode ID: 7f9e19e0c3492a4602d088b06f396f1b06bc9926d3b4bbca2e4df5d1cc66e2cf
Instruction ID: e0525705c6f9dd9287ffee70a69e70e054bf3a611b243b034d8f94f606dba40e
Opcode Fuzzy Hash: 7f9e19e0c3492a4602d088b06f396f1b06bc9926d3b4bbca2e4df5d1cc66e2cf
Instruction Fuzzy Hash: A5518532B0474286EB119F25D5046B82361FB54B9EF554132DEDD87B94DFBDE582C380

Function 00007FF6C20E9300 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6C20E931D
GetProcAddress.KERNEL32 ref: 00007FF6C20E932D
GetNativeSystemInfo.KERNEL32 ref: 00007FF6C20E933D
GetSystemInfo.KERNEL32 ref: 00007FF6C20E9341

Strings

kernel32.dll, xrefs: 00007FF6C20E9307
GetNativeSystemInfo, xrefs: 00007FF6C20E9326

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 06b04ae401ee5d5c7cc9b92bd00cef418c8d008ef26561d2b8b72a7f6fbba0c7
Instruction ID: eb9d991456e0420c60162be0aa30e2058a99b1da6e198716c075e371731f21b3
Opcode Fuzzy Hash: 06b04ae401ee5d5c7cc9b92bd00cef418c8d008ef26561d2b8b72a7f6fbba0c7
Instruction Fuzzy Hash: BEF06D15E18F8683EA50DF20D4502752251FFA8B0AF915335EDCEC1B55EFACD2D48640

Function 00007FF6C20E8E30 Relevance: 9.1, APIs: 6, Instructions: 67registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF6C20E8E92
RegQueryValueExW.KERNEL32 ref: 00007FF6C20E8EE9
lstrcmpW.KERNEL32 ref: 00007FF6C20E8EFF
RegCloseKey.KERNEL32 ref: 00007FF6C20E8F2F
RegCloseKey.ADVAPI32 ref: 00007FF6C20E8F3D

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcmp
String ID:
API String ID: 4288439342-0
Opcode ID: 9757e75af8232627abeb9f8389a1c3797a9351f61d8f1bccc733d4b1246574e8
Instruction ID: fe1e1f4747da915ad8db1d790e82006e6f9ae1c4761d01480f138f003ae68374
Opcode Fuzzy Hash: 9757e75af8232627abeb9f8389a1c3797a9351f61d8f1bccc733d4b1246574e8
Instruction Fuzzy Hash: 51316131718B8182E760CF25E88866A73A4FB94B99F504231DEDD83BA8DF7DD544C740

Function 00007FF6C20E8F60 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 239COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI ref: 00007FF6C20E8FAC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20E92F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20E92F7

Strings

%s%s %d %d , xrefs: 00007FF6C20E909F
%s%s %d*%d , xrefs: 00007FF6C20E91F4

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateFactory
String ID: %s%s %d %d $%s%s %d*%d
API String ID: 2331002265-1924168580
Opcode ID: a5ae18454dd4e952492b121e68ba7776273e3bb709e69e407b14d655c7c09278
Instruction ID: c9b2238698f281cf2dbf1cdb5ec6578559efe1d98b5a15a20dab589e79f7affd
Opcode Fuzzy Hash: a5ae18454dd4e952492b121e68ba7776273e3bb709e69e407b14d655c7c09278
Instruction Fuzzy Hash: 78A18D32B04B8589EB10CF69D4442AE7761FB89BA8F554226EEDD97B98CF78D081C740

Function 00007FF6C2108BE0 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2108C0B
CreateThread.KERNEL32 ref: 00007FF6C2108C4C
GetLastError.KERNEL32 ref: 00007FF6C2108C5A
CloseHandle.KERNEL32 ref: 00007FF6C2108C70
FreeLibrary.KERNEL32 ref: 00007FF6C2108C7F

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 2bf2d8e4056023ef3a5b5264bbcf8491965b7124c54493676a6e58e8f064e49f
Instruction ID: dc1c24c823df4e37f107d36f26d6bed40a9f8f4f28ec6095480e53bfe61fff81
Opcode Fuzzy Hash: 2bf2d8e4056023ef3a5b5264bbcf8491965b7124c54493676a6e58e8f064e49f
Instruction Fuzzy Hash: 44215C25A0EB8285EA14DF66A4000B9A3A0BF88F99F094535DF8DC3F55DEBCE4508600

Function 00007FF6C20FC2D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF6C20FC379
DeviceIoControl.KERNEL32 ref: 00007FF6C20FC3C1

Strings

\\.\, xrefs: 00007FF6C20FC31E
L, xrefs: 00007FF6C20FC3A9

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ControlCreateDeviceFile
String ID: L$\\.\
API String ID: 107608037-1891537229
Opcode ID: a07068868a0198f375fdba6670056fd9ee1ad646044f5fd81988d03a78d23320
Instruction ID: fb1475347925c0438ae310189798218eb7e454b3ae251c89cfcfd81b4caea095
Opcode Fuzzy Hash: a07068868a0198f375fdba6670056fd9ee1ad646044f5fd81988d03a78d23320
Instruction Fuzzy Hash: 76319362A0978181E7508F11B49037A7B90EB85BE9F084235EFE987BC9DFBCD4058B04

Function 00007FF6C20E3E30 Relevance: 6.1, APIs: 4, Instructions: 120threadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6C20E3E51
send.WS2_32 ref: 00007FF6C20E3F43
send.WS2_32 ref: 00007FF6C20E3F90
GetCurrentThreadId.KERNEL32 ref: 00007FF6C20E3FBA

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CurrentThreadsend
String ID:
API String ID: 302076607-0
Opcode ID: 1d5fac0907bdd9d84bc34d83d8396e4accfe818cb4c73ff339665f4c5f5d32ef
Instruction ID: 8410d5ae56e32b2b068c338387f5275078b17ec7ba9618ba6bd01322b7495d47
Opcode Fuzzy Hash: 1d5fac0907bdd9d84bc34d83d8396e4accfe818cb4c73ff339665f4c5f5d32ef
Instruction Fuzzy Hash: 33515F22B04B4687E7149F25E54437AB7A0FB84B89F05803ACFD987B55DFB8E5928381

Function 00007FF6C20E37A0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF6C20E37DD
CancelIo.KERNEL32 ref: 00007FF6C20E37EA
closesocket.WS2_32 ref: 00007FF6C20E37FA
SetEvent.KERNEL32 ref: 00007FF6C20E3804

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 3e6bea74e94700dfcc8d9d47a61c466b5b5c0e1f507d80d6be11655914b66227
Instruction ID: d5348ebb37f3fbc41445aea39e290f3e6268f011f69350882819f57093e23b4a
Opcode Fuzzy Hash: 3e6bea74e94700dfcc8d9d47a61c466b5b5c0e1f507d80d6be11655914b66227
Instruction Fuzzy Hash: E9F06D3260478187E7148F25E55432AB330FB84B69F104335CBAC87BA4CF79D0A5C700

Function 00007FF6C20FC6E0 Relevance: 4.6, APIs: 3, Instructions: 79stringCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00007FF6C20FC723
DeviceIoControl.KERNEL32 ref: 00007FF6C20FC773

Part of subcall function 00007FF6C20FC640: WideCharToMultiByte.KERNEL32 ref: 00007FF6C20FC675
Part of subcall function 00007FF6C20FC640: WideCharToMultiByte.KERNEL32 ref: 00007FF6C20FC6B0

lstrcpyA.KERNEL32 ref: 00007FF6C20FC7F2

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ByteCharMultiWide$ControlDefaultDeviceLangSystemlstrcpy
String ID:
API String ID: 3058672631-0
Opcode ID: e8f6ede7849d36d52dc95aee6e98d13eba40ea345c343918e182da1ef7c32a74
Instruction ID: 4963874d369446ee22995b0a5a7e7a5f6954b75c18dc5d5da84afeefa7ca47fd
Opcode Fuzzy Hash: e8f6ede7849d36d52dc95aee6e98d13eba40ea345c343918e182da1ef7c32a74
Instruction Fuzzy Hash: D031CD21B0C78285EA20CF11A4442AAA7A1EB89BD5F154135EEDD87B85DF7DC4428B00

Function 00007FF6C20EC9B0 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C20E61E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF6C20E6231
Part of subcall function 00007FF6C20E61E0: GetLastError.KERNEL32 ref: 00007FF6C20E623B

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C20EC7D4), ref: 00007FF6C20EC9DA
GdiplusStartup.GDIPLUS ref: 00007FF6C20ECA0F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6C20EC7D4), ref: 00007FF6C20ECA27

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterErrorGdiplusInitializeLastLeaveStartup
String ID:
API String ID: 2723390537-0
Opcode ID: c1fce392dff7f0e0a1fd8d320c51b28cecfe9cf3d04554c50c1a4421144027e9
Instruction ID: f410e8c32365018ca74f182764139990a1fda8373ce09ea4aa3dff677c124310
Opcode Fuzzy Hash: c1fce392dff7f0e0a1fd8d320c51b28cecfe9cf3d04554c50c1a4421144027e9
Instruction Fuzzy Hash: ED014032A08B8586E7509F15E40436AB7E5F795B4AF491025EBCE83B54CF7CD495CB40

Function 00007FF6C2108B18 Relevance: 4.5, APIs: 3, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C210EE88: GetLastError.KERNEL32(?,?,0000975800AD59FC,00007FF6C2108DA5,?,?,?,?,00007FF6C21127E6,?,?,00000000,00007FF6C210A69B,?,?,?), ref: 00007FF6C210EE97
Part of subcall function 00007FF6C210EE88: SetLastError.KERNEL32(?,?,0000975800AD59FC,00007FF6C2108DA5,?,?,?,?,00007FF6C21127E6,?,?,00000000,00007FF6C210A69B,?,?,?), ref: 00007FF6C210EF37

CloseHandle.KERNEL32(?,?,?,00007FF6C2108CC5,?,?,?,?,00007FF6C2108B09), ref: 00007FF6C2108B53
FreeLibraryAndExitThread.KERNEL32(?,?,?,00007FF6C2108CC5,?,?,?,?,00007FF6C2108B09), ref: 00007FF6C2108B69
ExitThread.KERNEL32 ref: 00007FF6C2108B72

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: a30104ba4f4f868018fa850f0c9dce139a3884833968d360b0db499d9868783c
Instruction ID: 311a17699b370b0981fd3519177c504c5f2c966cd3cefd7930e1a4f482b60ccf
Opcode Fuzzy Hash: a30104ba4f4f868018fa850f0c9dce139a3884833968d360b0db499d9868783c
Instruction Fuzzy Hash: E0F03C61A08A8641EA64AF24D04427C6265AF40F7EF1D0735CFBCC2BE4DFB8D8558340

Function 00007FF6C20FC640 Relevance: 3.0, APIs: 2, Instructions: 47COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF6C20FC675
WideCharToMultiByte.KERNEL32 ref: 00007FF6C20FC6B0

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: bc16c43eea0ed280334d93034586a90535d51b13af79ee49b066fa01463f18a8
Instruction ID: 36601720316e490934925c0bc85bf44888d383b1952758f382115b4c57f81349
Opcode Fuzzy Hash: bc16c43eea0ed280334d93034586a90535d51b13af79ee49b066fa01463f18a8
Instruction Fuzzy Hash: 11115E32B08B8186A710DF26B84102A77A5BB84FE9B584239EFD983B94DF78E4518704

Function 00007FF6C20E3DA0 Relevance: 3.0, APIs: 2, Instructions: 41timeCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FF6C20E3DCD
timeGetTime.WINMM ref: 00007FF6C20E3DF1

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: a07444b426276808b022deff05d84a514b99e0a0f66664c5b3036afdf0babcf4
Instruction ID: ee71a7a14567f2014b0a81e687ed0874d49b8c6e6aeff276b55bd8ab314ca1dd
Opcode Fuzzy Hash: a07444b426276808b022deff05d84a514b99e0a0f66664c5b3036afdf0babcf4
Instruction Fuzzy Hash: B2016122B1864187E7644F24E18833D26A0FB44B49F451139DBDA86BD0CFBCD4E5C700

Function 00007FF6C2108AA8 Relevance: 3.0, APIs: 2, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6C2108AB6
ExitThread.KERNEL32 ref: 00007FF6C2108ABE

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 41641528019013f9ff929c92362d335c34901b889fac2650327ddb4de509bf94
Instruction ID: 69e8505fe17ecabf96cc6a218e91f2ce362dd68da7806f947c91a8a0ad1662b3
Opcode Fuzzy Hash: 41641528019013f9ff929c92362d335c34901b889fac2650327ddb4de509bf94
Instruction Fuzzy Hash: AEF06D21E1A68682EE14AF71D40907D1260AF64F6AF041434DF8DC7B96DEACE4918300

Function 00007FF6C20FDFB8 Relevance: 3.0, APIs: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20FDFE8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20FDFEE

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 27ce854fd7d12c0980c58eb44fd6b716ec2b61cb45cb586127daaf2819af3026
Instruction ID: 7caeb75034f27608c332bceeac12403b8ec4d35b87007195f2a38def497e0e8f
Opcode Fuzzy Hash: 27ce854fd7d12c0980c58eb44fd6b716ec2b61cb45cb586127daaf2819af3026
Instruction Fuzzy Hash: 24E0BF44F9D10B45F9186E66240687A01401F5477AF1B1B32DEFDC47D3ADDCA469C159

Function 00007FF6C210E95C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E972
GetLastError.KERNEL32(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E97C

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: a2b1b4d253dc9b48524949a201526306b0bcc39bf10aa9e0b1341fdbb23a067c
Instruction ID: fd5c9281d599b22ad3ebd1025452d4f9f95fa79e86123c206009dfd1fb29f3fe
Opcode Fuzzy Hash: a2b1b4d253dc9b48524949a201526306b0bcc39bf10aa9e0b1341fdbb23a067c
Instruction Fuzzy Hash: DEE08C10F1934342FF586FF6A84517826A1AF94F0AF005434CF8DC7B51DEBCA8A04310

Function 00007FF6C20E1730 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6C20E1796
VirtualFree.KERNELBASE ref: 00007FF6C20E17CA

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 17a02dcf2f47f10d7a08db77411b6b44ca6662cc7d290d042544fe107c4b0b33
Instruction ID: 6bfa94fb11ef675bfcc79a56336598d71eae54afa1f76e763a80706da70d50b3
Opcode Fuzzy Hash: 17a02dcf2f47f10d7a08db77411b6b44ca6662cc7d290d042544fe107c4b0b33
Instruction Fuzzy Hash: 72218121B18A4186D764CF2AF48012AB7B1FB88B84B148135EBDED3B19EE3CE5C18744

Function 00007FF6C20E1670 Relevance: 2.6, APIs: 2, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6C20E16C4
VirtualFree.KERNEL32 ref: 00007FF6C20E16FE

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 4c8156205564e744c18fa944b02d568327434d479cf77dfe2f9176b33a9ea29c
Instruction ID: d3d05d13d4d335b6c72d47967d9029ff588653183b20b98f34aa64da99909416
Opcode Fuzzy Hash: 4c8156205564e744c18fa944b02d568327434d479cf77dfe2f9176b33a9ea29c
Instruction Fuzzy Hash: 4A11D371B28A4182D7548F2AA440129A3A5EB98FC9B144132EE8ED3B58EE7CD9C1C780

Function 00007FF6C20FE0E0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C20FDD80: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6C20FDD94

__scrt_release_startup_lock.LIBCMT ref: 00007FF6C20FE177

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 2217363868-0
Opcode ID: df8c2cae6130cff53013dc258be4a77fac826802f49534194485c90f58f48bf0
Instruction ID: dbebe6031629d9c9f4460de6e4a70aef1d28a3c26ce0faf839a1d0c2c000d7b6
Opcode Fuzzy Hash: df8c2cae6130cff53013dc258be4a77fac826802f49534194485c90f58f48bf0
Instruction Fuzzy Hash: D6315922B8D24741FA54AF25D4113BA2291AF81B8EF550036EECDCB7E7DEACA4448745

Function 00007FF6C20E1000 Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF6C20E1022

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 2276b2cfde0ec166953e0ec75e850ce31f8cbc4b3846b0cdc97fb7f8133b5954
Instruction ID: 4a6d4d966b71bcdb6c5b7f77e71819a5e52df5f318c7a0d4b420dd47ff2e60e9
Opcode Fuzzy Hash: 2276b2cfde0ec166953e0ec75e850ce31f8cbc4b3846b0cdc97fb7f8133b5954
Instruction Fuzzy Hash: 52E04F39B05A45CAE6119F24D4490A47364FB68709F404132EACCC3B94DF7CD155CB00

Function 00007FF6C210F070 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6C21127CD,?,?,00000000,00007FF6C210A69B,?,?,?,00007FF6C210C873,?,?,?,00007FF6C210C769), ref: 00007FF6C210F0AE

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 016c47a342e12657c725cebeaa7b4028c5a2c41f1cbc7a3001cbfc12b323d78a
Instruction ID: 5bed41fa256146b9d2fab92d17d6725937311736381ece7ff19bea28ecb466dd
Opcode Fuzzy Hash: 016c47a342e12657c725cebeaa7b4028c5a2c41f1cbc7a3001cbfc12b323d78a
Instruction Fuzzy Hash: 26F08241B0D38641FE546F629A42A7522825FA4F6AF080730DFAEC6FC5DDACE4614211

Non-executed Functions

Function 00007FF6C20E9480 Relevance: 68.5, APIs: 29, Strings: 10, Instructions: 221libraryloaderinjectionCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF6C20E94F6
CreateProcessA.KERNEL32 ref: 00007FF6C20E9559
GetCurrentProcess.KERNEL32 ref: 00007FF6C20E9567
OpenProcessToken.ADVAPI32 ref: 00007FF6C20E957C
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6C20E959A
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6C20E95E2
OpenProcess.KERNEL32 ref: 00007FF6C20E95FB
LoadLibraryA.KERNEL32 ref: 00007FF6C20E9625
GetProcAddress.KERNEL32 ref: 00007FF6C20E9635
LoadLibraryA.KERNEL32 ref: 00007FF6C20E9646
GetProcAddress.KERNEL32 ref: 00007FF6C20E9656
LoadLibraryA.KERNEL32 ref: 00007FF6C20E9667
GetProcAddress.KERNEL32 ref: 00007FF6C20E9677
LoadLibraryA.KERNEL32 ref: 00007FF6C20E9688
GetProcAddress.KERNEL32 ref: 00007FF6C20E9698
GetCurrentProcess.KERNEL32 ref: 00007FF6C20E96A2
GetProcessId.KERNEL32 ref: 00007FF6C20E96AB
GetModuleFileNameA.KERNEL32 ref: 00007FF6C20E96DF
VirtualAllocEx.KERNEL32 ref: 00007FF6C20E9715
WriteProcessMemory.KERNEL32 ref: 00007FF6C20E973C
VirtualProtectEx.KERNEL32 ref: 00007FF6C20E976F
VirtualAllocEx.KERNEL32 ref: 00007FF6C20E978E
WriteProcessMemory.KERNEL32 ref: 00007FF6C20E97B8
VirtualProtectEx.KERNEL32 ref: 00007FF6C20E97E4
CreateRemoteThread.KERNEL32 ref: 00007FF6C20E9807
Sleep.KERNEL32 ref: 00007FF6C20E981A
VirtualProtectEx.KERNEL32 ref: 00007FF6C20E983E
VirtualProtectEx.KERNEL32 ref: 00007FF6C20E9862
ResumeThread.KERNEL32 ref: 00007FF6C20E986B

Strings

h, xrefs: 00007FF6C20E94DD
OpenProcess, xrefs: 00007FF6C20E962E
ExitProcess, xrefs: 00007FF6C20E964F
Windows\System32\svchost.exe, xrefs: 00007FF6C20E94FC
@, xrefs: 00007FF6C20E9777
WinExec, xrefs: 00007FF6C20E9670
%s%s, xrefs: 00007FF6C20E9511
Kernel32.dll, xrefs: 00007FF6C20E961E, 00007FF6C20E963B, 00007FF6C20E965C, 00007FF6C20E967D
WaitForSingleObject, xrefs: 00007FF6C20E9691
SeDebugPrivilege, xrefs: 00007FF6C20E9593

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Process$Virtual$AddressLibraryLoadProcProtect$AllocCreateCurrentMemoryOpenThreadTokenWrite$AdjustDirectoryFileLookupModuleNamePrivilegePrivilegesRemoteResumeSleepSystemValue
String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$SeDebugPrivilege$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
API String ID: 3040193174-4212407401
Opcode ID: 6fd3f4fde48d0361eb2d5c202ab323ad8a247f6fe0c7ba3ad29a459755052d7c
Instruction ID: d025c05fe1b8821b5efe1d18ced40483fc639c3a143f74a29821cf975c0c5566
Opcode Fuzzy Hash: 6fd3f4fde48d0361eb2d5c202ab323ad8a247f6fe0c7ba3ad29a459755052d7c
Instruction Fuzzy Hash: 69A14D72B08B8285EB25CF21E8143A923A4FB99B8DF404135DE8D97B64DFBCD285C740

Function 00007FF6C20EADB0 Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 286stringclipboardfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,00000000,00002514,00000000,00000000,00000000,00007FF6C20E7A51), ref: 00007FF6C20EAE08
GetTickCount.KERNEL32 ref: 00007FF6C20EAE0E
GetTickCount.KERNEL32 ref: 00007FF6C20EAE25
OpenClipboard.USER32 ref: 00007FF6C20EAE33
GetClipboardData.USER32 ref: 00007FF6C20EAE3E
GlobalSize.KERNEL32 ref: 00007FF6C20EAE53
GlobalLock.KERNEL32 ref: 00007FF6C20EAE63
wsprintfW.USER32 ref: 00007FF6C20EAECE
WaitForSingleObject.KERNEL32 ref: 00007FF6C20EAEE0
CreateFileW.KERNEL32 ref: 00007FF6C20EAF14
SetFilePointer.KERNEL32 ref: 00007FF6C20EAF3C
lstrlenW.KERNEL32 ref: 00007FF6C20EAF47
WriteFile.KERNEL32 ref: 00007FF6C20EAF6A
CloseHandle.KERNEL32 ref: 00007FF6C20EAF73
ReleaseMutex.KERNEL32 ref: 00007FF6C20EAF80
GlobalUnlock.KERNEL32 ref: 00007FF6C20EAF9B
CloseClipboard.USER32 ref: 00007FF6C20EAFA1
GetForegroundWindow.USER32 ref: 00007FF6C20EAFBB
GetWindowTextW.USER32 ref: 00007FF6C20EAFD8
lstrlenW.KERNEL32 ref: 00007FF6C20EB00E
GetLocalTime.KERNEL32 ref: 00007FF6C20EB021
wsprintfW.USER32 ref: 00007FF6C20EB074
GetKeyState.USER32 ref: 00007FF6C20EB153
lstrlenW.KERNEL32 ref: 00007FF6C20EB1A0
lstrlenW.KERNEL32 ref: 00007FF6C20EB1C1
wsprintfW.USER32 ref: 00007FF6C20EB211
wsprintfW.USER32 ref: 00007FF6C20EB22F
lstrlenW.KERNEL32 ref: 00007FF6C20EB2A7

Strings

%s%s, xrefs: 00007FF6C20EB21B
[, xrefs: 00007FF6C20EAEC2
%s%s, xrefs: 00007FF6C20EB24D
%s%s, xrefs: 00007FF6C20EB207
[esc], xrefs: 00007FF6C20EADFC
[, xrefs: 00007FF6C20EB05C

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrlen$wsprintf$ClipboardFileGlobal$CloseCountTickWindow$CreateDataForegroundHandleLocalLockMutexObjectOpenPointerReleaseSingleSizeSleepStateTextTimeUnlockWaitWrite
String ID: [$[$%s%s$%s%s$%s%s$[esc]
API String ID: 3669393114-972647286
Opcode ID: 0ba4a650500777e326fb2fa0ba1ce122045bb19d315cab67db3075d848846471
Instruction ID: 24786ec39e186c7e35c4447b0f9fb6325ce27342e9ec7130608e6ba218ec6eee
Opcode Fuzzy Hash: 0ba4a650500777e326fb2fa0ba1ce122045bb19d315cab67db3075d848846471
Instruction Fuzzy Hash: 22D15B25A0874282EB10DF55E8442B963A1FF95B4AF414136DFCEC2BA4DFBCE588C780

Function 00007FF6C20ED410 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 385stringtimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF6C20ED437
wsprintfW.USER32 ref: 00007FF6C20ED47F
lstrlenW.KERNEL32 ref: 00007FF6C20ED4C5
lstrlenW.KERNEL32 ref: 00007FF6C20ED4E6
lstrlenW.KERNEL32 ref: 00007FF6C20ED4F9
lstrlenW.KERNEL32 ref: 00007FF6C20ED58D
lstrlenW.KERNEL32 ref: 00007FF6C20ED5AC
lstrlenW.KERNEL32 ref: 00007FF6C20ED5BF
lstrlenW.KERNEL32 ref: 00007FF6C20ED649
lstrlenW.KERNEL32 ref: 00007FF6C20ED65C
CreateEventA.KERNEL32 ref: 00007FF6C20ED7AD

Strings

%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF6C20ED471
o1:, xrefs: 00007FF6C20ED5B5
t1:, xrefs: 00007FF6C20ED652
p1:, xrefs: 00007FF6C20ED4EF

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrlen$CreateEventLocalTimewsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
API String ID: 2157945651-1225219777
Opcode ID: 47fad789ab3af050acc245a7c8e2a4ba1bf5ebe93637114f82c187b4c691db7b
Instruction ID: 7d94e48316f86d0a3728443cc721ffbb812746ee51554d2e3de1806715d8cfe3
Opcode Fuzzy Hash: 47fad789ab3af050acc245a7c8e2a4ba1bf5ebe93637114f82c187b4c691db7b
Instruction Fuzzy Hash: BCF1D166B1469286EB209F25E8403BD23A4FB44B8EF414232DEDD97B95DFBCE581C340

Function 00007FF6C20E9900 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 118libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF6C20E9935
GetProcAddress.KERNEL32 ref: 00007FF6C20E9948
GetProcAddress.KERNEL32 ref: 00007FF6C20E9976
FreeLibrary.KERNEL32 ref: 00007FF6C20E99A7
CreateFileW.KERNEL32 ref: 00007FF6C20E99D4
GetProcAddress.KERNEL32 ref: 00007FF6C20E9A1C
WriteFile.KERNEL32 ref: 00007FF6C20E9A66
CloseHandle.KERNEL32 ref: 00007FF6C20E9A7E
Sleep.KERNEL32 ref: 00007FF6C20E9A91
GetProcAddress.KERNEL32 ref: 00007FF6C20E9AA1
FreeLibrary.KERNEL32 ref: 00007FF6C20E9ABC

Strings

InternetOpenW, xrefs: 00007FF6C20E993E
InternetCloseHandle, xrefs: 00007FF6C20E9A97
wininet.dll, xrefs: 00007FF6C20E9923
InternetOpenUrlW, xrefs: 00007FF6C20E996C
InternetReadFile, xrefs: 00007FF6C20E9A12
MSIE 6.0, xrefs: 00007FF6C20E9959

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2977986460-1099148085
Opcode ID: 067ce2f794736821cf202725aa30ed0aa3c92a2ab4f8812fc9fc05c1c4d827d7
Instruction ID: 8204fcd367c26a11a2938d16b471214005ba196ce633cde88fea386245874170
Opcode Fuzzy Hash: 067ce2f794736821cf202725aa30ed0aa3c92a2ab4f8812fc9fc05c1c4d827d7
Instruction Fuzzy Hash: 2B41B265709B4282EA24DF11E40477A67A0FF89B9AF484131DEDE87B54DFBCD184CB80

Function 00007FF6C20F0DA0 Relevance: 27.3, APIs: 18, Instructions: 322clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C20FD26C: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20FD289
Part of subcall function 00007FF6C20FD26C: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF6C20FD2AC
Part of subcall function 00007FF6C20FD26C: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20FD341

Part of subcall function 00007FF6C20F15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20F15B9
Part of subcall function 00007FF6C20F15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20F15DE
Part of subcall function 00007FF6C20F15A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20F1608
Part of subcall function 00007FF6C20F15A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20F16A2
Part of subcall function 00007FF6C20F15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20F16B2
Part of subcall function 00007FF6C20F15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20F16D7
Part of subcall function 00007FF6C20F15A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20F1701

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F0FE2
lstrlenW.KERNEL32 ref: 00007FF6C20F1005
Sleep.KERNEL32 ref: 00007FF6C20F1065
OpenClipboard.USER32 ref: 00007FF6C20F107B
GetClipboardData.USER32 ref: 00007FF6C20F108A
GlobalLock.KERNEL32 ref: 00007FF6C20F109B
GlobalUnlock.KERNEL32 ref: 00007FF6C20F10B6
CloseClipboard.USER32 ref: 00007FF6C20F10BC
CloseClipboard.USER32 ref: 00007FF6C20F10D8
OpenClipboard.USER32 ref: 00007FF6C20F1100
EmptyClipboard.USER32 ref: 00007FF6C20F110A
GlobalAlloc.KERNEL32 ref: 00007FF6C20F1122
GlobalLock.KERNEL32 ref: 00007FF6C20F1133
GlobalUnlock.KERNEL32 ref: 00007FF6C20F115D
SetClipboardData.USER32 ref: 00007FF6C20F116B
CloseClipboard.USER32 ref: 00007FF6C20F1171
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F11FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F1204

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Lockitstd::_$Clipboard$GlobalLockit::_$Lockit::~_$Close_invalid_parameter_noinfo_noreturn$DataLockOpenUnlock$AllocEmptySetgloballocaleSleeplstrlenstd::locale::_
String ID:
API String ID: 1851032462-0
Opcode ID: aabcae955cac2af6ba832851c4318358007fcfe9d1e2923aa11ce886c13c8c26
Instruction ID: faf764cbccfb2fe753ad92429ef618519dc3a9ebfa9c450d6ba0baa5a8dbcc7c
Opcode Fuzzy Hash: aabcae955cac2af6ba832851c4318358007fcfe9d1e2923aa11ce886c13c8c26
Instruction Fuzzy Hash: A7D1C172B49B8282EB109F65E4442AE6361FF84B99F014136EE9D83BD9DFBCE444C744

Function 00007FF6C20ECD40 Relevance: 26.7, APIs: 7, Strings: 8, Instructions: 406threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF6C20ECF12
CreateProcessA.KERNEL32 ref: 00007FF6C20ECF6E
VirtualAllocEx.KERNEL32 ref: 00007FF6C20ECF97
WriteProcessMemory.KERNEL32 ref: 00007FF6C20ECFBC
GetThreadContext.KERNEL32 ref: 00007FF6C20ECFE0
SetThreadContext.KERNEL32 ref: 00007FF6C20ED001
ResumeThread.KERNEL32 ref: 00007FF6C20ED014

Strings

plugmark, xrefs: 00007FF6C20ECE43
3b6311a8-7ec5-474e-9db0-a86adda60c45, xrefs: 00007FF6C20ED262
%s %s, xrefs: 00007FF6C20ED05B, 00007FF6C20ED1EF, 00007FF6C20ED2D3, 00007FF6C20ED369
Windows\System32\svchost.exe, xrefs: 00007FF6C20ECF18
%s%s, xrefs: 00007FF6C20ECF27
nlyloadinmyself, xrefs: 00007FF6C20ECD94
h, xrefs: 00007FF6C20ECEE6
@, xrefs: 00007FF6C20ECF8A

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s %s$%s%s$3b6311a8-7ec5-474e-9db0-a86adda60c45$@$Windows\System32\svchost.exe$h$nlyloadinmyself$plugmark
API String ID: 4033188109-2318592918
Opcode ID: dd76dec3fe357dc3d491a64959cfce8b3d3ceb37c461736123a1101bb35bc249
Instruction ID: ea697b4cba084c09656dccaaecc6a3e1f3461efef724fa9828b770e7b9f56ab1
Opcode Fuzzy Hash: dd76dec3fe357dc3d491a64959cfce8b3d3ceb37c461736123a1101bb35bc249
Instruction Fuzzy Hash: C112A066B18A8282EB20CF25D4442BD67A1FB98B49F458136DFCD87B95DFBCE185C340

Function 00007FF6C20EE3E9 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 64shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6C20EE3E9
OpenProcessToken.ADVAPI32 ref: 00007FF6C20EE3FE
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6C20EE426
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6C20EE44A
GetLastError.KERNEL32 ref: 00007FF6C20EE450
CloseHandle.KERNEL32 ref: 00007FF6C20EE45D
ExitWindowsEx.USER32 ref: 00007FF6C20EE56F
GetCurrentProcess.KERNEL32 ref: 00007FF6C20EE575
OpenProcessToken.ADVAPI32 ref: 00007FF6C20EE58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6C20EE5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6C20EE5D6
GetLastError.KERNEL32 ref: 00007FF6C20EE5DC
CloseHandle.KERNEL32 ref: 00007FF6C20EE5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF6C20EE415, 00007FF6C20EE5A5

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: 40da0a47c9c7c1cc3a1aa31b778f4d13c03be2ed2b90204a7f89449c4a5765b5
Instruction ID: cf6be719504b6682b9ca070539412be5c85568834aa5f6dd25318e1a520fb956
Opcode Fuzzy Hash: 40da0a47c9c7c1cc3a1aa31b778f4d13c03be2ed2b90204a7f89449c4a5765b5
Instruction Fuzzy Hash: 01313C75A08B8686E720CF24E8143AA6361FB94B5BF104036DE8DD2B64CFBCD1C9C740

Function 00007FF6C20FA680 Relevance: 25.8, APIs: 17, Instructions: 347memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA6C5
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA74A
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA79F
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA7BE
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA821
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA842
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA856
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA873
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA88F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA8AC
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FAB92

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$Alloc$ErrorLast$FreeHeap$InfoNativeProcessSystem
String ID:
API String ID: 1282860858-0
Opcode ID: 4d973c66754e088e73cc59f97826ef657113e5d729d23b3f6b76df67dc1bbb1c
Instruction ID: 82c64f378c18bc360761b38ebf30b67d7626862508cd2994f56937ce7093010d
Opcode Fuzzy Hash: 4d973c66754e088e73cc59f97826ef657113e5d729d23b3f6b76df67dc1bbb1c
Instruction Fuzzy Hash: 16D19431B5964286EB60CF1AE45177A73A5FF58B8AF064036CE8DC7B80EEBCE4458354

Function 00007FF6C20EE46D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 62shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6C20EE46D
OpenProcessToken.ADVAPI32 ref: 00007FF6C20EE482
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6C20EE4AA
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6C20EE4CE
GetLastError.KERNEL32 ref: 00007FF6C20EE4D4
CloseHandle.KERNEL32 ref: 00007FF6C20EE4E1
ExitWindowsEx.USER32 ref: 00007FF6C20EE56F
GetCurrentProcess.KERNEL32 ref: 00007FF6C20EE575
OpenProcessToken.ADVAPI32 ref: 00007FF6C20EE58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6C20EE5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6C20EE5D6
GetLastError.KERNEL32 ref: 00007FF6C20EE5DC
CloseHandle.KERNEL32 ref: 00007FF6C20EE5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF6C20EE499, 00007FF6C20EE5A5

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: a792fc21bd502bb1f53feba3e0ea592908ea8fd6b5dd88df7bff687d3cdc374e
Instruction ID: 4600a640b324ad37edbc2bd0e479e25e75617b423707718103ea4eeb35c46790
Opcode Fuzzy Hash: a792fc21bd502bb1f53feba3e0ea592908ea8fd6b5dd88df7bff687d3cdc374e
Instruction Fuzzy Hash: 5B312D75A08B8686E720CF25E8143AA6361FB94B5BF504036DE8DD6B64CFBDD1C9C740

Function 00007FF6C20EE4EE Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 61shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6C20EE4EE
OpenProcessToken.ADVAPI32 ref: 00007FF6C20EE503
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6C20EE52B
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6C20EE54F
GetLastError.KERNEL32 ref: 00007FF6C20EE555
CloseHandle.KERNEL32 ref: 00007FF6C20EE562
ExitWindowsEx.USER32 ref: 00007FF6C20EE56F
GetCurrentProcess.KERNEL32 ref: 00007FF6C20EE575
OpenProcessToken.ADVAPI32 ref: 00007FF6C20EE58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6C20EE5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6C20EE5D6
GetLastError.KERNEL32 ref: 00007FF6C20EE5DC
CloseHandle.KERNEL32 ref: 00007FF6C20EE5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF6C20EE51A, 00007FF6C20EE5A5

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: c4512c4a51b1fe7d902806900a56825f16f8507878c75a96d79f3f5efe7084bf
Instruction ID: c32d9919457c1356b050154bece528a753d04223db7c51c9b96db70f2852201a
Opcode Fuzzy Hash: c4512c4a51b1fe7d902806900a56825f16f8507878c75a96d79f3f5efe7084bf
Instruction Fuzzy Hash: 3A310D75608F8685E720CF25E8143AA6361FB94B5BF504036DE8DD6B64CFBDD18AC740

Function 00007FF6C2118824 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6C2118872
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2118EDE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2119054
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2119312
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2119532
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C211976F
memcpy_s.LIBCPMT ref: 00007FF6C211984A
memcpy_s.LIBCPMT ref: 00007FF6C21198F5
memcpy_s.LIBCPMT ref: 00007FF6C21199C4

Strings

1#QNAN, xrefs: 00007FF6C211898B
1#INF, xrefs: 00007FF6C211899B
1#SNAN, xrefs: 00007FF6C2118982
1#IND, xrefs: 00007FF6C211895F

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 8a8cdf450ad9da4e3e91848c83b2fc9670f44cdb81e1e9276785e569651f6bed
Instruction ID: c4f5ab80ee1e5152d395c27b2decdeb2a3dec479011c1683fecc9b98166abc5c
Opcode Fuzzy Hash: 8a8cdf450ad9da4e3e91848c83b2fc9670f44cdb81e1e9276785e569651f6bed
Instruction Fuzzy Hash: 7DB2C072A182828AE724CE64D4407FD37A1FB64B89F505135DF59D7F88DFB8EA808B40

Function 00007FF6C20F0880 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6C20F08F0
RegQueryValueExW.ADVAPI32 ref: 00007FF6C20F096F
lstrcpyW.KERNEL32 ref: 00007FF6C20F0AF2
RegCloseKey.ADVAPI32 ref: 00007FF6C20F0B04
RegCloseKey.ADVAPI32 ref: 00007FF6C20F0B12

Strings

%08X, xrefs: 00007FF6C20F0A8D

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcpy
String ID: %08X
API String ID: 2032971926-3773563069
Opcode ID: 32c954eb57fda164b81f0150aeb248f5c32c45763a12c98c87c6a1606aaef6c8
Instruction ID: d9856d5aecaff20aec7400914aeb5ec6fb31383e14896265564c52b55cbedbf1
Opcode Fuzzy Hash: 32c954eb57fda164b81f0150aeb248f5c32c45763a12c98c87c6a1606aaef6c8
Instruction Fuzzy Hash: 12512A72648A8281E670CF25E4443ABA3A1FB95B59F804136DBDD83BA8DF7CD544CB08

Function 00007FF6C211797C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6C210ED10: GetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED1F
Part of subcall function 00007FF6C210ED10: FlsGetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED34
Part of subcall function 00007FF6C210ED10: SetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDBF

TranslateName.LIBCMT ref: 00007FF6C21179E6
TranslateName.LIBCMT ref: 00007FF6C2117A21
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF6C210D778), ref: 00007FF6C2117A68
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF6C210D778), ref: 00007FF6C2117AA0
GetLocaleInfoW.KERNEL32 ref: 00007FF6C2117C5D

Strings

utf8, xrefs: 00007FF6C2117B84

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: ed249922890c5a667d77dbf9e0f0f5ff4edc5bc12cc14daec0a02a097362d650
Instruction ID: b9ea34ec605ec3fb82722d7124d884174a898c22c1b65a9e98042601776c5950
Opcode Fuzzy Hash: ed249922890c5a667d77dbf9e0f0f5ff4edc5bc12cc14daec0a02a097362d650
Instruction Fuzzy Hash: 26917F32A0874285EB24AF21E9412B923A5EB64F8AF444531DF8DC7BC5DFBDE592C740

Function 00007FF6C21183C4 Relevance: 10.7, APIs: 7, Instructions: 172COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6C210ED10: GetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED1F
Part of subcall function 00007FF6C210ED10: FlsGetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED34
Part of subcall function 00007FF6C210ED10: SetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDBF

Part of subcall function 00007FF6C210ED10: FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED55

GetUserDefaultLCID.KERNEL32(00000000,00000092,?,?), ref: 00007FF6C2118534

Part of subcall function 00007FF6C210ED10: FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED82
Part of subcall function 00007FF6C210ED10: FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED93
Part of subcall function 00007FF6C210ED10: FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDA4

EnumSystemLocalesW.KERNEL32(00000000,00000092,?,?,00000000,?,?,00007FF6C210D771), ref: 00007FF6C211851B
ProcessCodePage.LIBCMT ref: 00007FF6C211855E
IsValidCodePage.KERNEL32 ref: 00007FF6C2118570
IsValidLocale.KERNEL32 ref: 00007FF6C2118586
GetLocaleInfoW.KERNEL32 ref: 00007FF6C21185E2
GetLocaleInfoW.KERNEL32 ref: 00007FF6C21185FE

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 22d8bcddac7133f8b6f7a06d5e5334a0f8ea8210c2b9d064d69f21135d6cdb9b
Instruction ID: 61a3cc88c36cfba89462c10196c93e40166d3481fdada96cae7b19ebabf08644
Opcode Fuzzy Hash: 22d8bcddac7133f8b6f7a06d5e5334a0f8ea8210c2b9d064d69f21135d6cdb9b
Instruction Fuzzy Hash: 4C715662B1860299FB609F64D8512F932A1BF64B4AF458135CF8DC3B95EFBCE485C350

Function 00007FF6C20FE66C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6C20FE688
RtlCaptureContext.KERNEL32 ref: 00007FF6C20FE6B5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6C20FE6CF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6C20FE710
IsDebuggerPresent.KERNEL32 ref: 00007FF6C20FE764
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C20FE781
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6C20FE78C

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 045e81cc47e066d153aaaf5b50bd9fe289779446efb159575806e036ae1ed661
Instruction ID: 0e2509aab06ff181beb724fdfdf1114b9cc1aa50e07744dc527dfa0f2b1dd6c6
Opcode Fuzzy Hash: 045e81cc47e066d153aaaf5b50bd9fe289779446efb159575806e036ae1ed661
Instruction Fuzzy Hash: DE312C72618B8186EB608F60E8407EE7364FB94B49F44403ADB8E87B95EF7CD648C714

Function 00007FF6C20EE36A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 00007FF6C20EE397
ClearEventLogW.ADVAPI32 ref: 00007FF6C20EE3AA
CloseEventLog.ADVAPI32 ref: 00007FF6C20EE3B3

Strings

Application, xrefs: 00007FF6C20EE36A
Security, xrefs: 00007FF6C20EE376
System, xrefs: 00007FF6C20EE382

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 1bb91c5c2b3888595093d95bda04c9b415b5dc93057c8244563c58f3f028a90d
Instruction ID: 0e84a36bfa796ba9cce9aa3dd27395707024aa9e7620bc5832fe1ca9391ca84d
Opcode Fuzzy Hash: 1bb91c5c2b3888595093d95bda04c9b415b5dc93057c8244563c58f3f028a90d
Instruction Fuzzy Hash: 38F03126A0DF4681EA15CF15F444266A3A5FF89B6AF041036DECDC2B64EEBCD1E68700

Function 00007FF6C2103D0C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6C2103D85
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6C2103D9D
RtlVirtualUnwind.KERNEL32 ref: 00007FF6C2103DD8
IsDebuggerPresent.KERNEL32 ref: 00007FF6C2103E11
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6C2103E1B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6C2103E26

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: fa8f028e9fcd13a2b73484911b7de9c78ca1ddcb2e97266c57a75bc76a24fdd2
Instruction ID: f862f38ca93e8a29cc6b0302f6f35d4456f8111413e197aa5112433d3f9acfcf
Opcode Fuzzy Hash: fa8f028e9fcd13a2b73484911b7de9c78ca1ddcb2e97266c57a75bc76a24fdd2
Instruction Fuzzy Hash: 36317E32618B8186DB60CF25E8842AE73A4FB98B59F540136EF8D87B95DF7CC555CB00

Function 00007FF6C2114190 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C21141DC
FindFirstFileExW.KERNEL32 ref: 00007FF6C21142E6

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 68b5c0f69695cefe4d2b1cac7d4572eefde3aab897b1af24f4d9a3b1cd0a2181
Instruction ID: cb234b2cf140f11bc77eb116b5884a4cafe45e25726d7355f25c0e7f901398ac
Opcode Fuzzy Hash: 68b5c0f69695cefe4d2b1cac7d4572eefde3aab897b1af24f4d9a3b1cd0a2181
Instruction Fuzzy Hash: C0B18326B1869241EA619F23E4146BA6391EB64FD9F445131EF9EC7F85EEFCE4818300

Function 00007FF6C20FC82C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6C20FC88D
IsDebuggerPresent.KERNEL32 ref: 00007FF6C20FC8A5
OutputDebugStringW.KERNEL32 ref: 00007FF6C20FC8B6

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF6C20FC8AF

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 6ee909605b01ed677f0d258b83eb54f87cb27d04152a024ec70f484db7e8edcc
Instruction ID: 3bcc7c650c0f3c3eeb19ba200277a0b63ac2157a5ebbe3844355c7e5c70cd60e
Opcode Fuzzy Hash: 6ee909605b01ed677f0d258b83eb54f87cb27d04152a024ec70f484db7e8edcc
Instruction Fuzzy Hash: DA112832A14B4296F704DF26E6453B932A1FB5474AF404135CB8DC2EA0EFBCE4A5C750

Function 00007FF6C210B5F0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6C210B656
memcpy_s.LIBCPMT ref: 00007FF6C210B681

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction ID: 0ca8c1b122a76303ef65bb35a3a8b50afd6a3bbe3f1d4f2425eb8d811be31c21
Opcode Fuzzy Hash: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction Fuzzy Hash: DFC1E572B186CA87E724CF16A04466AB791F784B89F448135DF8AC3B94DF7DEA11CB40

Function 00007FF6C2117E40 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C210ED10: GetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED1F
Part of subcall function 00007FF6C210ED10: FlsGetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED34
Part of subcall function 00007FF6C210ED10: SetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDBF

Part of subcall function 00007FF6C210ED10: FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED55

GetLocaleInfoW.KERNEL32 ref: 00007FF6C2117EAC

Part of subcall function 00007FF6C2113FCC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2113FE9

GetLocaleInfoW.KERNEL32 ref: 00007FF6C2117EF5

Part of subcall function 00007FF6C2113FCC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2114042

GetLocaleInfoW.KERNEL32 ref: 00007FF6C2117FBD

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 47a608bb907d4de4290f427b339ca80dcd83f241fa12a378f23bb4634d50531a
Instruction ID: 45aa820644556c9effb340f906338ebf27269ebb6224ffde04a0519ec4fa782d
Opcode Fuzzy Hash: 47a608bb907d4de4290f427b339ca80dcd83f241fa12a378f23bb4634d50531a
Instruction Fuzzy Hash: 6B617C32A0854386EB248F25D5502BA73A1EB64B4AF058235DFDDD3B95DFBCE591C700

Function 00007FF6C2110FB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF6C210D94A), ref: 00007FF6C2111024

Strings

GetLocaleInfoEx, xrefs: 00007FF6C2110FCC, 00007FF6C2110FDD

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 3b61ae466ef5758e0e9e9450f631c2e40b05ac649b5573246797acb4bca5b173
Instruction ID: 8af925f862be06391e55ad0c5f9494863b1ef0fb7c71ab0e34ac2bb234e11867
Opcode Fuzzy Hash: 3b61ae466ef5758e0e9e9450f631c2e40b05ac649b5573246797acb4bca5b173
Instruction Fuzzy Hash: F101DF64B08A8185EB008F5AB4001A6A260AB94FD9F584031EF8DC3F59CEBCD9818340

Function 00007FF6C2113A00 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6C2113C4F
RaiseException.KERNEL32 ref: 00007FF6C2113C60

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 122b1925bd55db41e804c5b079ebde0f01de1123b2666aa23313b6dae26d6c44
Instruction ID: 79d86ceb0de51c29d253d3f37852aedefc3a362d0c6eff24331f40071e70eeeb
Opcode Fuzzy Hash: 122b1925bd55db41e804c5b079ebde0f01de1123b2666aa23313b6dae26d6c44
Instruction Fuzzy Hash: 52B13777604B898AEB158F29C8463687BA0F794F49F148922DF9DC7BA8CF79D491C700

Function 00007FF6C21075E0 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6C210774E
, xrefs: 00007FF6C2107990

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 551e646fd59d23c1ee018d61c48a67f2a52f50f5278fc9195615cae8faf456cd
Instruction ID: 8349aabc475e11705383a923d0af21986e6139840171a3a0c814a28b1135bf0b
Opcode Fuzzy Hash: 551e646fd59d23c1ee018d61c48a67f2a52f50f5278fc9195615cae8faf456cd
Instruction Fuzzy Hash: 00E19236A0868681EB688E29805453D3BA0FF45F9DF145235DF8EC7B94DFA9E863C740

Function 00007FF6C210F950 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

gfff, xrefs: 00007FF6C210FADA
e+000, xrefs: 00007FF6C210FA5D

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: a347cb712251c494c0ac76841d0ca458a250c6be9a7c463d0ead6691c264c289
Instruction ID: 2b839eecd4f6bfebadd551367e6bec2da8d2a38856a296aa50d1386ad06c8a6e
Opcode Fuzzy Hash: a347cb712251c494c0ac76841d0ca458a250c6be9a7c463d0ead6691c264c289
Instruction Fuzzy Hash: B1514762B182C586E7248E36A901769BB91E744F99F48C231DFD8CBFD5CEBDD0548700

Function 00007FF6C210A798 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF6C210A8E0

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 773e53d09e5455f04dc57cd524f4ca394a315c5928bf5f5768ba6214c405212f
Instruction ID: 5fd3cbaaa44ebff6de336aa74cc90bcdc5e5666cc1c6dfda5314b9ec02438688
Opcode Fuzzy Hash: 773e53d09e5455f04dc57cd524f4ca394a315c5928bf5f5768ba6214c405212f
Instruction Fuzzy Hash: 68127922A08BC186E751CF2994542F973A4FB58B49F059236EFDCC6B92EF79E190C300

Function 00007FF6C2115FD4 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22158b38decd8d90c74f2f99d25a665006446744f2e1b5a41cef00b0dd0ad41
Instruction ID: 0815f0dfb47ea9093ccaa729ea525a8701adffca0cdc9677b6c8cc3b643179b7
Opcode Fuzzy Hash: e22158b38decd8d90c74f2f99d25a665006446744f2e1b5a41cef00b0dd0ad41
Instruction Fuzzy Hash: 81E12D32A04B9586E720DF61E4412EE77A4FB64B89F404636DF9D93B56EFB8D285C300

Function 00007FF6C20E2E50 Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 00007FF6C20E3450, 00007FF6C20E35BB

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: 4874844c38418d14ede67d35d8ec1f57646d452b183219fb2a06a3d7a21df842
Instruction ID: 5eabc7e720e03b08d3d26d0a789a9d034be7a228d0d4eba04cca5440f83df8cc
Opcode Fuzzy Hash: 4874844c38418d14ede67d35d8ec1f57646d452b183219fb2a06a3d7a21df842
Instruction Fuzzy Hash: FE428C736092C58BC328CF28D44066E7FA0F755B48F44812ADBCA87B46DB78E995CB91

Function 00007FF6C2118088 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C210ED10: GetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED1F
Part of subcall function 00007FF6C210ED10: FlsGetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED34
Part of subcall function 00007FF6C210ED10: SetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDBF

Part of subcall function 00007FF6C210ED10: FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED55

GetLocaleInfoW.KERNEL32 ref: 00007FF6C21180F0

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: fd4313f3ed39529f0e214070d5eb9b22141959494d17c08f529f82dcba2f0cc7
Instruction ID: 3bb657831c529eee74f06881ad383656038d838f9b9ba21863f0b72eb2bfeaf7
Opcode Fuzzy Hash: fd4313f3ed39529f0e214070d5eb9b22141959494d17c08f529f82dcba2f0cc7
Instruction Fuzzy Hash: 99315E32B086828AFB248F21D4417AA72A1FB54B89F558535DFCDC3B85DFBCE4918700

Function 00007FF6C2117CD8 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6C210ED10: GetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED1F
Part of subcall function 00007FF6C210ED10: FlsGetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED34
Part of subcall function 00007FF6C210ED10: SetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDBF

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6C21184C7,00000000,00000092,?,?,00000000,?,?,00007FF6C210D771), ref: 00007FF6C2117D76

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 15ac7d5427dd9fc22c9c1f247fbd5354b0666d540418ec543f069a2b87512e20
Instruction ID: 024a940d52b596484f4e2a0b4bc0bc06de48c1bf0dc394b48c7625b218b83222
Opcode Fuzzy Hash: 15ac7d5427dd9fc22c9c1f247fbd5354b0666d540418ec543f069a2b87512e20
Instruction Fuzzy Hash: 66112763A086458AEF108F15D0802B877A1FB60FA5F548131DBA9C37C0DFB9D6D2C700

Function 00007FF6C2118290 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C210ED10: GetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED1F
Part of subcall function 00007FF6C210ED10: FlsGetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED34
Part of subcall function 00007FF6C210ED10: SetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDBF

GetLocaleInfoW.KERNEL32(?,?,?,00007FF6C211803A), ref: 00007FF6C21182C7

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 02c8055d8d650acd3e8a74c68ff88f338c75fb4c0e3c19cf7d436b4e0503b1ee
Instruction ID: b09b6c72a2508869832ce7f43444df3ad26887a8211fdfc6e45949e45d52e974
Opcode Fuzzy Hash: 02c8055d8d650acd3e8a74c68ff88f338c75fb4c0e3c19cf7d436b4e0503b1ee
Instruction Fuzzy Hash: DE11C831B2855283F7648E25A0406BF6261EB64B69F59C631DFADC7BC4EEB9D8C18700

Function 00007FF6C2117DA8 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6C210ED10: GetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED1F
Part of subcall function 00007FF6C210ED10: FlsGetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED34
Part of subcall function 00007FF6C210ED10: SetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDBF

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6C2118483,00000000,00000092,?,?,00000000,?,?,00007FF6C210D771), ref: 00007FF6C2117E26

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 5727eb7e919169bab7f3b731904feba02bf0749f82d0e8f83876c19ff70cc26c
Instruction ID: ae8857caa60f2972e106c45177c916a74f6cb79a422694a3e870f6c1282d8d69
Opcode Fuzzy Hash: 5727eb7e919169bab7f3b731904feba02bf0749f82d0e8f83876c19ff70cc26c
Instruction Fuzzy Hash: 8F01D262F0828546EB204F15E4407B976E1EB60FAAF558231DBA8C7BC4CFB8D8C28700

Function 00007FF6C2110AD8 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF6C2110F7F,?,?,?,?,?,?,?,?,00000000,00007FF6C2117328), ref: 00007FF6C2110B27

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 0f058bcf8847595df1816a53f4d47a97cac47f7a866e7bb19b671d0c18a11263
Instruction ID: 6701fff515d39680ef9a75c428265de3b48601851d470ef03ad9703b8350da17
Opcode Fuzzy Hash: 0f058bcf8847595df1816a53f4d47a97cac47f7a866e7bb19b671d0c18a11263
Instruction Fuzzy Hash: 2AF01972B08B4183E604DF15E8906AA6366FB99F85F548036EF8DD7B65CEBCD4A0C740

Function 00007FF6C210F4BC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6C210F7FE

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 91511e75055787009b36da5e0b5904dd2b35cdbec92fe664924b5d59d9c2ed42
Instruction ID: 3b70ba9eb853a048be071d05148369bd8cf2cf3529bd8fd045799aa3a9dd7a52
Opcode Fuzzy Hash: 91511e75055787009b36da5e0b5904dd2b35cdbec92fe664924b5d59d9c2ed42
Instruction Fuzzy Hash: 31A14563A087C686EB21CF29A1017A97B91EB50F88F058132DF8DC7B95DE7DE516C701

Function 00007FF6C210684C Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6C2106A2E

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5fb6afdc90124b9ccfbc1fc7428f51e6266c183c57cc2358b46b47bb293d3794
Instruction ID: 8988cf1c28ceebc4a7c39dd40850a021a4636cd56e0ce619090b7346ee67fa8b
Opcode Fuzzy Hash: 5fb6afdc90124b9ccfbc1fc7428f51e6266c183c57cc2358b46b47bb293d3794
Instruction Fuzzy Hash: 29B159B2A086C689EB648F29805023C3BA0E749F4DF285136DF8EC7B95CFB9D461C705

Function 00007FF6C21129E4 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6C2112A89

Part of subcall function 00007FF6C2110A28: HeapAlloc.KERNEL32(?,?,00000000,00007FF6C210EEEA,?,?,0000975800AD59FC,00007FF6C2108DA5,?,?,?,?,00007FF6C21127E6,?,?,00000000), ref: 00007FF6C2110A7D

Part of subcall function 00007FF6C210E95C: RtlFreeHeap.NTDLL(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E972
Part of subcall function 00007FF6C210E95C: GetLastError.KERNEL32(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E97C

Part of subcall function 00007FF6C211A24C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C211A27F

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: 211458dcc4182629a49dfa16bd233c2fd01fa5b79e8a7313d1c8d1c4e015e553
Instruction ID: d91c001ef46746c7448522fd685ae59ee7f3612e1a662191a741da9f9bb501ef
Opcode Fuzzy Hash: 211458dcc4182629a49dfa16bd233c2fd01fa5b79e8a7313d1c8d1c4e015e553
Instruction Fuzzy Hash: 6541A221B096A341FA705E26745167AA6A0BFA5F8AF444535EFCDC7FC5EEBCE4808600

Function 00007FF6C20F9330 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction ID: 3bb79c61b73e213a80e73269346f2dd72438fedb2b6e91c8894266fc4bd4754c
Opcode Fuzzy Hash: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction Fuzzy Hash: 3F22CEB7B3805047D36DCB1DEC52FA97692B7A5348748A02CBA07C3F45EA3DEA458A44

Function 00007FF6C20F79D0 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction ID: 4f175223612d133407d974edc293dd9997d5cc33747b4566023f255cbcdc215b
Opcode Fuzzy Hash: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction Fuzzy Hash: 9FC10F73B0869187DB09CF52E94056A77A2B7C8BD5B56C135CE8A47B88DE3CD801CB00

Function 00007FF6C21071DC Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5dc7f97a53f24eb071f4a4c5281cd4cfcae3ea760a8a1df74637965631acf6
Instruction ID: f149e68e35a2fbc7e6e54de33c0a96fe108c58f86f66c0bc169478c49a7ca598
Opcode Fuzzy Hash: 3e5dc7f97a53f24eb071f4a4c5281cd4cfcae3ea760a8a1df74637965631acf6
Instruction Fuzzy Hash: 19D1B522A0868686FB688E29845027E2BA0FB05F4DF145135DF8DC7BD5DFB9E863C740

Function 00007FF6C210D5C0 Relevance: .3, Instructions: 310COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: 21e64ea7c375e93a6d3691ec49e9bdd76ef4fc5f4d0d1dcdba5dc2295bd766ac
Instruction ID: 18ed8e43bebfe4975a5f3c2e0aae2fa3728e1ad549dcbd0a5bf45d2157320616
Opcode Fuzzy Hash: 21e64ea7c375e93a6d3691ec49e9bdd76ef4fc5f4d0d1dcdba5dc2295bd766ac
Instruction Fuzzy Hash: BFC1932AA186C285EB609F6295107BA67A0FB94F8DF404036EFCDC7B89DEBCD555C700

Function 00007FF6C21173EC Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: d774b1686d68766547d9d0affe500116b26f703ac014ee2f743871d76f2ddb8c
Instruction ID: 9fe7d299f0e08ed88994b65959d05c858d5b76b4b733be87f643099a88fcc6ce
Opcode Fuzzy Hash: d774b1686d68766547d9d0affe500116b26f703ac014ee2f743871d76f2ddb8c
Instruction Fuzzy Hash: BFB1B332A0864686EB649F25D5116B933A1EB64F8EF504131DF89C3BC9DFBCE592C780

Function 00007FF6C21064C8 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf611d711d996cef35472e7504a5935af8ed11963d98eb5a37693ba2286e55b
Instruction ID: bc65e55136a3522cc07b754b869c0f473c40dc07fc6a11315d2d0cbc36369d61
Opcode Fuzzy Hash: 9cf611d711d996cef35472e7504a5935af8ed11963d98eb5a37693ba2286e55b
Instruction Fuzzy Hash: 1BB16C729086C585EB648F29809027C3BA4EB49F4DF284139CF8EC7B99CFB9E461C755

Function 00007FF6C210AF20 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c771e48c11f0d915594974b4bba5b1cef921b70c42e7a63ac30c42f7e56c6b99
Instruction ID: b180853b3ddc7f6a4339f2aaba5af23bd0f94187574e22d37cf05c8010c2ec0d
Opcode Fuzzy Hash: c771e48c11f0d915594974b4bba5b1cef921b70c42e7a63ac30c42f7e56c6b99
Instruction Fuzzy Hash: E381B072A04A9186EB609E26D4913BD33A0FB84F9DF104636EF9DD7B99CF78D5618300

Function 00007FF6C210FFD0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06df77d5c41abf0c9103d11d2ff5cfa312f76e721c7628385afe64dabe37a34
Instruction ID: e20cacdb80031b6d35c3914555ede45dd5a0ae93097af51eee557a56b8322643
Opcode Fuzzy Hash: c06df77d5c41abf0c9103d11d2ff5cfa312f76e721c7628385afe64dabe37a34
Instruction Fuzzy Hash: 9481A172A087818AE7A4CE19944037A6691EB55BD9F144235EFCDC3F95CE7DD5809B00

Function 00007FF6C20F2FA0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction ID: 7d3514ab839386570e5be86be82c7387b2a647f575492ef2c593451aab33e3fb
Opcode Fuzzy Hash: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction Fuzzy Hash: 3F610772B18BC982DE208F29E4516AAA360FB59794F559236DFDC87B54EF7DE180C300

Function 00007FF6C21051FC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: ab584789bf448eb12a0b0edd766480509f9b8aac1e0e5ef3cf2fa74010e58980
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: A0514F36A18695D6E7248E29C05022937A0FB49F6DF244131DF8DDBB94CFBAE863C740

Function 00007FF6C2105A1C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: a45b4ba527c88829272ae7f69beeb7650e19212abf13f98aaffb3e2e529d0849
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: 66515F76A1869596E7248F29C09022837A1FB44F6DF248131DF8DD7B94CFBAE863C740

Function 00007FF6C210560C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 4a71fcc27f2ada15bc4ade4dbcd295588c45b76686c362b839924782e276e900
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 35515F76A18A9196E7248F29C05022827A0FB44F6DF244131CF8DD7B94CFBAE863D780

Function 00007FF6C2105408 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction ID: e54379e9114fe15f4702c5787bb0b821782f617d076dc80bb5de4d4b78543ba7
Opcode Fuzzy Hash: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction Fuzzy Hash: 08516036A1869196E7648F29C04427C27A1FB58F5EF244131CF8DD7BA4DF7AE862C780

Function 00007FF6C2104FF8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction ID: 07f6299138035a17278e23deeca216e02fe18748a04f030beec4cf861b2b6d02
Opcode Fuzzy Hash: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction Fuzzy Hash: 9C513C36A1869596E7248E29C04472D27A0FB44F5EF244131CF8DD7BA8DF7AEC62C780

Function 00007FF6C2105818 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction ID: bd7b6aa4e8bbbc117f17394a4f2909c96a5452b18511afb680a5456439d3e611
Opcode Fuzzy Hash: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction Fuzzy Hash: 5C517436A1869196E7248F2AC04423837A0FB44F6DF285131CF8DD7B95DF7AE862C744

Function 00007FF6C210C7BC Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 992bdeb28752ac81bb160f4e9466717d9b532df2d17ea574ae2dd87a94b6b211
Instruction ID: a4a1e976e098f02aa905f70499a48c10437fa5191cfd273bff1378851e190fcc
Opcode Fuzzy Hash: 992bdeb28752ac81bb160f4e9466717d9b532df2d17ea574ae2dd87a94b6b211
Instruction Fuzzy Hash: 3C41E272B14A9581EF08CF2AD92426973A2BB48FC4B489032EF8DD7B58DE7DD0518740

Function 00007FF6C211CB60 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db13767cb4ef8546692f7daaddc1c348767b8ea185383b737debd21f48b2f6e
Instruction ID: c2a63489f85a396a5654f50b4b5b0d4a51449ee3078c6f19597482438bcf3725
Opcode Fuzzy Hash: 6db13767cb4ef8546692f7daaddc1c348767b8ea185383b737debd21f48b2f6e
Instruction Fuzzy Hash: 98F044716182558AEBA48F28A402A297795FB08785B908439DBC9C3F04DE7C90508F04

Function 00007FF6C20FE814 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9500c7797480eaac07bce270d35ebf5893055aa53205c196292c9b063e5a007a
Instruction ID: a64f10247fb98e07e1f08f53f9c00206e0f1a2e4510e18f7c4689b834a859530
Opcode Fuzzy Hash: 9500c7797480eaac07bce270d35ebf5893055aa53205c196292c9b063e5a007a
Instruction Fuzzy Hash: 19A00231A5CE42D0E604DF00E95413223B0EBA4B0AB4A0032CA8DC2A709FBDF581C355

Function 00007FF6C20E4C50 Relevance: 33.2, APIs: 22, Instructions: 199windowthreadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6C20E4C65
SwitchToThread.KERNEL32 ref: 00007FF6C20E4C9D
SetLastError.KERNEL32 ref: 00007FF6C20E4CDC
SetEvent.KERNEL32 ref: 00007FF6C20E4D17
MsgWaitForMultipleObjects.USER32 ref: 00007FF6C20E4D4B
PeekMessageW.USER32 ref: 00007FF6C20E4D66
TranslateMessage.USER32 ref: 00007FF6C20E4D75
DispatchMessageW.USER32 ref: 00007FF6C20E4D80
PeekMessageW.USER32 ref: 00007FF6C20E4D97
CloseHandle.KERNEL32 ref: 00007FF6C20E4DC4
send.WS2_32 ref: 00007FF6C20E4E01
SetEvent.KERNEL32 ref: 00007FF6C20E4E18
WSACloseEvent.WS2_32 ref: 00007FF6C20E4E2D
shutdown.WS2_32 ref: 00007FF6C20E4E49
closesocket.WS2_32 ref: 00007FF6C20E4E53
EnterCriticalSection.KERNEL32 ref: 00007FF6C20E4E70
ResetEvent.KERNEL32 ref: 00007FF6C20E4E7D
ResetEvent.KERNEL32 ref: 00007FF6C20E4E8A
ResetEvent.KERNEL32 ref: 00007FF6C20E4E97
SetEvent.KERNEL32 ref: 00007FF6C20E4F2C
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E4F39
SetLastError.KERNEL32 ref: 00007FF6C20E4F79

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Event$Message$Reset$CloseCriticalErrorLastPeekSectionThread$CurrentDispatchEnterHandleLeaveMultipleObjectsSwitchTranslateWaitclosesocketsendshutdown
String ID:
API String ID: 4058177064-0
Opcode ID: d4a00dac0fba48dd619eb6ba1b780ae101c1c81bf132304460c16c28b79e9ffb
Instruction ID: e07aa702eef55d665a966753c6f6b8feeadc4db0608918c22a43e57d0a1f9a97
Opcode Fuzzy Hash: d4a00dac0fba48dd619eb6ba1b780ae101c1c81bf132304460c16c28b79e9ffb
Instruction Fuzzy Hash: E5914976B08A8296E7689F25D5442A973A0FB44B5AF014536CFEDC3B90CFB8E4A4C750

Function 00007FF6C20F0620 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 140stringprocessCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF6C20F0698
lstrlenW.KERNEL32 ref: 00007FF6C20F06BA
wsprintfW.USER32 ref: 00007FF6C20F0722
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6C20F0786
lstrcatW.KERNEL32 ref: 00007FF6C20F07C1
lstrcatW.KERNEL32 ref: 00007FF6C20F07CE
lstrcpyW.KERNEL32 ref: 00007FF6C20F07DC
CreateProcessW.KERNEL32 ref: 00007FF6C20F085B

Strings

%s\shell\open\command, xrefs: 00007FF6C20F0714
WinSta0\Default, xrefs: 00007FF6C20F0813
"%1, xrefs: 00007FF6C20F078C
h, xrefs: 00007FF6C20F07E5

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: "%1$%s\shell\open\command$WinSta0\Default$h
API String ID: 1783372451-551013563
Opcode ID: eac3ac33eed5e84588de99090fdd2237e456d1a0e0148cdd7090aa018ec508cf
Instruction ID: f806ad2bd955d18c5396dcf3e603e1fc60581b050f8c8bcfacba9858071ff7de
Opcode Fuzzy Hash: eac3ac33eed5e84588de99090fdd2237e456d1a0e0148cdd7090aa018ec508cf
Instruction Fuzzy Hash: B5617032B18B9285EB20DF60D8442EA2361FB9874DF454136DE8D82F99EFBCD645C740

Function 00007FF6C20E4270 Relevance: 21.1, APIs: 14, Instructions: 119networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF6C20E429F
WSAIoctl.WS2_32 ref: 00007FF6C20E42F8
setsockopt.WS2_32 ref: 00007FF6C20E431D
setsockopt.WS2_32 ref: 00007FF6C20E4342
WSACreateEvent.WS2_32 ref: 00007FF6C20E4348
lstrlenW.KERNEL32 ref: 00007FF6C20E4355
WideCharToMultiByte.KERNEL32 ref: 00007FF6C20E4378
lstrlenW.KERNEL32 ref: 00007FF6C20E4390
WideCharToMultiByte.KERNEL32 ref: 00007FF6C20E43B3
gethostbyname.WS2_32 ref: 00007FF6C20E43C0
htons.WS2_32 ref: 00007FF6C20E43ED
WSAEventSelect.WS2_32 ref: 00007FF6C20E4413
connect.WS2_32 ref: 00007FF6C20E442D
WSAGetLastError.WS2_32 ref: 00007FF6C20E443C

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: 9a40c917c3a144fb0e85df481e15c57252f9d18ea51718549b18d6b35bc4cd58
Instruction ID: 0c9d3e91c7d9507fa78d7e1fa02b063c5c1587d902d0d38b85244ef8abd25714
Opcode Fuzzy Hash: 9a40c917c3a144fb0e85df481e15c57252f9d18ea51718549b18d6b35bc4cd58
Instruction Fuzzy Hash: 9B512C72608B9186E720CF61E84466A77A5FB94BA9F100236EEDD83F94CF7CD585C740

Function 00007FF6C20F15A0 Relevance: 18.2, APIs: 12, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20F15B9
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20F15DE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20F1608
std::_Facet_Register.LIBCPMT ref: 00007FF6C20F1688
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20F16A2
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20F16B2
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20F16D7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20F1701
std::_Facet_Register.LIBCPMT ref: 00007FF6C20F1777
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20F1791
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20F17AA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20F17B0

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: abf8e540b54f698cc9b45021eb612f4fee3d5b077170ba2ec9f9a82e9aa791c4
Instruction ID: 48c92c13e1e2c3e37f66f3189ca9b8741c2886922454d73f3da3f0f38d83d3ef
Opcode Fuzzy Hash: abf8e540b54f698cc9b45021eb612f4fee3d5b077170ba2ec9f9a82e9aa791c4
Instruction Fuzzy Hash: 6E516136B88B4281EA159F19E44417A73A1FB54B9AF190133DEDD83BA6DFBCE442C304

Function 00007FF6C20E46A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171networktimeCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 00007FF6C20E46C7
WSAGetLastError.WS2_32 ref: 00007FF6C20E46D8
WSAResetEvent.WS2_32 ref: 00007FF6C20E4717
WSAEventSelect.WS2_32 ref: 00007FF6C20E479C
WSAGetLastError.WS2_32 ref: 00007FF6C20E47A7
timeGetTime.WINMM ref: 00007FF6C20E47D2
timeGetTime.WINMM ref: 00007FF6C20E481D
send.WS2_32 ref: 00007FF6C20E4852
WSAGetLastError.WS2_32 ref: 00007FF6C20E485D

Strings

, xrefs: 00007FF6C20E48F8

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$EventTimetime$EnumEventsNetworkResetSelectsend
String ID:
API String ID: 957247320-3916222277
Opcode ID: 2310baa555e0df77a8bcfccd4f7fd94b27c56680d13eb448f7d2580fe2531f2f
Instruction ID: 2835170e14b53e7c8c47e0356e4d35da0402da62d1dca024ffa65ddc2234e784
Opcode Fuzzy Hash: 2310baa555e0df77a8bcfccd4f7fd94b27c56680d13eb448f7d2580fe2531f2f
Instruction Fuzzy Hash: 8C712772B086828AE3648F29D58436976E0FB44B49F154136CFD9C3B95CFFDE8858B80

Function 00007FF6C20E5A80 Relevance: 16.7, APIs: 11, Instructions: 154networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C20E5AC4
WSASetLastError.WS2_32 ref: 00007FF6C20E5C69
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E5C73

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: cb0b3ee4ce24505bbac61aa70540e6acda4bbb341cea077ae408a959c4223429
Instruction ID: 3d75a105ad216d7351b523a2c2bcf59bb3b114ad5fb94b5e1c78dd3d347c7890
Opcode Fuzzy Hash: cb0b3ee4ce24505bbac61aa70540e6acda4bbb341cea077ae408a959c4223429
Instruction Fuzzy Hash: A161CE32B0864286E6589F15D46567D6765FB84B8AF824432CFDEC3B90DFBCE894C380

Function 00007FF6C20E5090 Relevance: 16.6, APIs: 11, Instructions: 87COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C20E50F5
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E5107
SetLastError.KERNEL32 ref: 00007FF6C20E51DB

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 31685a7c47cc355b0b84d769594d8f48275261b6e3cd822618b6b5c873848fb6
Instruction ID: 46c2ef5ae897c10ec568f711f8a5f074265a1672a94e2dbe7a6da204870e1942
Opcode Fuzzy Hash: 31685a7c47cc355b0b84d769594d8f48275261b6e3cd822618b6b5c873848fb6
Instruction Fuzzy Hash: 92318820B0CB4286E7589F25E8891796661FF44B8AF550476DEDEC7B90CFBCE885C381

Function 00007FF6C20F0B40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6C20F0B91
RegDeleteValueW.ADVAPI32 ref: 00007FF6C20F0B9F
RegCloseKey.ADVAPI32 ref: 00007FF6C20F0BAA
RegCreateKeyW.ADVAPI32 ref: 00007FF6C20F0BCA
lstrlenW.KERNEL32 ref: 00007FF6C20F0BD7
RegSetValueExW.ADVAPI32 ref: 00007FF6C20F0BF9
RegCloseKey.ADVAPI32 ref: 00007FF6C20F0C04

Strings

VenNetwork, xrefs: 00007FF6C20F0B69
Software, xrefs: 00007FF6C20F0B73

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpenlstrlen
String ID: Software$VenNetwork
API String ID: 3197061591-1820303132
Opcode ID: b270a5905e67aa2bd04960c5a5af98d5e64a07028cd1629e036b508084a2e799
Instruction ID: bdc615d54ab84862062ed87124fdb07b37773f820869c5141e5b138e43b70589
Opcode Fuzzy Hash: b270a5905e67aa2bd04960c5a5af98d5e64a07028cd1629e036b508084a2e799
Instruction Fuzzy Hash: FF213076608A4186E710DF26E84825AB361FB94FAAF444131EE9DC3F68DFBCD149CB04

Function 00007FF6C20E5FC0 Relevance: 15.1, APIs: 10, Instructions: 140COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6C20E5FE4
EnterCriticalSection.KERNEL32 ref: 00007FF6C20E6004
SetLastError.KERNEL32 ref: 00007FF6C20E6016
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E606F

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: 81cee7a1bb8c55b665f2cb6114ea46a9dbeaedbff72b1fcf3e0ec13788c62983
Instruction ID: e158204ff45766edfccf0df89b4a2b603e6cadcdb96831ad9664100934f41333
Opcode Fuzzy Hash: 81cee7a1bb8c55b665f2cb6114ea46a9dbeaedbff72b1fcf3e0ec13788c62983
Instruction Fuzzy Hash: 5451BC32A086518BE7649F15E44467D77A5FB48B8AF06413ADECEC7751CF78E884C780

Function 00007FF6C2104880 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C21048C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2104C88
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2104F27

Strings

f, xrefs: 00007FF6C21049C2
f, xrefs: 00007FF6C2104B0D
p, xrefs: 00007FF6C2104965
f, xrefs: 00007FF6C2104958
p, xrefs: 00007FF6C21049CA

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction ID: 3a3e82935772cce2f1eb8c928c2624709529ca616e084b621ebade57746ee65a
Opcode Fuzzy Hash: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction Fuzzy Hash: C3127332A081C785FB209E16A18467A7251FB90B5AF944135EBCAC6FC4DFFDE5A08B14

Function 00007FF6C20E4080 Relevance: 13.6, APIs: 9, Instructions: 111timenetworkCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32 ref: 00007FF6C20E40C6
setsockopt.WS2_32 ref: 00007FF6C20E4165
setsockopt.WS2_32 ref: 00007FF6C20E418F
ResetEvent.KERNEL32 ref: 00007FF6C20E41DE
SetLastError.KERNEL32 ref: 00007FF6C20E420A
WSAGetLastError.WS2_32 ref: 00007FF6C20E4216
SetLastError.KERNEL32 ref: 00007FF6C20E4228
GetLastError.KERNEL32 ref: 00007FF6C20E4241
SetLastError.KERNEL32 ref: 00007FF6C20E4253

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateEventResetTimerWaitable
String ID:
API String ID: 2911610646-0
Opcode ID: 34ebcb83ecca3e20ff49f256afc65ca9a808d404bf61d5c783bec37bfef76818
Instruction ID: 2dd1522ce4de3e89b37563dbe9b524f2d1c16dffdb159f04fd99d51f63f29240
Opcode Fuzzy Hash: 34ebcb83ecca3e20ff49f256afc65ca9a808d404bf61d5c783bec37bfef76818
Instruction Fuzzy Hash: FB513772A05B8297E7148F25E90436973A0FB4875AF110135DF8DD7BA0DFBDE4A98B40

Function 00007FF6C20E5D10 Relevance: 13.6, APIs: 9, Instructions: 93timenetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,-00000004,00007FF6C20E49B9), ref: 00007FF6C20E5D5E
timeGetTime.WINMM(?,?,-00000004,00007FF6C20E49B9), ref: 00007FF6C20E5D95
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF6C20E49B9), ref: 00007FF6C20E5DB5
timeGetTime.WINMM(?,?,-00000004,00007FF6C20E49B9), ref: 00007FF6C20E5DFA
SetEvent.KERNEL32 ref: 00007FF6C20E5E27
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E5E3B
WSASetLastError.WS2_32(?,?,-00000004,00007FF6C20E49B9), ref: 00007FF6C20E5E52
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF6C20E49B9), ref: 00007FF6C20E5E61
WSASetLastError.WS2_32(?,?,-00000004,00007FF6C20E49B9), ref: 00007FF6C20E5E73

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
String ID:
API String ID: 3019579578-0
Opcode ID: 4019db875c6352495a6e2a967cb07e89537093c69e3cddfa206385f108ce449b
Instruction ID: c382120b48148e17bfa1054f149ec583b83c141940f5d23fb89a492b4e292160
Opcode Fuzzy Hash: 4019db875c6352495a6e2a967cb07e89537093c69e3cddfa206385f108ce449b
Instruction Fuzzy Hash: 93410432A0864287E7749F15E44423EBB61FB94B5AF150536DBCA83B94DFBCE8C58780

Function 00007FF6C20E5E90 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6C20E5EAA
TryEnterCriticalSection.KERNEL32 ref: 00007FF6C20E5ECB
TryEnterCriticalSection.KERNEL32 ref: 00007FF6C20E5EDD
SetLastError.KERNEL32 ref: 00007FF6C20E5EF6
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E5F00
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E5F0A

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: bf041e3c240114bd2df664f35279ad8215a3420238d0dd4b213a5f2d55893e77
Instruction ID: 383c36706c542eff7030ea93933624c94defe6d19b8b7a8a912429b950c6c8f3
Opcode Fuzzy Hash: bf041e3c240114bd2df664f35279ad8215a3420238d0dd4b213a5f2d55893e77
Instruction Fuzzy Hash: 40310A32A186528AE7909F25D44426937A4FF54B4EF440432DE8EC6B54DFBCD499C741

Function 00007FF6C2100EA8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6C2100F05

Part of subcall function 00007FF6C2103268: __GetUnwindTryBlock.LIBCMT ref: 00007FF6C21032AB
Part of subcall function 00007FF6C2103268: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6C21032D0

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6C2100FDD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6C210122B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6C2101338

Strings

csm, xrefs: 00007FF6C2100F1F
csm, xrefs: 00007FF6C2101000
csm, xrefs: 00007FF6C2100F86

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: cb5b3d42660800b6706ee9e5169d6ae77bc1ec10b54460efee445a81ffa0bcf3
Instruction ID: 545928692ba84c9358972402602da8e0bc7d04ccd54434a6ef8fc50c6face240
Opcode Fuzzy Hash: cb5b3d42660800b6706ee9e5169d6ae77bc1ec10b54460efee445a81ffa0bcf3
Instruction Fuzzy Hash: BCD14D22A086818AEB209F6994803AD77A0FB55B9DF104135EF8DD7F96DF7CE5A1C700

Function 00007FF6C2110B54 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF6C2110CD0
GetProcAddress.KERNEL32 ref: 00007FF6C2110CDC

Strings

api-ms-, xrefs: 00007FF6C2110C1A
ext-ms-, xrefs: 00007FF6C2110C2D

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: c5e8058506f29389ada01458bdd8bed04f407a28a220f5367f3ecbd3c22801fb
Instruction ID: 2c2c372fcacb35476ef0c7c47eea46852fd70f80820d86015ec8aa443f477dc3
Opcode Fuzzy Hash: c5e8058506f29389ada01458bdd8bed04f407a28a220f5367f3ecbd3c22801fb
Instruction Fuzzy Hash: D4411661F19B0245FA25CF16A80037A2291FF19FAAF054536DF8DD7B84EEBCE4899740

Function 00007FF6C20EE01F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6C20EE0E9
WriteFile.KERNEL32 ref: 00007FF6C20EE119
CloseHandle.KERNEL32 ref: 00007FF6C20EE12A
lstrlenW.KERNEL32 ref: 00007FF6C20EE135
wsprintfW.USER32 ref: 00007FF6C20EE159
lstrcpyW.KERNEL32 ref: 00007FF6C20EE168

Part of subcall function 00007FF6C20F0620: lstrlenW.KERNEL32 ref: 00007FF6C20F0698
Part of subcall function 00007FF6C20F0620: wsprintfW.USER32 ref: 00007FF6C20F0722
Part of subcall function 00007FF6C20F0620: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6C20F0786
Part of subcall function 00007FF6C20F0620: lstrcatW.KERNEL32 ref: 00007FF6C20F07C1
Part of subcall function 00007FF6C20F0620: lstrcatW.KERNEL32 ref: 00007FF6C20F07CE

Strings

%s %s, xrefs: 00007FF6C20EE152

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Filelstrcatlstrlenwsprintf$CloseCreateEnvironmentExpandHandleStringsWritelstrcpy
String ID: %s %s
API String ID: 958574092-2939940506
Opcode ID: 9d4b93ecebe44ad3dcfc41bef5c72ffa3e96dd61b2b13565d963145b1ed2cd72
Instruction ID: 321ece75e1130b899578944a57fcf285016816b9d00bbca0d4588b60ce8f9b4c
Opcode Fuzzy Hash: 9d4b93ecebe44ad3dcfc41bef5c72ffa3e96dd61b2b13565d963145b1ed2cd72
Instruction Fuzzy Hash: 8A415F22A18BC682E711CF28D9042FD2320FBA4B5DF15A222DF8C56656EF79E2C5C340

Function 00007FF6C20E4A90 Relevance: 12.1, APIs: 8, Instructions: 104networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C20E4AD0
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E4B20
send.WS2_32 ref: 00007FF6C20E4B49
EnterCriticalSection.KERNEL32 ref: 00007FF6C20E4B58
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E4B6F
WSAGetLastError.WS2_32 ref: 00007FF6C20E4BA9
EnterCriticalSection.KERNEL32 ref: 00007FF6C20E4BB9
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E4BFB

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastsend
String ID:
API String ID: 3480985631-0
Opcode ID: 223d6e403172c637e9da5f06492e840e62a0238e832c6a19f43c9c4cbc36de86
Instruction ID: 98f57336e92d843602d5da6941d41cbdaa2af7fc94313d56d8bce3a3b2e1b056
Opcode Fuzzy Hash: 223d6e403172c637e9da5f06492e840e62a0238e832c6a19f43c9c4cbc36de86
Instruction Fuzzy Hash: 25415936608B8282E7948F25E5442AC73A4FB48F9DF190136CF9D87B58CFB8E595C790

Function 00007FF6C2109720 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2109763
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2109B50
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2109DEC

Strings

p, xrefs: 00007FF6C2109815
p, xrefs: 00007FF6C210988D
f, xrefs: 00007FF6C2109885

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction ID: c45fb2814dbfab0f586ea7fcc03a4135dfa3a62aafb4cc2c55981a9f05121b13
Opcode Fuzzy Hash: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction Fuzzy Hash: 23126172A0C1C386FB24DE1591646BA7651EB40F5AF944135EBDAC6FC4DFBDE8A08B00

Function 00007FF6C20E4470 Relevance: 10.6, APIs: 7, Instructions: 143threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6C20E448E
SetWaitableTimer.KERNEL32 ref: 00007FF6C20E44C3
WSAWaitForMultipleEvents.WS2_32 ref: 00007FF6C20E456D
GetCurrentThreadId.KERNEL32 ref: 00007FF6C20E4676

Part of subcall function 00007FF6C20E4A90: EnterCriticalSection.KERNEL32 ref: 00007FF6C20E4AD0
Part of subcall function 00007FF6C20E4A90: LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E4B20
Part of subcall function 00007FF6C20E4A90: send.WS2_32 ref: 00007FF6C20E4B49
Part of subcall function 00007FF6C20E4A90: EnterCriticalSection.KERNEL32 ref: 00007FF6C20E4B58
Part of subcall function 00007FF6C20E4A90: LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E4B6F
Part of subcall function 00007FF6C20E4A90: WSAGetLastError.WS2_32 ref: 00007FF6C20E4BA9
Part of subcall function 00007FF6C20E4A90: EnterCriticalSection.KERNEL32 ref: 00007FF6C20E4BB9
Part of subcall function 00007FF6C20E4A90: LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E4BFB

SetLastError.KERNEL32 ref: 00007FF6C20E4616

Part of subcall function 00007FF6C20E5FC0: SetLastError.KERNEL32 ref: 00007FF6C20E5FE4

GetLastError.KERNEL32 ref: 00007FF6C20E461C
WSAGetLastError.WS2_32 ref: 00007FF6C20E4641

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterLeave$CurrentThread$EventsMultipleTimerWaitWaitablesend
String ID:
API String ID: 2807917265-0
Opcode ID: b86a4d89a2a610e9370193a82eb041067802b0227bafa79ad6b9f02f0420e125
Instruction ID: 7afacd81ee1573109b147f52cf107dcd0b14748c707659f83780a187500a14a1
Opcode Fuzzy Hash: b86a4d89a2a610e9370193a82eb041067802b0227bafa79ad6b9f02f0420e125
Instruction Fuzzy Hash: 62517D72B0874286EB608F25A84427923A4FB54B6EF150632DEEEC7795DFBCE4C08741

Function 00007FF6C20EB9E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20EBA4B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6C20EBA93
_Getctype.LIBCPMT ref: 00007FF6C20EBAAB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20EBB63
_Getwctype.LIBCPMT ref: 00007FF6C20EBBB1

Strings

bad locale name, xrefs: 00007FF6C20EBB86

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: 69cc4a8b7b19662485723bada806c81d00e2c443d81482d7207a293efd463004
Instruction ID: 5688c6268587fc103a51262dee9545ee0bede966c5e6b19acc3c0b29f428e5df
Opcode Fuzzy Hash: 69cc4a8b7b19662485723bada806c81d00e2c443d81482d7207a293efd463004
Instruction Fuzzy Hash: DC516922B09B818AEB24DFA0D4902BD3370EF54749F054136DF8DA6A9ADF78E596C344

Function 00007FF6C20F1E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6C20F1E80
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6C20F1EC8
_Getcoll.LIBCPMT ref: 00007FF6C20F1EE0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6C20F1F6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F1FC9

Strings

bad locale name, xrefs: 00007FF6C20F1FCF

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: std::_$Lockit$GetcollLocinfo::_Locinfo_ctorLockit::_Lockit::~__invalid_parameter_noinfo_noreturn
String ID: bad locale name
API String ID: 3908275632-1405518554
Opcode ID: 9e920306f43e4952b8c64fd291f4ca624831a52797418e3e011e95836a5b2e51
Instruction ID: 12cbfdc8853b18c5c4bcd8fd000f4c1d8a356ada9187f4e62b483c27b26d7bb7
Opcode Fuzzy Hash: 9e920306f43e4952b8c64fd291f4ca624831a52797418e3e011e95836a5b2e51
Instruction Fuzzy Hash: 7F517A22B49A8189FB10DFB4D4503BD3361AF44B4DF064136DE8DA6B9ADFB8955AC304

Function 00007FF6C21037CC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6C2103A7E,?,?,?,00007FF6C2103770,?,?,?,00007FF6C21003A9), ref: 00007FF6C2103851
GetLastError.KERNEL32(?,?,?,00007FF6C2103A7E,?,?,?,00007FF6C2103770,?,?,?,00007FF6C21003A9), ref: 00007FF6C210385F
LoadLibraryExW.KERNEL32(?,?,?,00007FF6C2103A7E,?,?,?,00007FF6C2103770,?,?,?,00007FF6C21003A9), ref: 00007FF6C2103889
FreeLibrary.KERNEL32(?,?,?,00007FF6C2103A7E,?,?,?,00007FF6C2103770,?,?,?,00007FF6C21003A9), ref: 00007FF6C21038F7
GetProcAddress.KERNEL32(?,?,?,00007FF6C2103A7E,?,?,?,00007FF6C2103770,?,?,?,00007FF6C21003A9), ref: 00007FF6C2103903

Strings

api-ms-, xrefs: 00007FF6C2103871

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: bdcdafd802d049a58c0b09305f9ac5b25268f61174ed16779f6a01e1bd42f6da
Instruction ID: aff3188c347dd1b346d95a8085dcb87a7edff20a01e63213809a4b79540af63f
Opcode Fuzzy Hash: bdcdafd802d049a58c0b09305f9ac5b25268f61174ed16779f6a01e1bd42f6da
Instruction Fuzzy Hash: 3631D221B1ABC291EE25DF02A4441752394BF04FAAF090637DF9DC6B80EFBCE4958344

Function 00007FF6C20F0C20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF6C20F0C30
GetFileAttributesW.KERNEL32 ref: 00007FF6C20F0CBD
GetLastError.KERNEL32 ref: 00007FF6C20F0CCC
CreateProcessW.KERNEL32 ref: 00007FF6C20F0D59

Strings

h, xrefs: 00007FF6C20F0D39
WinSta0\Default, xrefs: 00007FF6C20F0CEB

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: AttributesCreateErrorFileLastProcesslstrlen
String ID: WinSta0\Default$h
API String ID: 591566999-1620045033
Opcode ID: 97fd0016f673becf6109ea61c1b2bb0de26f74e5b3e6926f290ade0db5da7716
Instruction ID: 98cbbe18fa77c886e06e503753e4afedbfdf54d575b7723ec810d33bdaf464c5
Opcode Fuzzy Hash: 97fd0016f673becf6109ea61c1b2bb0de26f74e5b3e6926f290ade0db5da7716
Instruction Fuzzy Hash: B2317322A087C242E6708F14B5043BAA392FB95795F014335EADDC6B99EF7CE094C700

Function 00007FF6C210ED10 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED1F
FlsGetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED34
FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED55
FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED82
FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210ED93
FlsSetValue.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDA4
SetLastError.KERNEL32(?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F,?,?,?,00007FF6C21066E3), ref: 00007FF6C210EDBF

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f2de6421f07b29a90cfdc6310c4a09f0568ac7a9393794dea83b72160e9ddcb3
Instruction ID: 467293140d39d49f1cfe17cb69c459a88205c7801dd398fa5029c91371d0c3e3
Opcode Fuzzy Hash: f2de6421f07b29a90cfdc6310c4a09f0568ac7a9393794dea83b72160e9ddcb3
Instruction Fuzzy Hash: 76215C20E0928386F9586F2255461796242AF94FBAF140634EEBEC7FC6DEADE4914300

Function 00007FF6C211CF20 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6C211CF51
GetLastError.KERNEL32 ref: 00007FF6C211CF5D
CloseHandle.KERNEL32 ref: 00007FF6C211CF75
CreateFileW.KERNEL32 ref: 00007FF6C211CFA0
WriteConsoleW.KERNEL32 ref: 00007FF6C211CFBF

Strings

CONOUT$, xrefs: 00007FF6C211CF81

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 459cac5f161fe15dedf5efeb1a5c45af724dbddd491f92cbd2d9a7ab51bbc5e3
Instruction ID: 350e69442170d7f6461f8560279712f49f31af9ae7639739b178957d252eb704
Opcode Fuzzy Hash: 459cac5f161fe15dedf5efeb1a5c45af724dbddd491f92cbd2d9a7ab51bbc5e3
Instruction Fuzzy Hash: B4117C31B18B4286E3508F56E844329A6A0BB98FEAF000234EF9DC7FA4CFBCD5548740

Function 00007FF6C20EACF0 Relevance: 10.5, APIs: 7, Instructions: 40filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6C20EAD09
CreateFileW.KERNEL32 ref: 00007FF6C20EAD3D
SetFilePointer.KERNEL32 ref: 00007FF6C20EAD62
lstrlenW.KERNEL32 ref: 00007FF6C20EAD6B
WriteFile.KERNEL32 ref: 00007FF6C20EAD89
CloseHandle.KERNEL32 ref: 00007FF6C20EAD92
ReleaseMutex.KERNEL32 ref: 00007FF6C20EAD9F

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: 1770146ed1a2281a067c6a80d48e2834b530e15e6b9c6a9fb3f6106c2579b985
Instruction ID: 99eb4928f9ef514e00a798c84722fa53bcf7c9c2ea80fbda7c84a9be31576c50
Opcode Fuzzy Hash: 1770146ed1a2281a067c6a80d48e2834b530e15e6b9c6a9fb3f6106c2579b985
Instruction Fuzzy Hash: D3113D6560874282E7109F15F8097696361FB98BA9F004231DFAE83FE4CFBCD4898740

Function 00007FF6C20EEF25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6C20EEF4F
RegDeleteValueW.ADVAPI32 ref: 00007FF6C20EEF63
RegSetValueExW.ADVAPI32 ref: 00007FF6C20EEF8D
RegCloseKey.ADVAPI32 ref: 00007FF6C20EEF9A

Strings

Console, xrefs: 00007FF6C20EEF41
IpDatespecial, xrefs: 00007FF6C20EEF5C, 00007FF6C20EEF70

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: 227ad8f4b06cdb6b08930102bada313d7f8b98b7889bc09013c0be248a67a942
Instruction ID: 2e3e5ab93a04b2c88a32f42437a1f4fd674bff5592ae1fbcad8951a4b0665575
Opcode Fuzzy Hash: 227ad8f4b06cdb6b08930102bada313d7f8b98b7889bc09013c0be248a67a942
Instruction Fuzzy Hash: F1015E76608E8286E7218F24EC147693721FB95B6AF444122DE8D83B54DF7CD299CB04

Function 00007FF6C20E9380 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF6C20E9399
GetCommandLineW.KERNEL32 ref: 00007FF6C20E939F
GetStartupInfoW.KERNEL32 ref: 00007FF6C20E93AD
CreateProcessW.KERNEL32 ref: 00007FF6C20E93F0
ExitProcess.KERNEL32 ref: 00007FF6C20E93FB

Strings

, xrefs: 00007FF6C20E93E4

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-3916222277
Opcode ID: aa1260efbfd046cd4269c4db6a47a0747b5d48ad13e0b0b72107f694596a2f32
Instruction ID: 9fd1e38bdd687bf6687174c9ab89c77ef8163d1a51f7cb653ac812da9590f43e
Opcode Fuzzy Hash: aa1260efbfd046cd4269c4db6a47a0747b5d48ad13e0b0b72107f694596a2f32
Instruction Fuzzy Hash: B3F01232618B8186DB608F20F44875AB3A0FB98759F500235D7CE86F64DFBCD189CB40

Function 00007FF6C20E4940 Relevance: 9.1, APIs: 6, Instructions: 80networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF6C20E4964
SetLastError.KERNEL32 ref: 00007FF6C20E4977
WSAGetLastError.WS2_32 ref: 00007FF6C20E49C8
SetLastError.KERNEL32 ref: 00007FF6C20E4A32
WSASetLastError.WS2_32 ref: 00007FF6C20E4A3D
GetLastError.KERNEL32 ref: 00007FF6C20E4A43

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 1bfb22ba95e7e7656d2d5e0fb302539e9b3bee6e0c9b932fa958a4b538105933
Instruction ID: 8f83908fcedef03639e02d248d8c70054a65e402b9e91f4ba79c1ff5977ec059
Opcode Fuzzy Hash: 1bfb22ba95e7e7656d2d5e0fb302539e9b3bee6e0c9b932fa958a4b538105933
Instruction Fuzzy Hash: E9315B72B08A4282EB608F28E48436D23A1FB55B5EF560436CE8DC6798DEBDD8C49751

Function 00007FF6C2101378 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6C2101516
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6C210183F

Strings

csm, xrefs: 00007FF6C210153D
csm, xrefs: 00007FF6C210145D
csm, xrefs: 00007FF6C21014BF

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: f0c8ce6e5c114cb55c7e972b5d7e00f12528d3fa075699b5c4d5ef1c378b05c7
Instruction ID: f13207a16c7e00097dd39aad69d41db43a4fa74d904fe9e8e5b81ab4bba7c82e
Opcode Fuzzy Hash: f0c8ce6e5c114cb55c7e972b5d7e00f12528d3fa075699b5c4d5ef1c378b05c7
Instruction Fuzzy Hash: 44E1AC72A087828AE7209F68D4802AD37A0FB45B5DF144136EF8ED7B96CE7CE191C704

Function 00007FF6C20E5300 Relevance: 9.1, APIs: 6, Instructions: 63synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 00007FF6C20E531C
ResetEvent.KERNEL32 ref: 00007FF6C20E5329
timeGetTime.WINMM ref: 00007FF6C20E532F
WaitForSingleObject.KERNEL32 ref: 00007FF6C20E5379
ResetEvent.KERNEL32 ref: 00007FF6C20E5396

Part of subcall function 00007FF6C20E4C50: GetCurrentThreadId.KERNEL32 ref: 00007FF6C20E4C65
Part of subcall function 00007FF6C20E4C50: SwitchToThread.KERNEL32 ref: 00007FF6C20E4C9D
Part of subcall function 00007FF6C20E4C50: SetLastError.KERNEL32 ref: 00007FF6C20E4CDC

ResetEvent.KERNEL32 ref: 00007FF6C20E53BD

Part of subcall function 00007FF6C2108BE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2108C0B

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: EventReset$Thread$CurrentErrorLastObjectSingleSwitchTimeWait_invalid_parameter_noinfotime
String ID:
API String ID: 2235205178-0
Opcode ID: 590f28aa241335ba61f28d79a4cf37bde6970dd5790133cda3c336355218676e
Instruction ID: 8c2d11cfa2dfa298adcf696f46ec6bd6cdc088b95f006dc08895fd6295f02461
Opcode Fuzzy Hash: 590f28aa241335ba61f28d79a4cf37bde6970dd5790133cda3c336355218676e
Instruction Fuzzy Hash: 99217E32608A8182E750CF25E84426963A0FB88F9DF194532DECDD7B68CFB8D591C740

Function 00007FF6C210EE88 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0000975800AD59FC,00007FF6C2108DA5,?,?,?,?,00007FF6C21127E6,?,?,00000000,00007FF6C210A69B,?,?,?), ref: 00007FF6C210EE97
FlsSetValue.KERNEL32(?,?,0000975800AD59FC,00007FF6C2108DA5,?,?,?,?,00007FF6C21127E6,?,?,00000000,00007FF6C210A69B,?,?,?), ref: 00007FF6C210EECD
FlsSetValue.KERNEL32(?,?,0000975800AD59FC,00007FF6C2108DA5,?,?,?,?,00007FF6C21127E6,?,?,00000000,00007FF6C210A69B,?,?,?), ref: 00007FF6C210EEFA
FlsSetValue.KERNEL32(?,?,0000975800AD59FC,00007FF6C2108DA5,?,?,?,?,00007FF6C21127E6,?,?,00000000,00007FF6C210A69B,?,?,?), ref: 00007FF6C210EF0B
FlsSetValue.KERNEL32(?,?,0000975800AD59FC,00007FF6C2108DA5,?,?,?,?,00007FF6C21127E6,?,?,00000000,00007FF6C210A69B,?,?,?), ref: 00007FF6C210EF1C
SetLastError.KERNEL32(?,?,0000975800AD59FC,00007FF6C2108DA5,?,?,?,?,00007FF6C21127E6,?,?,00000000,00007FF6C210A69B,?,?,?), ref: 00007FF6C210EF37

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 3654d854b1b7b54d09208102c236c7adbe92e0b1e90858cb6ea83a43bfdf338d
Instruction ID: 4de7274b3f7f7b31d5ece17794bc063653605fe642308213d56c81a2a2f27add
Opcode Fuzzy Hash: 3654d854b1b7b54d09208102c236c7adbe92e0b1e90858cb6ea83a43bfdf338d
Instruction Fuzzy Hash: 91115E20E0968786F5586F22554603962426F84FBAF144634EEBEC7FC6DEACF4914300

Function 00007FF6C210BF30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6C210BF55
GetProcAddress.KERNEL32 ref: 00007FF6C210BF6B
FreeLibrary.KERNEL32 ref: 00007FF6C210BF92

Strings

mscoree.dll, xrefs: 00007FF6C210BF4C
CorExitProcess, xrefs: 00007FF6C210BF64

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 69936be9a3c9092073ccdecace5a334f9bb4337f6d94747144cad9e03172cb9f
Instruction ID: 213e04806cbd0b5e8778fd7c20afbf61f8ea25392ad8facc5be97d1645e9e8eb
Opcode Fuzzy Hash: 69936be9a3c9092073ccdecace5a334f9bb4337f6d94747144cad9e03172cb9f
Instruction Fuzzy Hash: 3BF0C265A1974281EB148F24E4443396320EF49FAAF440639DFAEC6BE4CFBCD189C700

Function 00007FF6C20EEFA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6C20EEFC9
RegDeleteValueW.ADVAPI32 ref: 00007FF6C20EEFDD
RegCloseKey.ADVAPI32 ref: 00007FF6C20EEFEA

Strings

Console, xrefs: 00007FF6C20EEFBB
IpDatespecial, xrefs: 00007FF6C20EEFD6

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: 428edfecf080eeaca7e0c1c67ef556d191498152a1b600a56db6dc59e929ff35
Instruction ID: 2bc9507e2c4539d6c3e60a62a59295f7b8942b4944367f07e0abbb5a209067e1
Opcode Fuzzy Hash: 428edfecf080eeaca7e0c1c67ef556d191498152a1b600a56db6dc59e929ff35
Instruction Fuzzy Hash: 6BF0FF76608DC285EB308F14EC147A97321EB94B6BF400131DE8D97B68DE79E2D98B04

Function 00007FF6C2100778 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF6C210089B
__AdjustPointer.LIBCMT ref: 00007FF6C21008E6

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 95c273c5d9a602b1e514679a9057b242ded82a174dba946a287035d63dc3020a
Instruction ID: e38c8f07300c658f52e5a9e700dba68ad4a70838c440dccb64ee51a471baafae
Opcode Fuzzy Hash: 95c273c5d9a602b1e514679a9057b242ded82a174dba946a287035d63dc3020a
Instruction Fuzzy Hash: 68B18122E0AAC689FA659E1194442396390AF54F8EF098436DFCDC7F95DEBCE462C341

Function 00007FF6C211C95C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6C211C984
_set_statfp.LIBCMT ref: 00007FF6C211C99F
_set_statfp.LIBCMT ref: 00007FF6C211C9BB
_set_statfp.LIBCMT ref: 00007FF6C211C9F7

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction ID: 033522bc3cbd4511807c377cf80f07681fcdad783acf284182906d1ec8026057
Opcode Fuzzy Hash: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction Fuzzy Hash: 5E11B222E08B5B01FA541D28D54637911416F75B7AF480634EFEEE6BDE9EBCE8C04202

Function 00007FF6C210EF50 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6C2103C9B,?,?,00000000,00007FF6C2103F36,?,?,?,?,?,00007FF6C2103EC2), ref: 00007FF6C210EF6F
FlsSetValue.KERNEL32(?,?,?,00007FF6C2103C9B,?,?,00000000,00007FF6C2103F36,?,?,?,?,?,00007FF6C2103EC2), ref: 00007FF6C210EF8E
FlsSetValue.KERNEL32(?,?,?,00007FF6C2103C9B,?,?,00000000,00007FF6C2103F36,?,?,?,?,?,00007FF6C2103EC2), ref: 00007FF6C210EFB6
FlsSetValue.KERNEL32(?,?,?,00007FF6C2103C9B,?,?,00000000,00007FF6C2103F36,?,?,?,?,?,00007FF6C2103EC2), ref: 00007FF6C210EFC7
FlsSetValue.KERNEL32(?,?,?,00007FF6C2103C9B,?,?,00000000,00007FF6C2103F36,?,?,?,?,?,00007FF6C2103EC2), ref: 00007FF6C210EFD8

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4047813a2c2501da88736eb8979464a470432fe091b6a2381c64cb1679d0dde5
Instruction ID: ff974e60f7b57f36fc21d8456ae5c8d213a047d5af678ca86a5c8d95b616135b
Opcode Fuzzy Hash: 4047813a2c2501da88736eb8979464a470432fe091b6a2381c64cb1679d0dde5
Instruction Fuzzy Hash: 2D116D10E0928386FA985F26A55213961826F44FBAF144234EEFDC6FD6DEACF4914300

Function 00007FF6C210EDE4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F), ref: 00007FF6C210EDF5
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F), ref: 00007FF6C210EE14
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F), ref: 00007FF6C210EE3C
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F), ref: 00007FF6C210EE4D
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6C2117113,?,?,?,00007FF6C210F444,?,?,?,00007FF6C210843F), ref: 00007FF6C210EE5E

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f4b63a2d358e16832ea89596edc1dbf90b4b2fd2f1616095919a36d422ba38cd
Instruction ID: fb4bb250928e3fa8ba2da8859d89f988f7f2c4a628b38a06100b94b70c579601
Opcode Fuzzy Hash: f4b63a2d358e16832ea89596edc1dbf90b4b2fd2f1616095919a36d422ba38cd
Instruction Fuzzy Hash: 5F112E10E0928B46F9986E22545207921825F54F7EF281B38EFFEC6FC2DDECB4A15300

Function 00007FF6C20E56C0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C20E56E5
EnterCriticalSection.KERNEL32 ref: 00007FF6C20E56EF
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E56FF
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E5709

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7d1c33e0fc199dc1a1b2b98ae86d416f77ce0655480dcc5f384a8a26f1c27f0c
Instruction ID: 9dcee76dad7dbd45920cfb507462c3d777b0173243e1b59299d777257452e720
Opcode Fuzzy Hash: 7d1c33e0fc199dc1a1b2b98ae86d416f77ce0655480dcc5f384a8a26f1c27f0c
Instruction Fuzzy Hash: 4811CC3262464687EA509F25F4953A96360FB54B5AF451031DBCF86B54CF7CE4CAC740

Function 00007FF6C20EC0C0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF6C20EC103
EnterCriticalSection.KERNEL32(?,?,?,00007FF6C20EC094), ref: 00007FF6C20EC115
EnterCriticalSection.KERNEL32 ref: 00007FF6C20EC125
GdiplusShutdown.GDIPLUS ref: 00007FF6C20EC133
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20EC140

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
String ID:
API String ID: 1513102227-0
Opcode ID: cb3a45266a7c72afb3eef7b31d32061257325c5ad6beb33f20a6e81f88ef5b24
Instruction ID: 33f85add8429ec29f8b2eb2acea6d0b5c826eae0f160cb9280a80fcf8f58216b
Opcode Fuzzy Hash: cb3a45266a7c72afb3eef7b31d32061257325c5ad6beb33f20a6e81f88ef5b24
Instruction Fuzzy Hash: F1113032505B4281EB108F29E4440287374FB54F6DB244236DBDD82BA4DF79D597C380

Function 00007FF6C20E5640 Relevance: 7.5, APIs: 5, Instructions: 26synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6C20E5652
WaitForSingleObject.KERNEL32 ref: 00007FF6C20E5664
Sleep.KERNEL32 ref: 00007FF6C20E566F
CloseHandle.KERNEL32 ref: 00007FF6C20E568C
CloseHandle.KERNEL32 ref: 00007FF6C20E5699

Part of subcall function 00007FF6C20E4C50: GetCurrentThreadId.KERNEL32 ref: 00007FF6C20E4C65
Part of subcall function 00007FF6C20E4C50: SwitchToThread.KERNEL32 ref: 00007FF6C20E4C9D
Part of subcall function 00007FF6C20E4C50: SetLastError.KERNEL32 ref: 00007FF6C20E4CDC

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseHandleObjectSingleThreadWait$CurrentErrorLastSleepSwitch
String ID:
API String ID: 1535946027-0
Opcode ID: 311de798c0593289d29e071e9f78a1d734eb52b4581ef33c1cbfd426072e5f36
Instruction ID: 3183ed195d52bf2f55772d3102c4b07fca8e6ab404637b859684abd416b396ba
Opcode Fuzzy Hash: 311de798c0593289d29e071e9f78a1d734eb52b4581ef33c1cbfd426072e5f36
Instruction Fuzzy Hash: 2CF0E736A04A4582E7049F69E8551682320FB99F6EF184231DEAEC7BA4DFB8D8C5C350

Function 00007FF6C2101AEC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6C2101B5C
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6C2101BA7

Strings

RCC, xrefs: 00007FF6C2101B78
MOC, xrefs: 00007FF6C2101B70

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 85eb8fbd3e06a99c4afa559b4d80cf249f4e954e0195537aa802c98b0a840f84
Instruction ID: e41af769a27ae3582ca148ae1187e5afc45ee90fb9ff47ab16ca265c6687101f
Opcode Fuzzy Hash: 85eb8fbd3e06a99c4afa559b4d80cf249f4e954e0195537aa802c98b0a840f84
Instruction Fuzzy Hash: 36919F73A087858AE710CF69E4842AD7BA0FB44B99F10412AEF8D97B55DF7CD1A5CB00

Function 00007FF6C20FFD28 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6C20FFD53
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6C20FFDEA
RtlUnwindEx.KERNEL32 ref: 00007FF6C20FFE44

Strings

csm, xrefs: 00007FF6C20FFDD1

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c305225e0e2b3a2203a822812f960376c115b044745f784688940b7b0a399dcc
Instruction ID: f021bfe4229d6c18c02ebb2ad4f980cf640ceee215792e510eb7a45f6a548ea9
Opcode Fuzzy Hash: c305225e0e2b3a2203a822812f960376c115b044745f784688940b7b0a399dcc
Instruction Fuzzy Hash: 9951AF32B196428ADB14CF15E048A7A3391EB44B9DF164136EE8EC7789EFBCE841C704

Function 00007FF6C210206C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6C2102094
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6C210217C

Strings

csm, xrefs: 00007FF6C21020B6
csm, xrefs: 00007FF6C21021CE

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 544592ab7251effa554c0990b2f03f08321f7b0f5e6baf8f1fc1d42750b8d711
Instruction ID: a8bd9b6e02c2a0954aa3bf99fc47412eb591293f316fb8b86c1d253e877c4bf8
Opcode Fuzzy Hash: 544592ab7251effa554c0990b2f03f08321f7b0f5e6baf8f1fc1d42750b8d711
Instruction Fuzzy Hash: BD514B32A082C68AEA649E51944436877A0FB55F9AF144136DFDCC7F99CFB8E8A1C701

Function 00007FF6C211AA5C Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6C211AADB
WriteFile.KERNEL32 ref: 00007FF6C211ADA3
WriteFile.KERNEL32 ref: 00007FF6C211ADE9
GetLastError.KERNEL32 ref: 00007FF6C211AE9F

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: b0a5a2f5e03aa4de9bb2610dcdd396f5b9cdbd820afb8483674e8d26cbad73da
Instruction ID: 9278bbef8a8b8e4aaefec543da0f999d0acbe42a6c23e49828adda8a4c4a89fd
Opcode Fuzzy Hash: b0a5a2f5e03aa4de9bb2610dcdd396f5b9cdbd820afb8483674e8d26cbad73da
Instruction Fuzzy Hash: ECD1CE22B19A8189EB10CF65D4502AC3BB2FB54B9DB144236DF9ED7F99DE78D486C300

Function 00007FF6C20F59A0 Relevance: 6.3, APIs: 4, Instructions: 260COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F5B15
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20F5B1B

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 9f626c90efecc73dd731a3342661a9fce9011a5a195b48eaf535096b97dc9d75
Instruction ID: 0a77b52402b445ab2964a3f9cc8a77ea03f9b4aebc0ca41107ae93cd460f8587
Opcode Fuzzy Hash: 9f626c90efecc73dd731a3342661a9fce9011a5a195b48eaf535096b97dc9d75
Instruction Fuzzy Hash: B091F162B44A8245EE14CF26D4442BE6761BB04BE5F568632DFAD87BC5DFBCE0918304

Function 00007FF6C20F7610 Relevance: 6.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F79B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F79BC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F79C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F79C8

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 606bfdfa486e7f6607c7e08f7eff069c677fe6d288b2685b6771c8305ee7e9ca
Instruction ID: 90df843c41a41bffdcc4cb5e001acea40a94fcc7f42525178af4cd359cf6e0fc
Opcode Fuzzy Hash: 606bfdfa486e7f6607c7e08f7eff069c677fe6d288b2685b6771c8305ee7e9ca
Instruction Fuzzy Hash: 97B1CE62F54B5584FB008FA4C4447AD2372FB08B9DF415222DEAC67BE9DFB8A481C305

Function 00007FF6C211B384 Relevance: 6.2, APIs: 4, Instructions: 219COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF6C211B36F), ref: 00007FF6C211B4A0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF6C211B36F), ref: 00007FF6C211B52B

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: c0b9c452233083e8ba344db7b85cdb6942af15e1945070f1535423c6b6b64ca2
Instruction ID: 7c53345265f754349bc03ea03e4bd62b24250b5807f83c6c7eacfcd07cd34355
Opcode Fuzzy Hash: c0b9c452233083e8ba344db7b85cdb6942af15e1945070f1535423c6b6b64ca2
Instruction Fuzzy Hash: 7591A162B1865285F7608F6594802BD2BA0BB25F8EF144139DF8ED7FA5DEB8D6C1C700

Function 00007FF6C20F8830 Relevance: 6.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F8A74
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6C20F8A80
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F8A86
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20F8AE7

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: b56907e08ba36c9d4b8f3d7cb346202edcdf0dc19a316a1c7c65d1275951c183
Instruction ID: 98d76c7529558b48c1ea3d4c4144868a9d66791a47f6db4b7511f40f85f6360d
Opcode Fuzzy Hash: b56907e08ba36c9d4b8f3d7cb346202edcdf0dc19a316a1c7c65d1275951c183
Instruction Fuzzy Hash: D871BF62B54B8585EA04DF25D4082AE6361FB85F99F568632DFAC83BC5DEB8E480C344

Function 00007FF6C20EF160 Relevance: 6.2, APIs: 4, Instructions: 190processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6C20EF1AD
Process32FirstW.KERNEL32 ref: 00007FF6C20EF23F
Process32NextW.KERNEL32 ref: 00007FF6C20EF333

Part of subcall function 00007FF6C2108A40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C2108A66

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6C20EF3FB

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4260596558-0
Opcode ID: 0d783772210e43a2695af6463465b775912326aee02ff3f9c7600c154f401b30
Instruction ID: 4cf100eeec1b086eb8fe454397dad6cc561d9c292d93d8aad3333b7263e9c30f
Opcode Fuzzy Hash: 0d783772210e43a2695af6463465b775912326aee02ff3f9c7600c154f401b30
Instruction Fuzzy Hash: 0271D662B18A8681EB209F25D04826E6361FB85BA9F454332DEFE837D4DFBCD580C740

Function 00007FF6C21095E4 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF6C210963B
GetSystemInfo.KERNEL32 ref: 00007FF6C2109654
VirtualAlloc.KERNEL32 ref: 00007FF6C21096C2
VirtualProtect.KERNEL32 ref: 00007FF6C21096DD

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: de052ff2da3a860ebe00b2b1188a3b3a24b5d5626fd4b16e4c5629aca21b164b
Instruction ID: 44a4cdd53ac0fdf0c76bf2e6e46adccd549fc89d3640b16dd4305a990ad32b42
Opcode Fuzzy Hash: de052ff2da3a860ebe00b2b1188a3b3a24b5d5626fd4b16e4c5629aca21b164b
Instruction Fuzzy Hash: 45314632714A819EDB20CF31D8547A923A5FB48B89F844025EE8D87B48DF78E646C740

Function 00007FF6C20E4F90 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6C20E4FAC
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E4FC3
LeaveCriticalSection.KERNEL32 ref: 00007FF6C20E504B
SetEvent.KERNEL32 ref: 00007FF6C20E506B

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 401af7361c6d18c862ea4f071fb6758f38da9ad67756e4e78bac1cd16ae14490
Instruction ID: 8ec7c7d1abbcf516dc3cf547b8b6aec8a56b83cb0019ee0f4a9a988b6e084832
Opcode Fuzzy Hash: 401af7361c6d18c862ea4f071fb6758f38da9ad67756e4e78bac1cd16ae14490
Instruction Fuzzy Hash: CB213932704B8193D748CF2AE5802ADB3A4FB48B89F544435DBAD83B25DF78E4A1C740

Function 00007FF6C20FE880 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6C20FE8AC
GetCurrentThreadId.KERNEL32 ref: 00007FF6C20FE8BA
GetCurrentProcessId.KERNEL32 ref: 00007FF6C20FE8C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C20FE8D6

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e05f7aef3380f0f9b3312b24ce1aa7c1f593c40dbd43f636e11a9c4c637e2614
Instruction ID: fc552dfe997a3815f447cbf513f1be2e18ccdc1ee32fc068867f37609a54c845
Opcode Fuzzy Hash: e05f7aef3380f0f9b3312b24ce1aa7c1f593c40dbd43f636e11a9c4c637e2614
Instruction Fuzzy Hash: 80111F26B15B0589EB00CF60E8542B933A4FB19B59F440931DF6DC6B94DF7CD1948340

Function 00007FF6C20E3FF0 Relevance: 6.0, APIs: 4, Instructions: 22synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6C20E4002
Sleep.KERNEL32 ref: 00007FF6C20E400D
WaitForSingleObject.KERNEL32 ref: 00007FF6C20E4024
WaitForSingleObject.KERNEL32 ref: 00007FF6C20E4036

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ObjectSingleWait$Sleep
String ID:
API String ID: 2961732021-0
Opcode ID: 83ddd93f6670c03bec4b7f128343a3e6a6daf1263786cfff0f95db90d503808b
Instruction ID: 822a6a7ccc934de6d20ef8515d4d67fb1c187047d98d0f2f6bfd76904b33e984
Opcode Fuzzy Hash: 83ddd93f6670c03bec4b7f128343a3e6a6daf1263786cfff0f95db90d503808b
Instruction Fuzzy Hash: D1F0B262B04A4486EB409F39D8552283261FB9DF3AF650330CE6DC7BE4EF78C8858350

Function 00007FF6C21022A4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6C21022CE

Strings

csm, xrefs: 00007FF6C21022F3
csm, xrefs: 00007FF6C2102462

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: f15189d2199330c0f402dae8ecdfa2ca81426a1eff024833c44a8ddbe4b12987
Instruction ID: f4d21f9deb2df65ef51c3fea99e3047771c6415567459bd30bed59abdf67954f
Opcode Fuzzy Hash: f15189d2199330c0f402dae8ecdfa2ca81426a1eff024833c44a8ddbe4b12987
Instruction Fuzzy Hash: 57718A72A086C186DB608E2590A46BDABA0FB44F8AF148135DF8CD7F89DF7CD5A1C704

Function 00007FF6C210187C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6C21018DB

Strings

MOC, xrefs: 00007FF6C21018EF
RCC, xrefs: 00007FF6C21018F7

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ff6c3586205ef54b92cc1381aa76c713ce5aef96bda724e5a14e442f6a8185ef
Instruction ID: 50d14258b51633018540b8f630cbfbf86a99f39a6484789bf5760b2a80a487aa
Opcode Fuzzy Hash: ff6c3586205ef54b92cc1381aa76c713ce5aef96bda724e5a14e442f6a8185ef
Instruction Fuzzy Hash: D6617032908BC585D7609F19E4407AAB7A0FB95B99F044225EFDD83B95DFBCE1A4CB00

Function 00007FF6C20EDC4D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FF6C20EDCA0
CloseHandle.KERNEL32 ref: 00007FF6C20EDE27

Strings

%s_bin, xrefs: 00007FF6C20EDC95

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseHandlewsprintf
String ID: %s_bin
API String ID: 3088109604-2665034546
Opcode ID: 32607a802dd0051346d943f98019fc9552bc7bdaec40320c16938ddbe90bc895
Instruction ID: aba7aafa1bb31e048c1ca587fb940bd586f8f4303c1dcda5c582a5cb0f321045
Opcode Fuzzy Hash: 32607a802dd0051346d943f98019fc9552bc7bdaec40320c16938ddbe90bc895
Instruction Fuzzy Hash: 3751A06AB19AA681EF20DF21C014BB92355EF85B8AF478136DE8D877C1DEBCD485C341

Function 00007FF6C2111F64 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6C21094E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6C210951B

_get_daylight.LIBCMT ref: 00007FF6C211207C
_get_daylight.LIBCMT ref: 00007FF6C211208D

Strings

?, xrefs: 00007FF6C211200D

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 73dd6a1d9a5ad4992f3991f8c36a8220d63358c9d054768064d2836bf5e58140
Instruction ID: 41ea091386519dd6f82dfc8c8871305da4476a8da2a18b569fc2cc0e0d87c436
Opcode Fuzzy Hash: 73dd6a1d9a5ad4992f3991f8c36a8220d63358c9d054768064d2836bf5e58140
Instruction Fuzzy Hash: 9D41C622A1839246FB249F299411779A660EBA0FA9F144235EFDCC6FD9DFBCD491C700

Function 00007FF6C210293C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6C21029E6
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6C2102A0F

Strings

csm, xrefs: 00007FF6C2102B0F

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: f28967bb51a8388d528e36e8d1b9cbe39d4a27893e421944e70fc0d8e7df8c72
Instruction ID: 38e6a485cc6aa94e12d2b4f7e6b12d054df41328e9d09623df17e54ecbbf02fb
Opcode Fuzzy Hash: f28967bb51a8388d528e36e8d1b9cbe39d4a27893e421944e70fc0d8e7df8c72
Instruction Fuzzy Hash: 72513F7261878186E620AF26E08126E77A4F788B99F141135EF8DC7B56CF7CE461CB04

Function 00007FF6C210C224 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6C210C256

Part of subcall function 00007FF6C210E95C: RtlFreeHeap.NTDLL(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E972
Part of subcall function 00007FF6C210E95C: GetLastError.KERNEL32(?,?,?,00007FF6C2116862,?,?,?,00007FF6C2116BDF,?,?,00000000,00007FF6C2117025,?,?,?,00007FF6C2116F57), ref: 00007FF6C210E97C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6C20FE051), ref: 00007FF6C210C274

Strings

C:\Users\user\Desktop\f3fBEUL66b.exe, xrefs: 00007FF6C210C262

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\f3fBEUL66b.exe
API String ID: 3580290477-2325883835
Opcode ID: aee35bfe6285ca872dc023e0e85ec8bac6debb86297f70b490d45f268cf6f652
Instruction ID: f8f60654abd9813360150f01aeedb23d3384e398afaba2c5cbb427eabee05721
Opcode Fuzzy Hash: aee35bfe6285ca872dc023e0e85ec8bac6debb86297f70b490d45f268cf6f652
Instruction Fuzzy Hash: DC416B3AA18B8286EB54DF21A4500B977A5FF45F89B444035EF8EC7F85DEBCE4608700

Function 00007FF6C211B0F4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6C211B20B
GetLastError.KERNEL32 ref: 00007FF6C211B22D

Strings

U, xrefs: 00007FF6C211B1B7

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 82c14a47abd65dfd2f18e3d0d2973b2ccc07122a063a358567b3cbc0c6ba3651
Instruction ID: dd6bc1705eb3b48b74a142d11bf466c9dc89d3cce19c40cf3545d949b00f6e5e
Opcode Fuzzy Hash: 82c14a47abd65dfd2f18e3d0d2973b2ccc07122a063a358567b3cbc0c6ba3651
Instruction Fuzzy Hash: A4419372B18A8191DB208F25E8543BA67A1FB98B99F414031EF8DC7B58DF7CD645C740

Function 00007FF6C21002F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20E1111), ref: 00007FF6C2100340
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6C20E1111), ref: 00007FF6C2100381

Strings

csm, xrefs: 00007FF6C210036E

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4e14dd832fb4824443fa8c0aec862097db35212d867c479028c393dfe5930aef
Instruction ID: be7cf0575c1628f812766de8a328479753fe7aefe58845b0a3a1fb39dc793bd1
Opcode Fuzzy Hash: 4e14dd832fb4824443fa8c0aec862097db35212d867c479028c393dfe5930aef
Instruction Fuzzy Hash: CE111C32618B8186EB618F25E44025A77E5FB88B89F584230DFCC87B68DF7DD551C700

Function 00007FF6C20FA4B0 Relevance: 5.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00007FF6C20FA4EE
IsBadReadPtr.KERNEL32 ref: 00007FF6C20FA5C3
SetLastError.KERNEL32(?,00000000,00007FF6C20FAAC9,?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA5E5
SetLastError.KERNEL32(?,00000000,00007FF6C20FAAC9,?,?,?,?,?,?,?,?,?,00007FF6C20ED242), ref: 00007FF6C20FA603

Memory Dump Source

Source File: 00000000.00000002.4117440587.00007FF6C20E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C20E0000, based on PE: true

Associated: 00000000.00000002.4117426025.00007FF6C20E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117473416.00007FF6C211F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117493131.00007FF6C2135000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117507740.00007FF6C2138000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117521945.00007FF6C213C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4117538425.00007FF6C2140000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c20e0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 82ac0250d1ecd3177f83757e94cf9be5bc81ee4aab1a059e0fd8dc4cfb57a079
Instruction ID: 6c0171809f777b79395468dcaedd99011b66a91c560a9c943c42781c2a0c6114
Opcode Fuzzy Hash: 82ac0250d1ecd3177f83757e94cf9be5bc81ee4aab1a059e0fd8dc4cfb57a079
Instruction Fuzzy Hash: 9C412B72B49B4186EB148F1AD54126A73A0FB58F9AF064436CF8E87B54DFBCE4A1C314

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report f3fBEUL66b.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\kernelquick.sys

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
f3fBEUL66b.exe

Function 00007FF6C20E6370 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Function 00007FF6C20FB5E0 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 429
registrylibrarysleepCOMMON

Function 00007FF6C20EF410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Function 00007FF6C20E72D0 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Function 00007FF6C20EFD10 Relevance: 54.6, APIs: 26, Strings: 5, Instructions: 318
windowCOMMON

Function 00007FF6C20E8A40 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 255
COMMON

Function 00007FF6C20E8710 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 244
memoryCOMMON

Function 00007FF6C20E7A60 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216
stringregistrycomCOMMON

Function 00007FF6C20EB410 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 232
memorytimeCOMMON

Function 00007FF6C20F0220 Relevance: 45.3, APIs: 30, Instructions: 260
memorywindowCOMMON

Function 00007FF6C20EC340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297
windowCOMMON

Function 00007FF6C20E3820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
networkstringtimeCOMMON

Function 00007FF6C20E8C30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101
memoryCOMMON

Function 00007FF6C20FBEF0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223
memoryCOMMON

Function 00007FF6C20ED9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137
registryCOMMON