Edit tour

Windows Analysis Report
f3fBEUL66b.exe

Overview

General Information

Sample name:	f3fBEUL66b.exe renamed because original name is a hash value
Original sample name:	77dd16d7ed3758bd83e04514f6e84f58.exe
Analysis ID:	1583153
MD5:	77dd16d7ed3758bd83e04514f6e84f58
SHA1:	d1a4c38fe1626e8c66ff3d30e89c65610d49bc0e
SHA256:	7a668e696fe58365c3dff7e74162976e07deb2c766dd173ec4db09ff40eac47f
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected GhostRat

AI detected suspicious sample

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Sample is not signed and drops a device driver

Sigma detected: Potentially Suspicious Malware Callback Communication

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

AV process strings found (often used to terminate AV products)

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates driver files

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain checking for process token information

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

f3fBEUL66b.exe (PID: 4008 cmdline: "C:\Users\user\Desktop\f3fBEUL66b.exe" MD5: 77DD16D7ED3758BD83E04514F6E84F58)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: f3fBEUL66b.exe PID: 4008	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious Malware Callback Communication

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 192.238.134.113, DestinationIsIpv6: false, DestinationPort: 4433, EventID: 3, Image: C:\Users\user\Desktop\f3fBEUL66b.exe, Initiated: true, ProcessId: 4008, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T05:09:13.156748+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49731	192.238.134.113	4433	TCP
2025-01-02T05:10:20.000600+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49731	192.238.134.113	4433	TCP
2025-01-02T05:11:25.422620+0100	2052875	1	A Network Trojan was detected	192.168.2.4	49731	192.238.134.113	4433	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: f3fBEUL66b.exe	ReversingLabs: Detection: 52%
Source: f3fBEUL66b.exe	Virustotal: Detection: 67%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: f3fBEUL66b.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: z:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: x:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: v:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: t:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: r:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: p:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: n:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: l:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: j:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: h:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: f:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: b:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: y:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: w:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: u:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: s:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: q:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: o:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: m:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: k:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: i:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: g:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: e:	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CF410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF6235CF410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F4190 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF6235F4190

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235C6370 gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,

0_2_00007FF6235C6370

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49731 -> 192.238.134.113:4433

Source: Joe Sandbox View

ASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US

Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113
Source: unknown	TCP traffic detected without corresponding DNS query: 192.238.134.113

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235C3B00 select,recv,timeGetTime,

0_2_00007FF6235C3B00

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: [esc]

0_2_00007FF6235CADB0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235D0DA0 _invalid_parameter_noinfo_noreturn,lstrlenW,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,CloseClipboard,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6235D0DA0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235D0DA0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235D0DA0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235CFD10 GetDesktopWindow,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,GetDIBits,DeleteObject,DeleteObject,ReleaseDC,DeleteObject,DeleteObject,ReleaseDC,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6235CFD10

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235C72D0 MultiByteToWideChar,MultiByteToWideChar,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CreateMutexExW,GetLastError,Sleep,CreateMutexW,GetLastError,lstrlenW,lstrcmpW,SleepEx,GetModuleHandleW,GetConsoleWindow,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

0_2_00007FF6235C72D0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Windows user hook set: 0 mouse low level C:\Windows\SYSTEM32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235DC400: wsprintfW,CreateFileW,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,

0_2_00007FF6235DC400

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CE46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF6235CE46D
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CE4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF6235CE4EE
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CE3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF6235CE3E9

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235C1500	0_2_00007FF6235C1500
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CFD10	0_2_00007FF6235CFD10
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235C6370	0_2_00007FF6235C6370
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CB410	0_2_00007FF6235CB410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CF410	0_2_00007FF6235CF410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235C7A60	0_2_00007FF6235C7A60
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235C72D0	0_2_00007FF6235C72D0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F2048	0_2_00007FF6235F2048
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235C80C0	0_2_00007FF6235C80C0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E8EB0	0_2_00007FF6235E8EB0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235DAE60	0_2_00007FF6235DAE60
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235DB5E0	0_2_00007FF6235DB5E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235C9480	0_2_00007FF6235C9480
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235EF4BC	0_2_00007FF6235EF4BC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E64C8	0_2_00007FF6235E64C8
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CD410	0_2_00007FF6235CD410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E5408	0_2_00007FF6235E5408
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F73EC	0_2_00007FF6235F73EC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235D9330	0_2_00007FF6235D9330
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F22C4	0_2_00007FF6235F22C4
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F4190	0_2_00007FF6235F4190
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235EF950	0_2_00007FF6235EF950
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E5A1C	0_2_00007FF6235E5A1C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F3A00	0_2_00007FF6235F3A00
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E51FC	0_2_00007FF6235E51FC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F29E4	0_2_00007FF6235F29E4
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E71DC	0_2_00007FF6235E71DC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235D79D0	0_2_00007FF6235D79D0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235D0880	0_2_00007FF6235D0880
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E684C	0_2_00007FF6235E684C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235C9900	0_2_00007FF6235C9900
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235D2FA0	0_2_00007FF6235D2FA0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235EA798	0_2_00007FF6235EA798
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F8824	0_2_00007FF6235F8824
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E5818	0_2_00007FF6235E5818
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E4FF8	0_2_00007FF6235E4FF8
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235EC7BC	0_2_00007FF6235EC7BC
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F5FD4	0_2_00007FF6235F5FD4
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235EFFD0	0_2_00007FF6235EFFD0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235DA680	0_2_00007FF6235DA680
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235C2E50	0_2_00007FF6235C2E50
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235EAF20	0_2_00007FF6235EAF20
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CADB0	0_2_00007FF6235CADB0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CCD40	0_2_00007FF6235CCD40
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E560C	0_2_00007FF6235E560C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E75E0	0_2_00007FF6235E75E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235EB5F0	0_2_00007FF6235EB5F0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235ED5C0	0_2_00007FF6235ED5C0

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/1@0/1

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235DB5E0 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF6235DB5E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235C9480 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,	0_2_00007FF6235C9480
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CE46D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF6235CE46D
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CE4EE GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,	0_2_00007FF6235CE4EE
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CE3E9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,ExitWindowsEx,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	0_2_00007FF6235CE3E9

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Mutant created: \Sessions\1\BaseNamedObjects\????

Source: f3fBEUL66b.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: f3fBEUL66b.exe	ReversingLabs: Detection: 52%
Source: f3fBEUL66b.exe	Virustotal: Detection: 67%

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32

Jump to behavior

Source: f3fBEUL66b.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: f3fBEUL66b.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: f3fBEUL66b.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Persistence and Installation Behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

File created: C:\ProgramData\kernelquick.sys

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235CE36A OpenEventLogW,ClearEventLogW,CloseEventLog,

0_2_00007FF6235CE36A

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE VenkernalData_info

Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_0-21600

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-21077

Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{05DF8D13-C355-47F4-A11E-851B338CEFB8}

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Window / User API: threadDelayed 9592

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-21761

Source: C:\Users\user\Desktop\f3fBEUL66b.exe TID: 764	Thread sleep count: 9592 > 30			Jump to behavior
Source: C:\Users\user\Desktop\f3fBEUL66b.exe TID: 764	Thread sleep time: -95920s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235CF410 GetLastInputInfo,GetTickCount,wsprintfW,GetForegroundWindow,GetWindowTextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,RegCloseKey,SHGetFolderPathW,lstrcatW,CreateFileW,lstrlenW,WriteFile,CloseHandle,FindFirstFileW,FindClose,_invalid_parameter_noinfo_noreturn,		0_2_00007FF6235CF410
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235F4190 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_00007FF6235F4190

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Source: f3fBEUL66b.exe, 00000000.00000002.3529550967.00000217F35AC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235DB5E0 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,

0_2_00007FF6235DB5E0

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235DC82C GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF6235DC82C

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235C8710 SysAllocString,SysAllocString,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,LookupAccountSidW,GetLastError,SysAllocString,SysAllocString,GetProcessHeap,HeapFree,GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,

0_2_00007FF6235C8710

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235DB5E0 SleepEx,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,RegOpenKeyExW,RegDeleteValueW,RegSetValueExW,RegCloseKey,SleepEx,CreateEventA,Sleep,Sleep,CloseHandle,_invalid_parameter_noinfo_noreturn,IsDebuggerPresent,LoadLibraryW,GetProcAddress,FreeLibrary,GetLocalTime,wsprintfW,CreateFileW,FreeLibrary,GetCurrentThreadId,GetCurrentProcessId,GetCurrentProcess,CloseHandle,FreeLibrary,	0_2_00007FF6235DB5E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235DBDF0 SetUnhandledExceptionFilter,GetConsoleWindow,ShowWindow,GetCurrentThreadId,PostThreadMessageA,GetInputState,CreateThread,WaitForSingleObject,CloseHandle,Sleep,	0_2_00007FF6235DBDF0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235E3D0C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6235E3D0C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235DEA00 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF6235DEA00
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235DE814 SetUnhandledExceptionFilter,	0_2_00007FF6235DE814
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: 0_2_00007FF6235DE66C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF6235DE66C

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235C9480 GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread,

0_2_00007FF6235C9480

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C9480

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: GetSystemDirectoryA,CreateProcessA,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,OpenProcess,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,GetModuleFileNameA,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe

0_2_00007FF6235C9480

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235DB5E0

Source: f3fBEUL66b.exe, 00000000.00000003.1733356809.00000217F3658000.00000004.00000020.00020000.00000000.sdmp, f3fBEUL66b.exe, 00000000.00000003.1733515225.00000217F3658000.00000004.00000020.00020000.00000000.sdmp, f3fBEUL66b.exe, 00000000.00000002.3529550967.00000217F3658000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: 0 minProgram Manager

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235FCB60 cpuid

0_2_00007FF6235FCB60

Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: gethostname,gethostbyname,inet_ntoa,inet_ntoa,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,LoadLibraryW,GetProcAddress,RegOpenKeyExW,RegQueryValueExW,RegCloseKey,FreeLibrary,GetSystemInfo,wsprintfW,GetDriveTypeW,GetDiskFreeSpaceExW,GlobalMemoryStatusEx,GetForegroundWindow,GetWindowTextW,lstrlenW,GetLocalTime,wsprintfW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,lstrcpyW,CloseHandle,CoInitializeEx,CoCreateInstance,SysFreeString,CoUninitialize,RegOpenKeyExW,RegQueryInfoKeyW,RegEnumKeyExW,lstrlenW,lstrlenW,RegCloseKey,lstrlenW,GetTickCount,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,lstrcpyW,lstrcatW,lstrlenW,GetLocalTime,wsprintfW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,RegCreateKeyW,lstrlenW,RegSetValueExW,RegCloseKey,RegCloseKey,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,	0_2_00007FF6235C6370
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6235F7CD8
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6235F83C4
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,	0_2_00007FF6235F8290
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6235F0AD8
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF6235F797C
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF6235F81E0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,	0_2_00007FF6235F8088
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,	0_2_00007FF6235F0FB0
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6235F7E40
Source: C:\Users\user\Desktop\f3fBEUL66b.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6235F7DA8

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

0_2_00007FF6235C6370

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235F2048 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6235F2048

Source: C:\Users\user\Desktop\f3fBEUL66b.exe

Code function: 0_2_00007FF6235C8A40 GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,SysStringLen,SysStringLen,CloseHandle,CloseHandle,SysFreeString,SysFreeString,GetCurrentProcessId,wsprintfW,GetVersionExW,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,LocalAlloc,GetTokenInformation,GetSidSubAuthorityCount,GetSidSubAuthority,LocalFree,CloseHandle,wsprintfW,

0_2_00007FF6235C8A40

Source: f3fBEUL66b.exe, 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmp, f3fBEUL66b.exe, 00000000.00000000.1658651218.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: KSafeTray.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: f3fBEUL66b.exe PID: 4008, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: f3fBEUL66b.exe PID: 4008, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	12 Native API	1 Windows Service	1 Access Token Manipulation	1 Modify Registry	121 Input Capture	2 System Time Discovery	Remote Services	1 Screen Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Windows Service	1 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	121 Input Capture	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	211 Process Injection	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Archive Collected Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	211 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Indicator Removal	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 Peripheral Device Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	26 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
f3fBEUL66b.exe	53%	ReversingLabs	Win64.Trojan.SpywareX
f3fBEUL66b.exe	67%	Virustotal		Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.238.134.113	unknown	United States		395954	LEASEWEB-USA-LAX-11US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583153
Start date and time:	2025-01-02 05:08:15 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	f3fBEUL66b.exe renamed because original name is a hash value
Original Sample Name:	77dd16d7ed3758bd83e04514f6e84f58.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/1@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 42 Number of non-executed functions: 118
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LEASEWEB-USA-LAX-11US	nabarm7.elf	Get hash	malicious	Unknown	Browse	23.84.102.105
	52C660192933BE09807FC4895F376764A2BE35AA68567819BB854E83CF5F9E5C.dll	Get hash	malicious	Unknown	Browse	192.238.132.206
	mips.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.87.203.7
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	108.187.71.205
	la.bot.sparc.elf	Get hash	malicious	Mirai	Browse	23.87.103.174
	arm5.nn-20241218-1651.elf	Get hash	malicious	Mirai, Okiru	Browse	23.86.199.44
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	23.86.161.151
	jew.sh4.elf	Get hash	malicious	Unknown	Browse	23.104.13.203
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	172.255.161.127

Process:	C:\Users\user\Desktop\f3fBEUL66b.exe
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	2.6616157143988106
Encrypted:	false
SSDEEP:	3:tblM6lEjln:tbhEZn
MD5:	AE50B29A0B8DCC411F24F1863B0EAFDE
SHA1:	D415A55627B1ADED8E4B2CBBA402F816B0461155
SHA-256:	6B4BBBCE480FBC50D39A8EC4B72CDB7D781B151921E063DD899FD9B736ADCF68
SHA-512:	D9A9BA42D99BE32D26667060BE1D523DCD20EAFA187A67F7919002CC6DA349FD058053C9C6F721D6FDB730EA02FBAA3013E51C0C653368BD6B3F57A4C0FCABA8
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.060311148694131
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	f3fBEUL66b.exe
File size:	390'656 bytes
MD5:	77dd16d7ed3758bd83e04514f6e84f58
SHA1:	d1a4c38fe1626e8c66ff3d30e89c65610d49bc0e
SHA256:	7a668e696fe58365c3dff7e74162976e07deb2c766dd173ec4db09ff40eac47f
SHA512:	9496abdd711b43e88d36c5c2aad0c7338296239e3486eebb6b2715395ffaf452b7ab737417e3cb784fdf9c0c14028602ced9fa4fff665abf16cb75d9f47f06bf
SSDEEP:	6144:Qvy/g/Oe2CZNHfXmv9m7tvT7DYewsPJimwi9vrBP2k1u0ZLjNy:1/KlpTXmv9mpvv0iPJPtr99Ny
TLSH:	C1847E49FB9409F8E467C138C9A34916EBB27C5913A09BDF33A4466A2F237D05D3EB11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..R............M.......M.......M.......M........O.......O.......O..S...M.......M...........3...MN......MN......Rich...........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x14001e25c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676FAD5C [Sat Dec 28 07:48:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	1db3bac59c066f9b53b8b3b6b99b874b

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F1230BEEBF0h
dec eax
add esp, 28h
jmp 00007F1230BEE447h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F1230BEE5E2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F1230BEE5E5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F1230BEE5DDh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F1230BEE5EAh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [00036D39h]
jne 00007F1230BEE5E2h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F1230BEE5D3h
ret
dec eax
ror ecx, 10h
jmp 00007F1230BEECEBh
int3
int3
dec eax
mov dword ptr [esp+00h], ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x52400	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x60000	0x3450	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x64000	0xc8c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4c7c0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c980	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4c680	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f000	0x920	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3df70	0x3e000	2b6c6c8b93239d65e2449c4cc33eda20	False	0.5452683971774194	data	6.461526088950339	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3f000	0x151e8	0x15200	530663d6c229cb4dbaf0a1dc62a8561d	False	0.4157151442307692	data	4.936178076870312	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x55000	0xaa9c	0x7c00	9ce9d6ecd277af9d66cef31780bbf5ef	False	0.10660282258064516	DOS executable (block device driver \377\3)	1.588705678471102	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x60000	0x3450	0x3600	b6a68cd5b1e86136baf9e34e01cfad8b	False	0.4622395833333333	data	5.530289196450094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x64000	0xc8c	0xe00	a952b87812e4781581800f8699e0d5a4	False	0.49302455357142855	data	5.228153224182403	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	QueryDosDeviceW, WriteProcessMemory, GetCommandLineW, GetCurrentProcess, WriteFile, OutputDebugStringA, GetModuleFileNameW, GetProcessId, CreateMutexW, GetLocaleInfoW, LocalAlloc, CreateFileW, GetVersionExW, K32GetProcessImageFileNameW, GetSystemDirectoryW, ResumeThread, GetModuleHandleA, OpenProcess, GetLogicalDriveStringsW, CreateToolhelp32Snapshot, MultiByteToWideChar, Process32NextW, GetDiskFreeSpaceExW, GetSystemDirectoryA, LoadLibraryA, lstrcatW, GlobalAlloc, Process32FirstW, GlobalFree, GetSystemInfo, LoadLibraryW, GetLocalTime, VirtualProtectEx, GetThreadContext, GetProcAddress, VirtualAllocEx, LocalFree, ExitProcess, GetCurrentProcessId, GlobalMemoryStatusEx, CreateProcessW, GetModuleHandleW, FreeLibrary, GetConsoleWindow, lstrcpyW, CreateRemoteThread, CreateProcessA, SetThreadContext, GetModuleFileNameA, GetTickCount, lstrcmpW, GetDriveTypeW, GetExitCodeProcess, SetFilePointer, ReleaseMutex, GlobalSize, DeleteFileW, GlobalLock, GetFileSize, GlobalUnlock, FindFirstFileW, ExpandEnvironmentStringsW, FindClose, GetFileAttributesW, TerminateThread, VirtualProtect, IsBadReadPtr, CreateThread, IsDebuggerPresent, SetUnhandledExceptionFilter, WriteConsoleW, GetCurrentThreadId, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, SetFilePointerEx, SetStdHandle, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, GetStartupInfoW, CreateWaitableTimerW, SetWaitableTimer, TryEnterCriticalSection, WideCharToMultiByte, ResetEvent, CreateEventW, lstrlenW, CancelIo, GetNativeSystemInfo, SetLastError, lstrcmpiW, CreateEventA, CloseHandle, SetEvent, Sleep, WaitForSingleObject, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, HeapCreate, HeapFree, GetProcessHeap, DeleteCriticalSection, HeapDestroy, DecodePointer, HeapAlloc, HeapReAlloc, GetLastError, HeapSize, InitializeCriticalSectionEx, VirtualAlloc, VirtualFree, FlsGetValue, FlsAlloc, GetFileType, GetCommandLineA, GetStdHandle, VirtualQuery, GetModuleHandleExW, FreeLibraryAndExitThread, ExitThread, LoadLibraryExW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, RtlPcToFileHeader, RtlUnwindEx, lstrcpyA, CreateFileA, GetSystemDefaultLangID, DeviceIoControl, TerminateProcess, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, IsProcessorFeaturePresent, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetCPInfo, LCMapStringEx, EncodePointer, CompareStringEx, GetStringTypeW, RaiseException, OutputDebugStringW, SwitchToThread
USER32.dll	GetForegroundWindow, GetLastInputInfo, GetClipboardData, GetWindowTextW, GetKeyState, ReleaseDC, GetDesktopWindow, SetClipboardData, CloseClipboard, wsprintfW, ExitWindowsEx, ShowWindow, PostThreadMessageA, GetInputState, GetDC, GetSystemMetrics, EmptyClipboard, MsgWaitForMultipleObjects, DispatchMessageW, PeekMessageW, TranslateMessage, OpenClipboard
GDI32.dll	CreateCompatibleBitmap, SelectObject, CreateDIBSection, SetDIBColorTable, CreateCompatibleDC, StretchBlt, GetDIBits, GetDeviceCaps, GetObjectW, SetStretchBltMode, DeleteObject, DeleteDC
ADVAPI32.dll	RegQueryInfoKeyW, RegQueryValueExW, AllocateAndInitializeSid, FreeSid, CheckTokenMembership, ClearEventLogW, CloseEventLog, OpenEventLogW, LookupPrivilegeValueW, AdjustTokenPrivileges, GetCurrentHwProfileW, RegCloseKey, GetSidSubAuthorityCount, GetSidSubAuthority, RegEnumKeyExW, RegSetValueExW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, LookupAccountSidW, GetTokenInformation
SHELL32.dll	SHGetFolderPathW
ole32.dll	CreateStreamOnHGlobal, GetHGlobalFromStream, CoCreateInstance, CoUninitialize, CoInitialize
OLEAUT32.dll	SysFreeString, SysAllocString, SysStringLen
WS2_32.dll	select, WSAStartup, send, socket, connect, recv, htons, setsockopt, WSAIoctl, gethostbyname, WSAGetLastError, WSAEnumNetworkEvents, WSAWaitForMultipleEvents, WSAResetEvent, WSAEventSelect, WSASetLastError, WSACloseEvent, shutdown, gethostname, inet_ntoa, WSACleanup, closesocket, WSACreateEvent
WINMM.dll	timeGetTime
gdiplus.dll	GdipDisposeImage, GdipCreateBitmapFromHBITMAP, GdipGetImagePixelFormat, GdiplusShutdown, GdipDrawImageI, GdipFree, GdipSaveImageToStream, GdipGetImageWidth, GdipGetImagePalette, GdipDeleteGraphics, GdipGetImageEncodersSize, GdipGetImageGraphicsContext, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipAlloc, GdiplusStartup, GdipGetImageHeight, GdipGetImageEncoders, GdipGetImagePaletteSize, GdipCloneImage, GdipBitmapUnlockBits, GdipCreateBitmapFromStream
dxgi.dll	CreateDXGIFactory
DINPUT8.dll	DirectInput8Create

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 05:09:11.736093998 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:09:11.741063118 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:11.741139889 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:09:12.508999109 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:09:12.513953924 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:12.513966084 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:12.513972998 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:12.513983965 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:13.050507069 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:13.094055891 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:09:13.151724100 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:09:13.156697989 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:13.156709909 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:13.156718969 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:13.156729937 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:13.156748056 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:09:13.161488056 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:29.047307014 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:09:29.052237034 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:29.362479925 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:29.406611919 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:09:46.812992096 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:09:46.817830086 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:47.128043890 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:09:47.172316074 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:10:04.188111067 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:10:04.193089008 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:10:04.504214048 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:10:04.547348976 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:10:20.000600100 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:10:20.005343914 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:10:20.320851088 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:10:20.375580072 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:10:36.688102961 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:10:36.692910910 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:10:37.035748959 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:10:37.078643084 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:10:53.079045057 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:10:53.083985090 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:10:53.393924952 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:10:53.438163042 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:11:09.141457081 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:11:09.146411896 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:11:09.456440926 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:11:09.500596046 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:11:25.422620058 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:11:25.432383060 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:11:25.737649918 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:11:25.781897068 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:11:41.625755072 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:11:41.630597115 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:11:41.940706015 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:11:41.985099077 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:11:59.471335888 CET	49731	4433	192.168.2.4	192.238.134.113
Jan 2, 2025 05:11:59.476286888 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:11:59.787841082 CET	4433	49731	192.238.134.113	192.168.2.4
Jan 2, 2025 05:11:59.828851938 CET	49731	4433	192.168.2.4	192.238.134.113

Target ID:	0
Start time:	23:09:05
Start date:	01/01/2025
Path:	C:\Users\user\Desktop\f3fBEUL66b.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\f3fBEUL66b.exe"
Imagebase:	0x7ff6235c0000
File size:	390'656 bytes
MD5 hash:	77DD16D7ED3758BD83E04514F6E84F58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	45.4%
Total number of Nodes:	1142
Total number of Limit Nodes:	49

Executed Functions

Function 00007FF6235C6370 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gethostname.WS2_32 ref: 00007FF6235C6414
gethostbyname.WS2_32 ref: 00007FF6235C641E
inet_ntoa.WS2_32 ref: 00007FF6235C643B
inet_ntoa.WS2_32 ref: 00007FF6235C648B
MultiByteToWideChar.KERNEL32 ref: 00007FF6235C64E9
MultiByteToWideChar.KERNEL32 ref: 00007FF6235C650D
GetLastInputInfo.USER32 ref: 00007FF6235C6525
GetTickCount.KERNEL32 ref: 00007FF6235C652B
wsprintfW.USER32 ref: 00007FF6235C655E
MultiByteToWideChar.KERNEL32 ref: 00007FF6235C659F
LoadLibraryW.KERNEL32 ref: 00007FF6235C65AC
GetProcAddress.KERNEL32 ref: 00007FF6235C65C8
RegOpenKeyExW.KERNEL32 ref: 00007FF6235C666D
RegQueryValueExW.KERNEL32 ref: 00007FF6235C6698
RegCloseKey.KERNEL32 ref: 00007FF6235C66C5
FreeLibrary.KERNEL32 ref: 00007FF6235C66D6
GetSystemInfo.KERNEL32 ref: 00007FF6235C66EF
wsprintfW.USER32 ref: 00007FF6235C6707
GetDriveTypeW.KERNEL32 ref: 00007FF6235C6736
GetDiskFreeSpaceExW.KERNEL32 ref: 00007FF6235C6759
GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6235C679D
GetForegroundWindow.USER32 ref: 00007FF6235C6819
GetWindowTextW.USER32 ref: 00007FF6235C6834
lstrlenW.KERNEL32 ref: 00007FF6235C6844
GetLocalTime.KERNEL32 ref: 00007FF6235C6883
wsprintfW.USER32 ref: 00007FF6235C689D
MultiByteToWideChar.KERNEL32 ref: 00007FF6235C657B

Part of subcall function 00007FF6235E8A40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E8A66

lstrlenW.KERNEL32 ref: 00007FF6235C68C5
GetModuleHandleW.KERNEL32 ref: 00007FF6235C690E
GetProcAddress.KERNEL32 ref: 00007FF6235C691E
GetNativeSystemInfo.KERNEL32 ref: 00007FF6235C692D
GetSystemInfo.KERNEL32 ref: 00007FF6235C6931
wsprintfW.USER32 ref: 00007FF6235C6978
GetCurrentProcessId.KERNEL32 ref: 00007FF6235C698D
OpenProcess.KERNEL32 ref: 00007FF6235C69AB
K32GetProcessImageFileNameW.KERNEL32 ref: 00007FF6235C69CD
GetLogicalDriveStringsW.KERNEL32 ref: 00007FF6235C69E7
lstrcmpiW.KERNEL32 ref: 00007FF6235C6A28
lstrcmpiW.KERNEL32 ref: 00007FF6235C6A3C
QueryDosDeviceW.KERNEL32 ref: 00007FF6235C6A76

Part of subcall function 00007FF6235DDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235DDFE8
Part of subcall function 00007FF6235DDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235DDFEE

Part of subcall function 00007FF6235C9300: GetModuleHandleW.KERNEL32 ref: 00007FF6235C931D
Part of subcall function 00007FF6235C9300: GetProcAddress.KERNEL32 ref: 00007FF6235C932D
Part of subcall function 00007FF6235C9300: GetNativeSystemInfo.KERNEL32 ref: 00007FF6235C933D

lstrlenW.KERNEL32 ref: 00007FF6235C6A87
lstrcpyW.KERNEL32 ref: 00007FF6235C6AC8
CloseHandle.KERNEL32 ref: 00007FF6235C6AD1
CoInitializeEx.COMBASE ref: 00007FF6235C6AE2
CoCreateInstance.COMBASE ref: 00007FF6235C6B07
SysFreeString.OLEAUT32 ref: 00007FF6235C6BBC
CoUninitialize.OLE32 ref: 00007FF6235C6BFE
RegOpenKeyExW.KERNEL32 ref: 00007FF6235C6C67
RegQueryInfoKeyW.ADVAPI32 ref: 00007FF6235C6CC7
RegEnumKeyExW.ADVAPI32 ref: 00007FF6235C6D5F
lstrlenW.KERNEL32 ref: 00007FF6235C6D6C
lstrlenW.KERNEL32 ref: 00007FF6235C6D7E
RegCloseKey.ADVAPI32 ref: 00007FF6235C6DCC
lstrlenW.KERNEL32 ref: 00007FF6235C6DD9

Part of subcall function 00007FF6235E94E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E951B

Part of subcall function 00007FF6235C7A60: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6235C7AEB
Part of subcall function 00007FF6235C7A60: Process32FirstW.KERNEL32 ref: 00007FF6235C7B08
Part of subcall function 00007FF6235C7A60: Process32NextW.KERNEL32 ref: 00007FF6235C7B43
Part of subcall function 00007FF6235C7A60: CloseHandle.KERNEL32 ref: 00007FF6235C7B50
Part of subcall function 00007FF6235C7A60: CoCreateInstance.COMBASE ref: 00007FF6235C7B9F

GetTickCount.KERNEL32 ref: 00007FF6235C6E21

Part of subcall function 00007FF6235E8E3C: GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6235E8E50

wsprintfW.USER32 ref: 00007FF6235C6E99
GetLocaleInfoW.KERNEL32 ref: 00007FF6235C6EB6
GetSystemDirectoryW.KERNEL32 ref: 00007FF6235C6EC8
GetCurrentHwProfileW.ADVAPI32 ref: 00007FF6235C6EDC
lstrlenW.KERNEL32 ref: 00007FF6235C6F5B
GetLocalTime.KERNEL32 ref: 00007FF6235C6F97
wsprintfW.USER32 ref: 00007FF6235C6FB1
RegOpenKeyExW.KERNEL32 ref: 00007FF6235C6FD6
RegDeleteValueW.KERNEL32 ref: 00007FF6235C6FEA
RegCloseKey.ADVAPI32 ref: 00007FF6235C6FF7
RegCreateKeyW.ADVAPI32 ref: 00007FF6235C700E
lstrlenW.KERNEL32 ref: 00007FF6235C701B
RegSetValueExW.KERNEL32 ref: 00007FF6235C7043
RegCloseKey.ADVAPI32 ref: 00007FF6235C7054
RegCloseKey.ADVAPI32 ref: 00007FF6235C7061
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6235C706E
Process32FirstW.KERNEL32 ref: 00007FF6235C70A9
Process32NextW.KERNEL32 ref: 00007FF6235C70FE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6235C7118
Process32FirstW.KERNEL32 ref: 00007FF6235C7153
Process32NextW.KERNEL32 ref: 00007FF6235C71AE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6235C71C8
Process32FirstW.KERNEL32 ref: 00007FF6235C7203
Process32NextW.KERNEL32 ref: 00007FF6235C725A

Strings

%sFree%d Gb , xrefs: 00007FF6235C67EE
ntdll.dll, xrefs: 00007FF6235C65A5
%d min, xrefs: 00007FF6235C6557
%d.%d.%d, xrefs: 00007FF6235C65FD
HDD:%d, xrefs: 00007FF6235C67A7
FriendlyName, xrefs: 00007FF6235C6BA2
x64, xrefs: 00007FF6235C6958
A:\, xrefs: 00007FF6235C6A1A
%d.%d, xrefs: 00007FF6235C688E, 00007FF6235C6FA2
Software, xrefs: 00007FF6235C6851
X64 %s, xrefs: 00007FF6235C696A
VenGROUP, xrefs: 00007FF6235C686B
B:\, xrefs: 00007FF6235C6A32
GetNativeSystemInfo, xrefs: 00007FF6235C6917
Telegram.exe, xrefs: 00007FF6235C720D
Network, xrefs: 00007FF6235C6F70
VenNetwork, xrefs: 00007FF6235C6860
WxWork.exe, xrefs: 00007FF6235C70B3
02e6e16e-c851-4d99-a47c-2e46c0c70650, xrefs: 00007FF6235C63D2
RtlGetNtVersionNumbers, xrefs: 00007FF6235C65BE
INSTALLTIME, xrefs: 00007FF6235C6F77, 00007FF6235C6FE3, 00007FF6235C7028
ProductName, xrefs: 00007FF6235C667F
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF6235C6645
VenREMARK, xrefs: 00007FF6235C68CB
AppEvents, xrefs: 00007FF6235C6F61
x86, xrefs: 00007FF6235C695F
WeChat.exe, xrefs: 00007FF6235C715D
Software\Tencent\Plugin\VAS, xrefs: 00007FF6235C6C59
kernel32.dll, xrefs: 00007FF6235C68FB

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Process32lstrlen$CloseCreateInfo$Systemwsprintf$ByteCharFirstHandleMultiNextOpenSnapshotTimeToolhelp32Wide$AddressFreeProcProcessQueryValue$Concurrency::cancel_current_taskCountCurrentDriveFileInstanceLibraryLocalModuleNativeTickWindow_invalid_parameter_noinfoinet_ntoalstrcmpi$DeleteDeviceDirectoryDiskEnumForegroundGlobalImageInitializeInputLastLoadLocaleLogicalMemoryNameProfileSpaceStatusStringStringsTextTypeUninitializegethostbynamegethostnamelstrcpy
String ID: %d min$%d.%d$%d.%d.%d$%sFree%d Gb $02e6e16e-c851-4d99-a47c-2e46c0c70650$A:\$AppEvents$B:\$FriendlyName$GetNativeSystemInfo$HDD:%d$INSTALLTIME$Network$ProductName$RtlGetNtVersionNumbers$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software$Software\Tencent\Plugin\VAS$Telegram.exe$VenGROUP$VenNetwork$VenREMARK$WeChat.exe$WxWork.exe$X64 %s$kernel32.dll$ntdll.dll$x64$x86
API String ID: 4136965836-3200011401
Opcode ID: b17bfef3c5afee729e7b4b2efb39d02ac95a7c3167d527ac3f9fa9ca5236cf69
Instruction ID: 64a839dd9fe7419d2199685663a746d62281941a30d6dfd23e3d3a5e7563891d
Opcode Fuzzy Hash: b17bfef3c5afee729e7b4b2efb39d02ac95a7c3167d527ac3f9fa9ca5236cf69
Instruction Fuzzy Hash: 97925F36A08B8286EF20DF25DC456E923A4FB85758F844172DE4EA7BA4EF3CD645C701

Function 00007FF6235DB5E0 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 429
registrylibrarysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SleepEx.KERNEL32 ref: 00007FF6235DB611
CloseHandle.KERNEL32 ref: 00007FF6235DB64D
GetCurrentProcess.KERNEL32 ref: 00007FF6235DB660
OpenProcessToken.ADVAPI32 ref: 00007FF6235DB675
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6235DB695
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6235DB6C1
CloseHandle.KERNEL32 ref: 00007FF6235DB6CE
GetModuleHandleA.KERNEL32 ref: 00007FF6235DB6DB
GetProcAddress.KERNEL32 ref: 00007FF6235DB6EB
GetCurrentProcessId.KERNEL32 ref: 00007FF6235DB703
OpenProcess.KERNEL32 ref: 00007FF6235DB712
GetLocalTime.KERNEL32 ref: 00007FF6235DB734
wsprintfW.USER32 ref: 00007FF6235DB77A
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6235DB787
CloseHandle.KERNEL32 ref: 00007FF6235DB7AD
AllocateAndInitializeSid.ADVAPI32 ref: 00007FF6235DB850

Part of subcall function 00007FF6235E8BE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E8C0B

CheckTokenMembership.KERNELBASE ref: 00007FF6235DB86A
FreeSid.ADVAPI32 ref: 00007FF6235DB882
RegOpenKeyExW.KERNEL32 ref: 00007FF6235DB8B4
RegDeleteValueW.KERNEL32 ref: 00007FF6235DB8C8
RegSetValueExW.KERNEL32 ref: 00007FF6235DB8F9
RegCloseKey.ADVAPI32 ref: 00007FF6235DB906
SleepEx.KERNEL32 ref: 00007FF6235DBA29
CreateEventA.KERNEL32 ref: 00007FF6235DBAA5
Sleep.KERNEL32 ref: 00007FF6235DBB4E
Sleep.KERNEL32 ref: 00007FF6235DBB84
CloseHandle.KERNEL32 ref: 00007FF6235DBBF2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235DBBFD
IsDebuggerPresent.KERNEL32 ref: 00007FF6235DBC1C
LoadLibraryW.KERNEL32 ref: 00007FF6235DBC48
GetProcAddress.KERNEL32 ref: 00007FF6235DBC72
FreeLibrary.KERNEL32 ref: 00007FF6235DBC83

Strings

SeDebugPrivilege, xrefs: 00007FF6235DB68C
4433, xrefs: 00007FF6235DB934
10443, xrefs: 00007FF6235DB960
NtSetInformationProcess, xrefs: 00007FF6235DB6E4
loginconfig, xrefs: 00007FF6235DB8D6
SOFTWARE, xrefs: 00007FF6235DB8A6
4433, xrefs: 00007FF6235DB940, 00007FF6235DB96C, 00007FF6235DB9CD, 00007FF6235DBA39, 00007FF6235DBA6D
192.238.134.113, xrefs: 00007FF6235DB918, 00007FF6235DB9B5, 00007FF6235DBA48, 00007FF6235DBADE
!analyze -v, xrefs: 00007FF6235DBCFE
VenkernalData_info, xrefs: 00007FF6235DB8BA, 00007FF6235DB8EB
%s-%04d%02d%02d-%02d%02d%02d.dmp, xrefs: 00007FF6235DBCF2
NtDll.dll, xrefs: 00007FF6235DB6D4
192.238.134.113, xrefs: 00007FF6235DB928
192.238.134.113, xrefs: 00007FF6235DB9A9
192.238.134.113, xrefs: 00007FF6235DB954
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF6235DB76C
MiniDumpWriteDump, xrefs: 00007FF6235DBC60
DbgHelp.dll, xrefs: 00007FF6235DBC39

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseHandle$ProcessSleep$OpenTokenValue$AddressCurrentFreeLibraryProc$AdjustAllocateCheckCreateDebuggerDeleteEventExceptionFilterInitializeLoadLocalLookupMembershipModulePresentPrivilegePrivilegesTimeUnhandled_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturnwsprintf
String ID: !analyze -v$%4d.%2d.%2d-%2d:%2d:%2d$%s-%04d%02d%02d-%02d%02d%02d.dmp$10443$192.238.134.113$192.238.134.113$192.238.134.113$192.238.134.113$4433$4433$DbgHelp.dll$MiniDumpWriteDump$NtDll.dll$NtSetInformationProcess$SOFTWARE$SeDebugPrivilege$VenkernalData_info$loginconfig
API String ID: 2641691789-2327769729
Opcode ID: ff9f3d62963463a023575eae3f258ff63909172a07c88f7eb98f74ee8f8a178a
Instruction ID: 52af0123853e0578524daec42930afbace95883ac0e6498538a515f30cba174b
Opcode Fuzzy Hash: ff9f3d62963463a023575eae3f258ff63909172a07c88f7eb98f74ee8f8a178a
Instruction Fuzzy Hash: 31225E72A08B828AFF60DF25EC462A973A5FB89754F400275D98DA7BA4DF3CD144D702

Function 00007FF6235CF410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastInputInfo.USER32 ref: 00007FF6235CF45C
GetTickCount.KERNEL32 ref: 00007FF6235CF462
wsprintfW.USER32 ref: 00007FF6235CF490
GetForegroundWindow.USER32 ref: 00007FF6235CF496
GetWindowTextW.USER32 ref: 00007FF6235CF4AE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6235CF4C3
Process32FirstW.KERNEL32 ref: 00007FF6235CF4F7
Process32NextW.KERNEL32 ref: 00007FF6235CF54B
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6235CF565
Process32FirstW.KERNEL32 ref: 00007FF6235CF59F
Process32NextW.KERNEL32 ref: 00007FF6235CF5EE
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6235CF608
Process32FirstW.KERNEL32 ref: 00007FF6235CF642
Process32NextW.KERNEL32 ref: 00007FF6235CF69E
RegOpenKeyExW.ADVAPI32 ref: 00007FF6235CF6EC
RegQueryValueExW.KERNEL32 ref: 00007FF6235CF71F
RegQueryValueExW.KERNEL32 ref: 00007FF6235CF783
RegCloseKey.ADVAPI32 ref: 00007FF6235CF90D
RegOpenKeyExW.ADVAPI32 ref: 00007FF6235CF943
RegQueryValueExW.KERNEL32 ref: 00007FF6235CF976
RegQueryValueExW.ADVAPI32 ref: 00007FF6235CF9D5
RegCloseKey.ADVAPI32 ref: 00007FF6235CF9EC
RegOpenKeyExW.ADVAPI32 ref: 00007FF6235CFA22
RegQueryValueExW.KERNEL32 ref: 00007FF6235CFA55
RegCloseKey.ADVAPI32 ref: 00007FF6235CFACB

Part of subcall function 00007FF6235DDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235DDFE8
Part of subcall function 00007FF6235DDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235DDFEE

RegQueryValueExW.ADVAPI32 ref: 00007FF6235CFAB4
SHGetFolderPathW.SHELL32 ref: 00007FF6235CFAEF
lstrcatW.KERNEL32 ref: 00007FF6235CFB03
CreateFileW.KERNEL32 ref: 00007FF6235CFB34
lstrlenW.KERNEL32 ref: 00007FF6235CFB44
WriteFile.KERNEL32 ref: 00007FF6235CFB61
CloseHandle.KERNEL32 ref: 00007FF6235CFB6A
FindFirstFileW.KERNEL32 ref: 00007FF6235CFB7E
FindClose.KERNEL32 ref: 00007FF6235CFB94
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235CFCFE

Strings

Startup, xrefs: 00007FF6235CF718, 00007FF6235CF77C
C:\ProgramData\Mylnk, xrefs: 00007FF6235CF896
\kernelquick.sys, xrefs: 00007FF6235CFAF5
Telegram.exe, xrefs: 00007FF6235CF64C
WeChat.exe, xrefs: 00007FF6235CF5A9
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 00007FF6235CF6B1
C:\Users, xrefs: 00007FF6235CF812
OpenAi_Service, xrefs: 00007FF6235CF96F, 00007FF6235CF9CE, 00007FF6235CFA4E, 00007FF6235CFAAD
SOFTWARE\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF6235CF935, 00007FF6235CFA14
%d min, xrefs: 00007FF6235CF489
WXWork.exe, xrefs: 00007FF6235CF501

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Process32QueryValue$Close$CreateFirst$FileNextOpenSnapshotToolhelp32$Concurrency::cancel_current_taskFindWindow$CountFolderForegroundHandleInfoInputLastPathTextTickWrite_invalid_parameter_noinfo_noreturnlstrcatlstrlenwsprintf
String ID: %d min$C:\ProgramData\Mylnk$C:\Users$OpenAi_Service$SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$SOFTWARE\Microsoft\Windows\CurrentVersion\Run$Startup$Telegram.exe$WXWork.exe$WeChat.exe$\kernelquick.sys
API String ID: 3029130142-1423135667
Opcode ID: 9bbdac635c2dd5f4b36431d8b351f7093702bbf9f8214aaf6c10cd77f9a08fa0
Instruction ID: 3de5db53bba82c63879b07807e861d89ca6f36632b0c661d0cbf228952e34240
Opcode Fuzzy Hash: 9bbdac635c2dd5f4b36431d8b351f7093702bbf9f8214aaf6c10cd77f9a08fa0
Instruction Fuzzy Hash: 4D329032A08B8682EF208F24D8066BD77A0FB85B88F445172DE5DB7A95EF7CE544C701

Function 00007FF6235DAE60 Relevance: 75.8, APIs: 27, Strings: 16, Instructions: 529stringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF6235DAE95
RegQueryValueExW.KERNEL32 ref: 00007FF6235DAEC6
RegQueryValueExW.ADVAPI32 ref: 00007FF6235DAF25
lstrlenW.KERNEL32 ref: 00007FF6235DAF32
lstrlenW.KERNEL32 ref: 00007FF6235DAF53
lstrlenW.KERNEL32 ref: 00007FF6235DAF66
lstrlenW.KERNEL32 ref: 00007FF6235DAFFF
lstrlenW.KERNEL32 ref: 00007FF6235DB020
lstrlenW.KERNEL32 ref: 00007FF6235DB033
lstrlenW.KERNEL32 ref: 00007FF6235DB0CB
lstrlenW.KERNEL32 ref: 00007FF6235DB0DE
lstrlenW.KERNEL32 ref: 00007FF6235DB161
lstrlenW.KERNEL32 ref: 00007FF6235DB182
lstrlenW.KERNEL32 ref: 00007FF6235DB195
lstrlenW.KERNEL32 ref: 00007FF6235DB22F
lstrlenW.KERNEL32 ref: 00007FF6235DB250
lstrlenW.KERNEL32 ref: 00007FF6235DB263
lstrlenW.KERNEL32 ref: 00007FF6235DB2FB
lstrlenW.KERNEL32 ref: 00007FF6235DB30E
lstrlenW.KERNEL32 ref: 00007FF6235DB391
lstrlenW.KERNEL32 ref: 00007FF6235DB3B2
lstrlenW.KERNEL32 ref: 00007FF6235DB3C5
lstrlenW.KERNEL32 ref: 00007FF6235DB45F
lstrlenW.KERNEL32 ref: 00007FF6235DB480
lstrlenW.KERNEL32 ref: 00007FF6235DB493
lstrlenW.KERNEL32 ref: 00007FF6235DB52B
lstrlenW.KERNEL32 ref: 00007FF6235DB53E

Strings

4433, xrefs: 00007FF6235DAFF8, 00007FF6235DB007, 00007FF6235DB0B9
p2:, xrefs: 00007FF6235DB188
10443, xrefs: 00007FF6235DB228, 00007FF6235DB237, 00007FF6235DB2E9
t2:, xrefs: 00007FF6235DB301
Console, xrefs: 00007FF6235DAE87
t1:, xrefs: 00007FF6235DB0D1
o1:, xrefs: 00007FF6235DB026
t3:, xrefs: 00007FF6235DB531
192.238.134.113, xrefs: 00007FF6235DAF2B, 00007FF6235DAF3A, 00007FF6235DAFE9
192.238.134.113, xrefs: 00007FF6235DB38A, 00007FF6235DB399, 00007FF6235DB449
p3:, xrefs: 00007FF6235DB3B8
192.238.134.113, xrefs: 00007FF6235DB15A, 00007FF6235DB169, 00007FF6235DB219
p1:, xrefs: 00007FF6235DAF59
Vendata, xrefs: 00007FF6235DAEBF, 00007FF6235DAF1E
o2:, xrefs: 00007FF6235DB256
o3:, xrefs: 00007FF6235DB486

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrlen$QueryValue$Open
String ID: 10443$192.238.134.113$192.238.134.113$192.238.134.113$4433$Console$Vendata$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:
API String ID: 1772312705-4199381161
Opcode ID: e9763d1a573506a6c5f52fab13ecf1f8c208e4fec7a72f7b0df219955d443a2f
Instruction ID: 686b46c9b77c27b26eaf09e74544741afb666146166644165ca2e54244ab1be2
Opcode Fuzzy Hash: e9763d1a573506a6c5f52fab13ecf1f8c208e4fec7a72f7b0df219955d443a2f
Instruction Fuzzy Hash: 4022D161E18A6B82FE249B18EC5667D63A2FF95784F844071C94EF2A91EF7CE1458302

Function 00007FF6235C72D0 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6235CA300: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235CA4A0
Part of subcall function 00007FF6235CA300: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235CA4A6

MultiByteToWideChar.KERNEL32 ref: 00007FF6235C767F
MultiByteToWideChar.KERNEL32 ref: 00007FF6235C76A6

Strings

X64, xrefs: 00007FF6235C74F1, 00007FF6235C750E
<, xrefs: 00007FF6235C79DD
\DisplaySessionContainers.log, xrefs: 00007FF6235C78A3
open, xrefs: 00007FF6235C7826
key, xrefs: 00007FF6235C7832

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ByteCharMultiWide$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: <$X64$\DisplaySessionContainers.log$key$open
API String ID: 143101810-941791203
Opcode ID: f76fe1e3af8c1626c0839f141aa352af69c2a58d8fadc86e79eac3175ccb6e0d
Instruction ID: 39c31376b0c3e8e2a36275624bf87bc77f7002adaaf4fdaf503de51bea22027b
Opcode Fuzzy Hash: f76fe1e3af8c1626c0839f141aa352af69c2a58d8fadc86e79eac3175ccb6e0d
Instruction Fuzzy Hash: BD22C632A18B8296EF10DB25E8012AE73A5FB85B98F504271DE9DA3BD8DF3CD144C741

Function 00007FF6235CFD10 Relevance: 54.6, APIs: 26, Strings: 5, Instructions: 318
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDesktopWindow.USER32 ref: 00007FF6235CFD3C
GetDC.USER32 ref: 00007FF6235CFD45
CreateCompatibleDC.GDI32 ref: 00007FF6235CFD51
GetDC.USER32 ref: 00007FF6235CFD5C
GetDeviceCaps.GDI32 ref: 00007FF6235CFD6D
GetDeviceCaps.GDI32 ref: 00007FF6235CFD7D
ReleaseDC.USER32 ref: 00007FF6235CFD9A
GetSystemMetrics.USER32 ref: 00007FF6235CFDC3
GetSystemMetrics.USER32 ref: 00007FF6235CFDFE
GetSystemMetrics.USER32 ref: 00007FF6235CFE4C
GetSystemMetrics.USER32 ref: 00007FF6235CFE66
CreateCompatibleBitmap.GDI32 ref: 00007FF6235CFE84
SelectObject.GDI32 ref: 00007FF6235CFE98
SetStretchBltMode.GDI32 ref: 00007FF6235CFEA6
GetSystemMetrics.USER32 ref: 00007FF6235CFEB1
GetSystemMetrics.USER32 ref: 00007FF6235CFECB
StretchBlt.GDI32 ref: 00007FF6235CFF0C
GetDIBits.GDI32 ref: 00007FF6235CFFD2

Part of subcall function 00007FF6235DDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235DDFE8
Part of subcall function 00007FF6235DDFB8: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235DDFEE

Part of subcall function 00007FF6235D0220: GlobalAlloc.KERNEL32 ref: 00007FF6235D0258
Part of subcall function 00007FF6235D0220: GlobalLock.KERNEL32 ref: 00007FF6235D0264
Part of subcall function 00007FF6235D0220: GlobalUnlock.KERNEL32 ref: 00007FF6235D027B
Part of subcall function 00007FF6235D0220: CreateStreamOnHGlobal.OLE32 ref: 00007FF6235D0291
Part of subcall function 00007FF6235D0220: EnterCriticalSection.KERNEL32 ref: 00007FF6235D02DF
Part of subcall function 00007FF6235D0220: LeaveCriticalSection.KERNEL32 ref: 00007FF6235D02EC
Part of subcall function 00007FF6235D0220: GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF6235D031A
Part of subcall function 00007FF6235D0220: GdipDisposeImage.GDIPLUS ref: 00007FF6235D0330
Part of subcall function 00007FF6235D0220: DeleteObject.GDI32 ref: 00007FF6235D05A4
Part of subcall function 00007FF6235D0220: EnterCriticalSection.KERNEL32 ref: 00007FF6235D05B6
Part of subcall function 00007FF6235D0220: EnterCriticalSection.KERNEL32 ref: 00007FF6235D05C6
Part of subcall function 00007FF6235D0220: GdiplusShutdown.GDIPLUS ref: 00007FF6235D05D4

DeleteObject.GDI32 ref: 00007FF6235D0091
DeleteObject.GDI32 ref: 00007FF6235D009A
ReleaseDC.USER32 ref: 00007FF6235D00A5
DeleteObject.GDI32 ref: 00007FF6235D0165
DeleteObject.GDI32 ref: 00007FF6235D016E
ReleaseDC.USER32 ref: 00007FF6235D0179
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D020D

Strings

6, xrefs: 00007FF6235CFF72
gfff, xrefs: 00007FF6235CFE08
(, xrefs: 00007FF6235CFF15
gfff, xrefs: 00007FF6235CFDE2
, xrefs: 00007FF6235CFED1

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: MetricsObjectSystem$Delete$CreateCriticalGlobalSection$EnterRelease$BitmapCapsCompatibleConcurrency::cancel_current_taskDeviceGdipStreamStretch$AllocBitsDesktopDisposeFromGdiplusImageLeaveLockModeSelectShutdownUnlockWindow_invalid_parameter_noinfo_noreturn
String ID: $($6$gfff$gfff
API String ID: 1610826097-2922166585
Opcode ID: 2c18c53c0be2d662d746d61cea65be54ad576e71b11c79782397f3a75276bebe
Instruction ID: be32782cce5002f6afe2a8e24dbe6637e88ee32bf2efcafdbe7b91c303a7bd84
Opcode Fuzzy Hash: 2c18c53c0be2d662d746d61cea65be54ad576e71b11c79782397f3a75276bebe
Instruction Fuzzy Hash: 30D10672A1878582EB159F35E81636AB3A1FF8AB84F008235DE4EB7B55DF3CD4808741

Function 00007FF6235C8A40 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 255
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(00001334,00000000,00000000,00001334,?,00007FF6235C8C70), ref: 00007FF6235C8A53
OpenProcess.KERNEL32 ref: 00007FF6235C8A63
OpenProcessToken.ADVAPI32 ref: 00007FF6235C8A86
CloseHandle.KERNEL32 ref: 00007FF6235C8A93
SysStringLen.OLEAUT32 ref: 00007FF6235C8AE1
SysStringLen.OLEAUT32 ref: 00007FF6235C8AF9
CloseHandle.KERNEL32 ref: 00007FF6235C8B5F
CloseHandle.KERNEL32 ref: 00007FF6235C8B68
SysFreeString.OLEAUT32 ref: 00007FF6235C8BA1
SysFreeString.OLEAUT32 ref: 00007FF6235C8BE5
GetCurrentProcessId.KERNEL32 ref: 00007FF6235C8C4B
wsprintfW.USER32 ref: 00007FF6235C8C62

Part of subcall function 00007FF6235C8A40: GetVersionExW.KERNEL32 ref: 00007FF6235C8C91
Part of subcall function 00007FF6235C8A40: GetCurrentProcess.KERNEL32 ref: 00007FF6235C8CBD
Part of subcall function 00007FF6235C8A40: OpenProcessToken.ADVAPI32 ref: 00007FF6235C8CD3
Part of subcall function 00007FF6235C8A40: GetTokenInformation.KERNELBASE ref: 00007FF6235C8D08
Part of subcall function 00007FF6235C8A40: GetLastError.KERNEL32 ref: 00007FF6235C8D16
Part of subcall function 00007FF6235C8A40: LocalAlloc.KERNEL32 ref: 00007FF6235C8D35
Part of subcall function 00007FF6235C8A40: GetTokenInformation.KERNELBASE ref: 00007FF6235C8D68
Part of subcall function 00007FF6235C8A40: GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF6235C8D75
Part of subcall function 00007FF6235C8A40: GetSidSubAuthority.ADVAPI32 ref: 00007FF6235C8D83
Part of subcall function 00007FF6235C8A40: LocalFree.KERNEL32 ref: 00007FF6235C8D8E
Part of subcall function 00007FF6235C8A40: CloseHandle.KERNEL32 ref: 00007FF6235C8DA4
Part of subcall function 00007FF6235C8A40: wsprintfW.USER32 ref: 00007FF6235C8E03

Strings

VenNetwork, xrefs: 00007FF6235C8C30
None/%s, xrefs: 00007FF6235C8DF2
NO/, xrefs: 00007FF6235C8DE9
-N/, xrefs: 00007FF6235C8DE0

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Process$CloseHandleStringToken$CurrentFreeOpen$AuthorityInformationLocalwsprintf$AllocCountErrorLastVersion
String ID: -N/$NO/$None/%s$VenNetwork
API String ID: 166307840-819860926
Opcode ID: 2f4f0c352e8847fd7525cd0cddb264fb330a96b85be20a458fd84ca8cfda45ef
Instruction ID: c41c82ae0b7f3832ca3d526d94d224b7f01351da65ba0c7906f5702b66d02c30
Opcode Fuzzy Hash: 2f4f0c352e8847fd7525cd0cddb264fb330a96b85be20a458fd84ca8cfda45ef
Instruction Fuzzy Hash: FEB15E36A0974282FE209B21EC522B963A4FF85B88F044875DE4EB7B94DF3CE445D742

Function 00007FF6235C8710 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 244
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00007FF6235C8782
SysAllocString.OLEAUT32 ref: 00007FF6235C87DF
GetTokenInformation.KERNELBASE ref: 00007FF6235C8829
GetLastError.KERNEL32 ref: 00007FF6235C8833
GetProcessHeap.KERNEL32 ref: 00007FF6235C8849
HeapAlloc.KERNEL32 ref: 00007FF6235C885A
GetTokenInformation.KERNELBASE ref: 00007FF6235C888C
LookupAccountSidW.ADVAPI32 ref: 00007FF6235C88CA
GetLastError.KERNEL32 ref: 00007FF6235C88D4
SysAllocString.OLEAUT32 ref: 00007FF6235C895C
SysAllocString.OLEAUT32 ref: 00007FF6235C89C6
GetProcessHeap.KERNEL32 ref: 00007FF6235C89EB
HeapFree.KERNEL32 ref: 00007FF6235C89F9
GetCurrentProcessId.KERNEL32(00001334,00000000,00000000,00001334,?,00007FF6235C8C70), ref: 00007FF6235C8A53
OpenProcess.KERNEL32 ref: 00007FF6235C8A63
OpenProcessToken.ADVAPI32 ref: 00007FF6235C8A86
CloseHandle.KERNEL32 ref: 00007FF6235C8A93

Strings

NONE_MAPPED, xrefs: 00007FF6235C88E1

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: AllocProcess$HeapString$Token$ErrorInformationLastOpen$AccountCloseCurrentFreeHandleLookup
String ID: NONE_MAPPED
API String ID: 1410310566-2950899194
Opcode ID: 153f7837cc86bcbbc492fb4a375331227a21e9cb239b2b2f7dd34d1ee50442fc
Instruction ID: 4e044e175b8f61479cb8a6838e549cd59e52653818d409b6018c2b2303d445ba
Opcode Fuzzy Hash: 153f7837cc86bcbbc492fb4a375331227a21e9cb239b2b2f7dd34d1ee50442fc
Instruction Fuzzy Hash: E6A17132609B4682FE659B11EC12279A2E4EF85B84F584875DE4DB7BD0EF3CE845C312

Function 00007FF6235C7A60 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216
stringregistrycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6235C7AEB
Process32FirstW.KERNEL32 ref: 00007FF6235C7B08
Process32NextW.KERNEL32 ref: 00007FF6235C7B43
CloseHandle.KERNEL32 ref: 00007FF6235C7B50
CoCreateInstance.COMBASE ref: 00007FF6235C7B9F
wsprintfW.USER32 ref: 00007FF6235C7CA5
RegOpenKeyExW.ADVAPI32 ref: 00007FF6235C7CD5
RegQueryValueExW.KERNEL32 ref: 00007FF6235C7D36
lstrcatW.KERNEL32 ref: 00007FF6235C7D4A
lstrcatW.KERNEL32 ref: 00007FF6235C7D5A
RegCloseKey.ADVAPI32 ref: 00007FF6235C7D67
lstrlenW.KERNEL32 ref: 00007FF6235C7DA4
lstrcatW.KERNEL32 ref: 00007FF6235C7DB8
CloseHandle.KERNEL32 ref: 00007FF6235C7DE5
lstrcatW.KERNEL32 ref: 00007FF6235C7DFD
lstrcatW.KERNEL32 ref: 00007FF6235C7E0D

Strings

Windows Defender IOfficeAntiVirus implementation , xrefs: 00007FF6235C7A84
CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}, xrefs: 00007FF6235C7C97

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrcat$Close$CreateHandleProcess32$FirstInstanceNextOpenQuerySnapshotToolhelp32Valuelstrlenwsprintf
String ID: CLSID\{%.8X-%.4X-%.4X-%.2X%.2X-%.2X%.2X%.2X%.2X%.2X%.2X}$Windows Defender IOfficeAntiVirus implementation
API String ID: 582347850-1583895642
Opcode ID: 172064aca06d7bab2ac812725ebad370c198c4fa5686a0e3f00f667ec9231332
Instruction ID: 5c1f6858eda687d44cb501bed3fd5ca0ace5f0c13b8cd8d52797e7e95f14333e
Opcode Fuzzy Hash: 172064aca06d7bab2ac812725ebad370c198c4fa5686a0e3f00f667ec9231332
Instruction Fuzzy Hash: 49A18332A08B828AEB60CF35EC416AA77A1FB85B98F544171DE4DA7B98DF3CD544C701

Function 00007FF6235CB410 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 232
memorytimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateEventW.KERNEL32 ref: 00007FF6235CB444

Part of subcall function 00007FF6235C1200: GetProcessHeap.KERNEL32 ref: 00007FF6235C1236

HeapCreate.KERNEL32 ref: 00007FF6235CB50F
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6235CB56F
CreateEventW.KERNEL32 ref: 00007FF6235CB5A2
CreateEventW.KERNEL32 ref: 00007FF6235CB5C2
CreateEventW.KERNEL32 ref: 00007FF6235CB5E2
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6235CB6B3
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF6235CB6C7
timeGetTime.WINMM ref: 00007FF6235CB739
CreateEventW.KERNEL32 ref: 00007FF6235CB74F
CreateEventW.KERNEL32 ref: 00007FF6235CB763

Strings

<, xrefs: 00007FF6235CB484
<, xrefs: 00007FF6235CB47D

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Create$Event$CountCriticalInitializeSectionSpin$Heap$ProcessTimetime
String ID: <$<
API String ID: 2446585644-213342407
Opcode ID: d796c4475e9fa8e1e86eef5c02ee225e2c55a59838e1fea022d1642caceff4b5
Instruction ID: e42a17c09067a1fc158723ed1ac46fe2500d83873187eb4e7ad6d64118b59569
Opcode Fuzzy Hash: d796c4475e9fa8e1e86eef5c02ee225e2c55a59838e1fea022d1642caceff4b5
Instruction Fuzzy Hash: 12B14C72605B818AEB448F35E8963A933A9FB44B08F58453CCF4C6B795DF38A164C729

Function 00007FF6235DC400 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 128fileCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FF6235DC42F
CreateFileW.KERNEL32 ref: 00007FF6235DC45A
DeviceIoControl.KERNEL32 ref: 00007FF6235DC4AA
DeviceIoControl.KERNEL32 ref: 00007FF6235DC511

Part of subcall function 00007FF6235DC640: WideCharToMultiByte.KERNEL32 ref: 00007FF6235DC675
Part of subcall function 00007FF6235DC640: WideCharToMultiByte.KERNEL32 ref: 00007FF6235DC6B0

DeviceIoControl.KERNEL32 ref: 00007FF6235DC571
DeviceIoControl.KERNEL32 ref: 00007FF6235DC5D0

Part of subcall function 00007FF6235DC2D0: CreateFileA.KERNEL32 ref: 00007FF6235DC379
Part of subcall function 00007FF6235DC2D0: DeviceIoControl.KERNEL32 ref: 00007FF6235DC3C1

CloseHandle.KERNEL32 ref: 00007FF6235DC5FE
CloseHandle.KERNEL32 ref: 00007FF6235DC623

Strings

\\.\HCD%d, xrefs: 00007FF6235DC423

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ControlDevice$ByteCharCloseCreateFileHandleMultiWide$wsprintf
String ID: \\.\HCD%d
API String ID: 2324936672-2696249065
Opcode ID: fba3a6acf6e72ed7b72618c4283ac656f0c243164c030697ae0719591fc402df
Instruction ID: 33d61edc8bc53793247b2e15d33df21efdae473c43c4df8f473df9eaf04ef9ec
Opcode Fuzzy Hash: fba3a6acf6e72ed7b72618c4283ac656f0c243164c030697ae0719591fc402df
Instruction Fuzzy Hash: 1D517C32A08B8586EF609F10F8417AAB7A4FB85794F042174DA8EA7B95DF3CD415CB41

Function 00007FF6235DBDF0 Relevance: 15.0, APIs: 10, Instructions: 33threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6235DBDFB
GetConsoleWindow.KERNEL32 ref: 00007FF6235DBE01
ShowWindow.USER32 ref: 00007FF6235DBE0C
GetCurrentThreadId.KERNEL32 ref: 00007FF6235DBE12
PostThreadMessageA.USER32 ref: 00007FF6235DBE22
GetInputState.USER32 ref: 00007FF6235DBE28
CreateThread.KERNEL32 ref: 00007FF6235DBE47
WaitForSingleObject.KERNEL32 ref: 00007FF6235DBE5C
CloseHandle.KERNEL32 ref: 00007FF6235DBE69
Sleep.KERNEL32 ref: 00007FF6235DBE74

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Thread$Window$CloseConsoleCreateCurrentExceptionFilterHandleInputMessageObjectPostShowSingleSleepStateUnhandledWait
String ID:
API String ID: 2277684705-0
Opcode ID: 1f499c150cbe33159222533ec4b742c736879ee302e7e86ebc66b87cb5efa357
Instruction ID: 0d915dd834cb085e2468a2a6ec8b09b26b0c79fc669a335f1963073459e8aa57
Opcode Fuzzy Hash: 1f499c150cbe33159222533ec4b742c736879ee302e7e86ebc66b87cb5efa357
Instruction Fuzzy Hash: B7011635A18B0282EB149B31FC1A52A22A2FF89B51B4041B5C90EF2BB4EF3CA0458206

Function 00007FF6235F2048 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 334timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6235F208D

Part of subcall function 00007FF6235F1704: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F1718

Part of subcall function 00007FF6235EE95C: RtlFreeHeap.NTDLL(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE972
Part of subcall function 00007FF6235EE95C: GetLastError.KERNEL32(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE97C

Part of subcall function 00007FF6235E4028: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6235E3FD7,?,?,?,?,?,00007FF6235E3EC2), ref: 00007FF6235E4031
Part of subcall function 00007FF6235E4028: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6235E3FD7,?,?,?,?,?,00007FF6235E3EC2), ref: 00007FF6235E4056

Part of subcall function 00007FF6235FA1B4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235FA0FF

_get_daylight.LIBCMT ref: 00007FF6235F207C

Part of subcall function 00007FF6235F1764: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F1778

_get_daylight.LIBCMT ref: 00007FF6235F22F2
_get_daylight.LIBCMT ref: 00007FF6235F2303
_get_daylight.LIBCMT ref: 00007FF6235F2314
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6235F2554), ref: 00007FF6235F233B

Strings

Eastern Summer Time, xrefs: 00007FF6235F23F9
Eastern Standard Time, xrefs: 00007FF6235F23E1

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 5190737fcedb8824ad4a2f5adc1dd419c442ee6d8cf329e1688e58de2abb36f5
Instruction ID: 265cbcc3cbb4225f14002e0725e6f58129375a2eb0afb1f648b580bce911653d
Opcode Fuzzy Hash: 5190737fcedb8824ad4a2f5adc1dd419c442ee6d8cf329e1688e58de2abb36f5
Instruction Fuzzy Hash: 35D1D076A1824286EF20AF26DC521B967A1FF85B84F408175EE4DF7A85DF3CE441C782

Function 00007FF6235C80C0 Relevance: 10.9, APIs: 7, Instructions: 424COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6235DC400: wsprintfW.USER32 ref: 00007FF6235DC42F
Part of subcall function 00007FF6235DC400: CreateFileW.KERNEL32 ref: 00007FF6235DC45A
Part of subcall function 00007FF6235DC400: DeviceIoControl.KERNEL32 ref: 00007FF6235DC4AA
Part of subcall function 00007FF6235DC400: DeviceIoControl.KERNEL32 ref: 00007FF6235DC511
Part of subcall function 00007FF6235DC400: DeviceIoControl.KERNEL32 ref: 00007FF6235DC571
Part of subcall function 00007FF6235DC400: DeviceIoControl.KERNEL32 ref: 00007FF6235DC5D0

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235C86F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235C86F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235C86FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235C8702

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ControlDevice_invalid_parameter_noinfo_noreturn$CreateFilewsprintf
String ID:
API String ID: 3155671162-0
Opcode ID: ada6dbc8d5a54c1d03fe828c81b952750c404f4c930501da61a70443052744b7
Instruction ID: 7c171a03107955756c817cc7224c07dbdd57bd25f95115deec9d3d794320806f
Opcode Fuzzy Hash: ada6dbc8d5a54c1d03fe828c81b952750c404f4c930501da61a70443052744b7
Instruction Fuzzy Hash: 0C02AD22F18B8285EF00DB61E8523AD23A1AB45798F004676EE5DB7BD9DF3CE485D341

Function 00007FF6235F22C4 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6235F22F2

Part of subcall function 00007FF6235F1764: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F1778

_get_daylight.LIBCMT ref: 00007FF6235F2303

Part of subcall function 00007FF6235F1704: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F1718

_get_daylight.LIBCMT ref: 00007FF6235F2314

Part of subcall function 00007FF6235F1734: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F1748

Part of subcall function 00007FF6235EE95C: RtlFreeHeap.NTDLL(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE972
Part of subcall function 00007FF6235EE95C: GetLastError.KERNEL32(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE97C

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6235F2554), ref: 00007FF6235F233B

Strings

Eastern Summer Time, xrefs: 00007FF6235F23F9
Eastern Standard Time, xrefs: 00007FF6235F23E1

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 2133f9b6c4e90f95ebb1c2c4b763d73db315d9997485f014e8f6b7b9b98ca04f
Instruction ID: e4e4ea388e692640b5cc82aabcf9d17c5745a3f7ac635ff1ffafbf6a5f9be0c7
Opcode Fuzzy Hash: 2133f9b6c4e90f95ebb1c2c4b763d73db315d9997485f014e8f6b7b9b98ca04f
Instruction Fuzzy Hash: BF51AE76A1864286FF20DF62DC921A9B760BB49784F404176EE8DF3B95DF7CE4018782

Function 00007FF6235E8EB0 Relevance: 9.2, APIs: 6, Instructions: 249COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E8ED2
_get_daylight.LIBCMT ref: 00007FF6235E8F32
_get_daylight.LIBCMT ref: 00007FF6235E8F43
_get_daylight.LIBCMT ref: 00007FF6235E8F54
_isindst.LIBCMT ref: 00007FF6235E8FA5
_isindst.LIBCMT ref: 00007FF6235E8FF8

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: 94003a780ed234a965d2311ace6d53ea410cbd1e40622ac1b689e0d0deb2975f
Instruction ID: 09e9ae8af175c63c8ca3cdba9258e7d494222053abb6f9e17b3da1c64a3925ce
Opcode Fuzzy Hash: 94003a780ed234a965d2311ace6d53ea410cbd1e40622ac1b689e0d0deb2975f
Instruction Fuzzy Hash: A791D5B2F043468BEF588F25CD022B963A1EB54B88F449139DA0DEB789EF3CE5418741

Function 00007FF6235C3B00 Relevance: 4.7, APIs: 3, Instructions: 151timenetworkCOMMON

Download Yara Rule

APIs

select.WS2_32 ref: 00007FF6235C3BF5
recv.WS2_32 ref: 00007FF6235C3C1B

Part of subcall function 00007FF6235C1500: VirtualAlloc.KERNEL32 ref: 00007FF6235C1575
Part of subcall function 00007FF6235C1500: VirtualFree.KERNELBASE ref: 00007FF6235C15AF

timeGetTime.WINMM ref: 00007FF6235C3D04

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocFreeTimerecvselecttime
String ID:
API String ID: 1996171534-0
Opcode ID: 2935555a22fa52e62a83a0f83548e4e7340cb669a6483980d0d32167c7629015
Instruction ID: a88969151cf9a7204623293615bcd0c1ba1916be6cb86cd52ea9fee040edee8e
Opcode Fuzzy Hash: 2935555a22fa52e62a83a0f83548e4e7340cb669a6483980d0d32167c7629015
Instruction Fuzzy Hash: 1C719D72A08A8581EB209F28D8152AD73A0FB95B8CF159635CF4DA3795DF3CE484C745

Function 00007FF6235C1500 Relevance: 2.6, APIs: 2, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6235C1575
VirtualFree.KERNELBASE ref: 00007FF6235C15AF

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: bdec6c309521b78e3869a161020c8be31cfe41798d2485b5db3fb8b25cd2d730
Instruction ID: f808d2cfcf17dfcc3331bdddd72b3be36820add191761f7e249163ea8a60dd2a
Opcode Fuzzy Hash: bdec6c309521b78e3869a161020c8be31cfe41798d2485b5db3fb8b25cd2d730
Instruction Fuzzy Hash: 7141F832708A418AEB09CF2AE851679A795FB54FC8F044539EE0EE7785EF38D946C740

Function 00007FF6235D0220 Relevance: 45.3, APIs: 30, Instructions: 260
memorywindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32 ref: 00007FF6235D0258
GlobalLock.KERNEL32 ref: 00007FF6235D0264
GlobalUnlock.KERNEL32 ref: 00007FF6235D027B
CreateStreamOnHGlobal.OLE32 ref: 00007FF6235D0291
GlobalFree.KERNEL32 ref: 00007FF6235D05F4

Part of subcall function 00007FF6235C61E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF6235C6231
Part of subcall function 00007FF6235C61E0: GetLastError.KERNEL32 ref: 00007FF6235C623B

EnterCriticalSection.KERNEL32 ref: 00007FF6235D02DF
LeaveCriticalSection.KERNEL32 ref: 00007FF6235D02EC
GdipCreateBitmapFromStream.GDIPLUS ref: 00007FF6235D031A
GdipDisposeImage.GDIPLUS ref: 00007FF6235D0330
GdipDisposeImage.GDIPLUS ref: 00007FF6235D034E
CreateStreamOnHGlobal.OLE32 ref: 00007FF6235D036B
GetHGlobalFromStream.OLE32 ref: 00007FF6235D0392
GlobalLock.KERNEL32 ref: 00007FF6235D039C
GlobalFree.KERNEL32 ref: 00007FF6235D03BB
DeleteObject.GDI32 ref: 00007FF6235D03EB
EnterCriticalSection.KERNEL32 ref: 00007FF6235D03FD
EnterCriticalSection.KERNEL32 ref: 00007FF6235D040D
GdiplusShutdown.GDIPLUS ref: 00007FF6235D041B
LeaveCriticalSection.KERNEL32 ref: 00007FF6235D0428
LeaveCriticalSection.KERNEL32 ref: 00007FF6235D0432
DeleteObject.GDI32 ref: 00007FF6235D05A4
EnterCriticalSection.KERNEL32 ref: 00007FF6235D05B6
EnterCriticalSection.KERNEL32 ref: 00007FF6235D05C6
GdiplusShutdown.GDIPLUS ref: 00007FF6235D05D4
LeaveCriticalSection.KERNEL32 ref: 00007FF6235D05E1
LeaveCriticalSection.KERNEL32 ref: 00007FF6235D05EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D0618

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$Global$EnterLeave$Stream$CreateGdip$DeleteDisposeFreeFromGdiplusImageLockObjectShutdown$AllocBitmapErrorInitializeLastUnlock_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 953580087-0
Opcode ID: 3ce228b2e6512ff9c91a5f2ff2817171e9ad90a018f9af23587c8ebbaf042eaa
Instruction ID: edcc086c57539e17d13e59514a496d3c74c725ced655b386908778f6bb8ee389
Opcode Fuzzy Hash: 3ce228b2e6512ff9c91a5f2ff2817171e9ad90a018f9af23587c8ebbaf042eaa
Instruction Fuzzy Hash: 76C15736B08B428AEF00DF61E8152AD23B5FF45B98B004175CE5EB7A99DF38E459C345

Function 00007FF6235CC340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GdipGetImagePixelFormat.GDIPLUS ref: 00007FF6235CC377
GdipGetImageHeight.GDIPLUS ref: 00007FF6235CC3F4
GdipGetImageWidth.GDIPLUS ref: 00007FF6235CC41A
GdipGetImagePaletteSize.GDIPLUS ref: 00007FF6235CC470
GdipGetImagePalette.GDIPLUS ref: 00007FF6235CC4F1
CreateCompatibleDC.GDI32 ref: 00007FF6235CC588
SelectObject.GDI32 ref: 00007FF6235CC599
SetDIBColorTable.GDI32 ref: 00007FF6235CC5B7
SelectObject.GDI32 ref: 00007FF6235CC5CC
DeleteDC.GDI32 ref: 00007FF6235CC5F6
GdipBitmapLockBits.GDIPLUS ref: 00007FF6235CC646
GdipBitmapUnlockBits.GDIPLUS ref: 00007FF6235CC6D3
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF6235CC702
GdipGetImageGraphicsContext.GDIPLUS ref: 00007FF6235CC71D
GdipDrawImageI.GDIPLUS ref: 00007FF6235CC737
GdipDeleteGraphics.GDIPLUS ref: 00007FF6235CC740
GdipDisposeImage.GDIPLUS ref: 00007FF6235CC74D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235CC79F

Strings

&, xrefs: 00007FF6235CC3D4

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Gdip$Image$Bitmap$BitsCreateDeleteGraphicsObjectPaletteSelect$ColorCompatibleContextDisposeDrawFormatFromHeightLockPixelScan0SizeTableUnlockWidth_invalid_parameter_noinfo
String ID: &
API String ID: 4034434136-3042966939
Opcode ID: 239e805813e04336424a29340b1b3b4cd56234119952a51b41bc6ad9426f54d6
Instruction ID: 2d9592a194e30a07d24c9259f8479198e0f0bce723c00558e6ae6a5481887c16
Opcode Fuzzy Hash: 239e805813e04336424a29340b1b3b4cd56234119952a51b41bc6ad9426f54d6
Instruction Fuzzy Hash: 87D1BD72604B828AEB608F25D9456BD37A4FB04B98F018475DF1EB7B94DF38E942C741

Function 00007FF6235C3820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
networkstringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResetEvent.KERNEL32 ref: 00007FF6235C3840
timeGetTime.WINMM ref: 00007FF6235C384F
socket.WS2_32 ref: 00007FF6235C387C
lstrlenW.KERNEL32 ref: 00007FF6235C389E
WideCharToMultiByte.KERNEL32 ref: 00007FF6235C38C2
lstrlenW.KERNEL32 ref: 00007FF6235C38DA
WideCharToMultiByte.KERNEL32 ref: 00007FF6235C38FD
gethostbyname.WS2_32 ref: 00007FF6235C390A
htons.WS2_32 ref: 00007FF6235C3938
connect.WS2_32 ref: 00007FF6235C3962
setsockopt.WS2_32 ref: 00007FF6235C399E
setsockopt.WS2_32 ref: 00007FF6235C39D1
setsockopt.WS2_32 ref: 00007FF6235C3A04
setsockopt.WS2_32 ref: 00007FF6235C3A2D
WSAIoctl.WS2_32 ref: 00007FF6235C3A80

Strings

0u, xrefs: 00007FF6235C39EB

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: setsockopt$ByteCharMultiWidelstrlen$EventIoctlResetTimeconnectgethostbynamehtonssockettime
String ID: 0u
API String ID: 3082052849-3203441087
Opcode ID: 9bb4aa29c9e6661a1d5a7a947209a0091e729a32abab4caebb3e9084a2693f54
Instruction ID: 2e04c61bda02fe404c892af7219f452a4c363861e89316398e95ebf017a5404f
Opcode Fuzzy Hash: 9bb4aa29c9e6661a1d5a7a947209a0091e729a32abab4caebb3e9084a2693f54
Instruction Fuzzy Hash: 62716072608B8186DB20CF21F84476AB7A5FB85798F004239EE8E67B94DF3DD119CB05

Function 00007FF6235C8C30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF6235C8C4B
wsprintfW.USER32 ref: 00007FF6235C8C62

Part of subcall function 00007FF6235C8A40: GetCurrentProcessId.KERNEL32(00001334,00000000,00000000,00001334,?,00007FF6235C8C70), ref: 00007FF6235C8A53
Part of subcall function 00007FF6235C8A40: OpenProcess.KERNEL32 ref: 00007FF6235C8A63
Part of subcall function 00007FF6235C8A40: OpenProcessToken.ADVAPI32 ref: 00007FF6235C8A86
Part of subcall function 00007FF6235C8A40: CloseHandle.KERNEL32 ref: 00007FF6235C8A93

GetVersionExW.KERNEL32 ref: 00007FF6235C8C91
GetCurrentProcess.KERNEL32 ref: 00007FF6235C8CBD
OpenProcessToken.ADVAPI32 ref: 00007FF6235C8CD3
GetTokenInformation.KERNELBASE ref: 00007FF6235C8D08
GetLastError.KERNEL32 ref: 00007FF6235C8D16
LocalAlloc.KERNEL32 ref: 00007FF6235C8D35
GetTokenInformation.KERNELBASE ref: 00007FF6235C8D68
GetSidSubAuthorityCount.ADVAPI32 ref: 00007FF6235C8D75
GetSidSubAuthority.ADVAPI32 ref: 00007FF6235C8D83
LocalFree.KERNEL32 ref: 00007FF6235C8D8E
CloseHandle.KERNEL32 ref: 00007FF6235C8DA4
wsprintfW.USER32 ref: 00007FF6235C8E03

Strings

VenNetwork, xrefs: 00007FF6235C8C30

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Process$Token$CurrentOpen$AuthorityCloseHandleInformationLocalwsprintf$AllocCountErrorFreeLastVersion
String ID: VenNetwork
API String ID: 4155081256-3057682757
Opcode ID: 3ae0895a5e42d8c7213368631a9542ba106a9abfd0f70956460d22f64f12b84e
Instruction ID: 9cebdf75f21e14f4b05846095e3acca7ae9fc3092a5f12aa2e7abe780e6a5a12
Opcode Fuzzy Hash: 3ae0895a5e42d8c7213368631a9542ba106a9abfd0f70956460d22f64f12b84e
Instruction Fuzzy Hash: F4414D36A0CB8282EF619B21EC567BA2360FB96B45F444475CA4EB3B94DF3CD445D702

Function 00007FF6235DBEF0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeviceIoControl.KERNEL32 ref: 00007FF6235DBF94
DeviceIoControl.KERNEL32 ref: 00007FF6235DC003
GlobalAlloc.KERNEL32 ref: 00007FF6235DC032
DeviceIoControl.KERNEL32 ref: 00007FF6235DC07C
GlobalFree.KERNEL32 ref: 00007FF6235DC09E
DeviceIoControl.KERNEL32 ref: 00007FF6235DC0ED
GlobalAlloc.KERNEL32 ref: 00007FF6235DC115
DeviceIoControl.KERNEL32 ref: 00007FF6235DC157
GlobalFree.KERNEL32 ref: 00007FF6235DC170
GlobalFree.KERNEL32 ref: 00007FF6235DC18F

Strings

%s-%s|, xrefs: 00007FF6235DC1FB
- External Hub, xrefs: 00007FF6235DC17B

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ControlDeviceGlobal$Free$Alloc
String ID: - External Hub$%s-%s|
API String ID: 3253977144-729331614
Opcode ID: a64a8a154bc7d147da862556ab1e51a765a2c970b97e8182b802ad51ffa46e8a
Instruction ID: bc8b06142d6cc0e90d42fb904e0a3bb57b7be012fdd6be8f13c97dbc6637315b
Opcode Fuzzy Hash: a64a8a154bc7d147da862556ab1e51a765a2c970b97e8182b802ad51ffa46e8a
Instruction Fuzzy Hash: 9CB19A72A08B8585EB60CF60A8413AEB7A0FB85794F444275DB8DB7B94DF3CD545C701

Function 00007FF6235CD9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235CDA44
GetLastInputInfo.USER32 ref: 00007FF6235CDAAB
GetTickCount.KERNEL32 ref: 00007FF6235CDAB1
wsprintfW.USER32 ref: 00007FF6235CDAE4
RegOpenKeyExW.KERNEL32 ref: 00007FF6235CDB72
RegQueryValueExW.KERNEL32 ref: 00007FF6235CDBA3

Strings

Console, xrefs: 00007FF6235CDB64
IpDatespecial, xrefs: 00007FF6235CDB9C
%d min, xrefs: 00007FF6235CDADD

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CountInfoInputLastOpenQueryTickValue_invalid_parameter_noinfo_noreturnwsprintf
String ID: %d min$Console$IpDatespecial
API String ID: 357503962-2712035571
Opcode ID: f10f92fbc072fe067106cb54d6c34107b9c6c4e7fb02d7e9705fa94ab09b83a4
Instruction ID: 7d33377bb761467bd2ab3d5630899d324c1067446614078733148a883d25ed89
Opcode Fuzzy Hash: f10f92fbc072fe067106cb54d6c34107b9c6c4e7fb02d7e9705fa94ab09b83a4
Instruction Fuzzy Hash: 3951DE32608E8285EF208F28EC463B933A4FB44B59F448172CA4DA7798EF3CD189C705

Function 00007FF6235CC7B0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS ref: 00007FF6235CC7E4
GdipGetImageEncoders.GDIPLUS ref: 00007FF6235CC871
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF6235CC915
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 00007FF6235CC92D
GdipSaveImageToStream.GDIPLUS ref: 00007FF6235CC944
GdipDisposeImage.GDIPLUS ref: 00007FF6235CC951
GdipDisposeImage.GDIPLUS ref: 00007FF6235CC95E

Strings

&, xrefs: 00007FF6235CC8FD

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Gdip$Image$BitmapCreateDisposeEncodersFrom$SaveScan0SizeStream
String ID: &
API String ID: 370471037-3042966939
Opcode ID: 28b2eeaec2d98f14f4e8f3b60e7ba4f1bea8e24f035ccc537625c12df49cfb7a
Instruction ID: 0ac3f5be1ad1d3e437baee30821acc9e4541697c7eae54e8ecedca9b91cb893a
Opcode Fuzzy Hash: 28b2eeaec2d98f14f4e8f3b60e7ba4f1bea8e24f035ccc537625c12df49cfb7a
Instruction Fuzzy Hash: DF518132A08B4286EF119B219C025B963A1FB45BA8F4446B1DE5DB7BE4DF3CE943C341

Function 00007FF6235C9300 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6235C931D
GetProcAddress.KERNEL32 ref: 00007FF6235C932D
GetNativeSystemInfo.KERNEL32 ref: 00007FF6235C933D
GetSystemInfo.KERNEL32 ref: 00007FF6235C9341

Strings

GetNativeSystemInfo, xrefs: 00007FF6235C9326
kernel32.dll, xrefs: 00007FF6235C9307

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 3433367815-192647395
Opcode ID: 06b04ae401ee5d5c7cc9b92bd00cef418c8d008ef26561d2b8b72a7f6fbba0c7
Instruction ID: 156977813321a98c6cc0f461c49c9cff0404fc1c2b9cc9cd059a3e1980f4cd0d
Opcode Fuzzy Hash: 06b04ae401ee5d5c7cc9b92bd00cef418c8d008ef26561d2b8b72a7f6fbba0c7
Instruction Fuzzy Hash: D9F09615E18B8283FE60A710DC023B93361FFA9B04F905775E98EB1A94EF5CE2D4C601

Function 00007FF6235C8E30 Relevance: 9.1, APIs: 6, Instructions: 67registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32 ref: 00007FF6235C8E92
RegQueryValueExW.KERNEL32 ref: 00007FF6235C8EE9
lstrcmpW.KERNEL32 ref: 00007FF6235C8EFF
RegCloseKey.KERNEL32 ref: 00007FF6235C8F2F
RegCloseKey.ADVAPI32 ref: 00007FF6235C8F3D

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcmp
String ID:
API String ID: 4288439342-0
Opcode ID: 9757e75af8232627abeb9f8389a1c3797a9351f61d8f1bccc733d4b1246574e8
Instruction ID: 83385638f06a9d1e12de2c2047411d5fbdaacafa1aa359e63a4818cf4b3dc888
Opcode Fuzzy Hash: 9757e75af8232627abeb9f8389a1c3797a9351f61d8f1bccc733d4b1246574e8
Instruction Fuzzy Hash: 2D318631618B8182EB60CB25EC8966A73A4FB85B94F504271DE5DA3BD8DF3DD804CB01

Function 00007FF6235C8F60 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 239COMMON

Download Yara Rule

APIs

CreateDXGIFactory.DXGI ref: 00007FF6235C8FAC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235C92F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235C92F7

Strings

%s%s %d %d , xrefs: 00007FF6235C909F
%s%s %d*%d , xrefs: 00007FF6235C91F4

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateFactory
String ID: %s%s %d %d $%s%s %d*%d
API String ID: 2331002265-1924168580
Opcode ID: e8d6461351b0342cbb6652825b90b278b984841a945ce86b9280404ee83501b8
Instruction ID: db9e9bb6c1e19f91b7977c745d74ca8ce9e282c2ccc8e58c1251fa93963625a2
Opcode Fuzzy Hash: e8d6461351b0342cbb6652825b90b278b984841a945ce86b9280404ee83501b8
Instruction Fuzzy Hash: FFA18E32B04B8585EB10CF65D8452EE77B5FB89B98F504622EE9DA7B98CF38D081C701

Function 00007FF6235E8BE0 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E8C0B
CreateThread.KERNEL32 ref: 00007FF6235E8C4C
GetLastError.KERNEL32 ref: 00007FF6235E8C5A
CloseHandle.KERNEL32 ref: 00007FF6235E8C70
FreeLibrary.KERNEL32 ref: 00007FF6235E8C7F

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 2bf2d8e4056023ef3a5b5264bbcf8491965b7124c54493676a6e58e8f064e49f
Instruction ID: a365cf055ad4f5c238c47dc5974f75fc3352e610164ac606274c5fbc6d743ab9
Opcode Fuzzy Hash: 2bf2d8e4056023ef3a5b5264bbcf8491965b7124c54493676a6e58e8f064e49f
Instruction Fuzzy Hash: 05216235A0AB5285EE14DF65EC12079A3A0BF89F90F0445B5DE5EB7B95DF3CE4408601

Function 00007FF6235DC2D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32 ref: 00007FF6235DC379
DeviceIoControl.KERNEL32 ref: 00007FF6235DC3C1

Strings

\\.\, xrefs: 00007FF6235DC31E
L, xrefs: 00007FF6235DC3A9

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ControlCreateDeviceFile
String ID: L$\\.\
API String ID: 107608037-1891537229
Opcode ID: 21bc0f6301598303c13827e0319026f3a4049949566ec9a53abc1aeea47cf04e
Instruction ID: c2a726f7fcdaf3e95069de55b2b279948dc3771a9475f2afefdd43a9b679bb0c
Opcode Fuzzy Hash: 21bc0f6301598303c13827e0319026f3a4049949566ec9a53abc1aeea47cf04e
Instruction Fuzzy Hash: EC31B46260D78581EB508F11B85137A7B94EB85BE4F084374EBAE6BBC6CF3CD5058701

Function 00007FF6235C3E30 Relevance: 6.1, APIs: 4, Instructions: 120threadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6235C3E51
send.WS2_32 ref: 00007FF6235C3F43
send.WS2_32 ref: 00007FF6235C3F90
GetCurrentThreadId.KERNEL32 ref: 00007FF6235C3FBA

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CurrentThreadsend
String ID:
API String ID: 302076607-0
Opcode ID: 1d5fac0907bdd9d84bc34d83d8396e4accfe818cb4c73ff339665f4c5f5d32ef
Instruction ID: e307a380ff8ee15f188c057a353ed5862ac9bbfe932e7cce951f339a5d9d8386
Opcode Fuzzy Hash: 1d5fac0907bdd9d84bc34d83d8396e4accfe818cb4c73ff339665f4c5f5d32ef
Instruction Fuzzy Hash: AA51B332A04B4687EB148F25E84536AB7B0FB45B88F048875CB4DA7B95DF3CE592C345

Function 00007FF6235DC6E0 Relevance: 4.6, APIs: 3, Instructions: 79stringCOMMON

Download Yara Rule

APIs

GetSystemDefaultLangID.KERNEL32 ref: 00007FF6235DC723
DeviceIoControl.KERNEL32 ref: 00007FF6235DC773

Part of subcall function 00007FF6235DC640: WideCharToMultiByte.KERNEL32 ref: 00007FF6235DC675
Part of subcall function 00007FF6235DC640: WideCharToMultiByte.KERNEL32 ref: 00007FF6235DC6B0

lstrcpyA.KERNEL32 ref: 00007FF6235DC7F2

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ByteCharMultiWide$ControlDefaultDeviceLangSystemlstrcpy
String ID:
API String ID: 3058672631-0
Opcode ID: 62bbaa5f944f4d7b3208405c1483dc30ee100de22e3906a95e19890dc0bb8ba5
Instruction ID: 60e543cf339bd35c0a9a540a5533cd8e24b538c5206627e59705de47534ff002
Opcode Fuzzy Hash: 62bbaa5f944f4d7b3208405c1483dc30ee100de22e3906a95e19890dc0bb8ba5
Instruction Fuzzy Hash: 1231A531A0C78285EF20CB11E8453AAA3A1EB8A790F544175EF9DA7B89DF3DD445CB01

Function 00007FF6235CC9B0 Relevance: 4.5, APIs: 3, Instructions: 38COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6235C61E0: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF6235C6231
Part of subcall function 00007FF6235C61E0: GetLastError.KERNEL32 ref: 00007FF6235C623B

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6235CC7D4), ref: 00007FF6235CC9DA
GdiplusStartup.GDIPLUS ref: 00007FF6235CCA0F
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF6235CC7D4), ref: 00007FF6235CCA27

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterErrorGdiplusInitializeLastLeaveStartup
String ID:
API String ID: 2723390537-0
Opcode ID: c1fce392dff7f0e0a1fd8d320c51b28cecfe9cf3d04554c50c1a4421144027e9
Instruction ID: e0d73f0363d465544815f395fce1b11049f85d8d70e4dbc11558b1378433fd89
Opcode Fuzzy Hash: c1fce392dff7f0e0a1fd8d320c51b28cecfe9cf3d04554c50c1a4421144027e9
Instruction Fuzzy Hash: 6B015232908B81C6EB509F15E80536AB7E5F785B45F481065EB8EA3B94CF3CD155CB41

Function 00007FF6235C3DA0 Relevance: 3.0, APIs: 2, Instructions: 41timeCOMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 00007FF6235C3DCD
timeGetTime.WINMM ref: 00007FF6235C3DF1

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: SleepTimetime
String ID:
API String ID: 346578373-0
Opcode ID: a07444b426276808b022deff05d84a514b99e0a0f66664c5b3036afdf0babcf4
Instruction ID: b794f765b3ba29150413389fdfd525b96e2d12c65115ec2e08ea6c33a21015db
Opcode Fuzzy Hash: a07444b426276808b022deff05d84a514b99e0a0f66664c5b3036afdf0babcf4
Instruction Fuzzy Hash: 63018022B1864587EB644B24E98937C27A0F745788F441674C75EA7AD0CF3CD4E5C706

Function 00007FF6235E8AA8 Relevance: 3.0, APIs: 2, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6235E8AB6
ExitThread.KERNEL32 ref: 00007FF6235E8ABE

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 41641528019013f9ff929c92362d335c34901b889fac2650327ddb4de509bf94
Instruction ID: dc3c8235b71ec3be9db65534b7da1d96ea97fef6e17fb761d0f7c30b8684d7f5
Opcode Fuzzy Hash: 41641528019013f9ff929c92362d335c34901b889fac2650327ddb4de509bf94
Instruction Fuzzy Hash: 12F09021E1AB0242EF04BBB09C0B07D12A0AF56F10F1804B4DD0DF7792DF3CA4458302

Function 00007FF6235DDFB8 Relevance: 3.0, APIs: 2, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235DDFE8
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235DDFEE

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 8afa6a4327cd587ea362fe0c4f5b4bf1e5e9001c34c8a508c9f4177e13cca725
Instruction ID: 7a7403794ff3c795e3de862cefafe3f4b1eea26fa61f43b897d5b3691dbca884
Opcode Fuzzy Hash: 8afa6a4327cd587ea362fe0c4f5b4bf1e5e9001c34c8a508c9f4177e13cca725
Instruction Fuzzy Hash: FBE0B641E1D20F45FD2922A62C2747900800F5A7B1E282BB2EA7EF82C2AF1CA5558153

Function 00007FF6235EE95C Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE972
GetLastError.KERNEL32(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE97C

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: a2b1b4d253dc9b48524949a201526306b0bcc39bf10aa9e0b1341fdbb23a067c
Instruction ID: 92a287f075fd423a1b6a64b469e6e1e4d4bd7ae1e591c418516d52cc2961b93f
Opcode Fuzzy Hash: a2b1b4d253dc9b48524949a201526306b0bcc39bf10aa9e0b1341fdbb23a067c
Instruction Fuzzy Hash: 1BE08C10F1970242FF586BF2AC4B03826A0AF85F00F0054B4CD4DF7391DF3CA8404212

Function 00007FF6235C1730 Relevance: 2.6, APIs: 2, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6235C1796
VirtualFree.KERNELBASE ref: 00007FF6235C17CA

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 17a02dcf2f47f10d7a08db77411b6b44ca6662cc7d290d042544fe107c4b0b33
Instruction ID: 4117824edbef12e6ea82ed289f486b4b695c88acfbbf091246a70206726d1921
Opcode Fuzzy Hash: 17a02dcf2f47f10d7a08db77411b6b44ca6662cc7d290d042544fe107c4b0b33
Instruction Fuzzy Hash: BE21A931718A4186DB24CB2AF84112AB7B1FB85B84B144535EB9EE3B58EF3CE5818744

Function 00007FF6235C1670 Relevance: 2.6, APIs: 2, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF6235C16C4
VirtualFree.KERNEL32 ref: 00007FF6235C16FE

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 4c8156205564e744c18fa944b02d568327434d479cf77dfe2f9176b33a9ea29c
Instruction ID: b1f10b3a3c03b46c74ee48fcef386297a80331f697683afb83c35b60ff592100
Opcode Fuzzy Hash: 4c8156205564e744c18fa944b02d568327434d479cf77dfe2f9176b33a9ea29c
Instruction Fuzzy Hash: 2111EC31B24A4141DB048F36E841129A3A5FF95BC4B144571ED4EF7798EF3CD992C780

Function 00007FF6235DE0E0 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6235DDD80: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6235DDD94

__scrt_release_startup_lock.LIBCMT ref: 00007FF6235DE177

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 2217363868-0
Opcode ID: df8c2cae6130cff53013dc258be4a77fac826802f49534194485c90f58f48bf0
Instruction ID: 5abf3c1047360e3d20512f0ab03f6f14a31752be6f33d60f4c81a8c30d3ad25c
Opcode Fuzzy Hash: df8c2cae6130cff53013dc258be4a77fac826802f49534194485c90f58f48bf0
Instruction Fuzzy Hash: 90315B21A0C64B41FE11AB659D533B963A1AF82B84F4400F9DA4EFB3E7CF2CE4448243

Function 00007FF6235C1000 Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32 ref: 00007FF6235C1022

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 2276b2cfde0ec166953e0ec75e850ce31f8cbc4b3846b0cdc97fb7f8133b5954
Instruction ID: 19ee98008202e2e78e6a2b75aa5eebce7af204a2500f22eaf4bcc930d743139d
Opcode Fuzzy Hash: 2276b2cfde0ec166953e0ec75e850ce31f8cbc4b3846b0cdc97fb7f8133b5954
Instruction Fuzzy Hash: E7E08636B05645CAEB11EF24EC4A0A47364FB59700F404172E98CD7B95DF2CE115CF01

Function 00007FF6235EF070 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF6235F27CD,?,?,00000000,00007FF6235EA69B,?,?,?,00007FF6235EC873,?,?,?,00007FF6235EC769), ref: 00007FF6235EF0AE

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 016c47a342e12657c725cebeaa7b4028c5a2c41f1cbc7a3001cbfc12b323d78a
Instruction ID: dfebc6261205e45322efbe123a3134f807b7ef9c7e0a95ad7e9972374cd1ed0d
Opcode Fuzzy Hash: 016c47a342e12657c725cebeaa7b4028c5a2c41f1cbc7a3001cbfc12b323d78a
Instruction Fuzzy Hash: 8EF0F851A0974242FE646BA25D4367512815F85BA2F0A06B0DD2FF63C1EF7CE4819227

Non-executed Functions

Function 00007FF6235C9480 Relevance: 68.5, APIs: 29, Strings: 10, Instructions: 221libraryloaderinjectionCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF6235C94F6
CreateProcessA.KERNEL32 ref: 00007FF6235C9559
GetCurrentProcess.KERNEL32 ref: 00007FF6235C9567
OpenProcessToken.ADVAPI32 ref: 00007FF6235C957C
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6235C959A
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6235C95E2
OpenProcess.KERNEL32 ref: 00007FF6235C95FB
LoadLibraryA.KERNEL32 ref: 00007FF6235C9625
GetProcAddress.KERNEL32 ref: 00007FF6235C9635
LoadLibraryA.KERNEL32 ref: 00007FF6235C9646
GetProcAddress.KERNEL32 ref: 00007FF6235C9656
LoadLibraryA.KERNEL32 ref: 00007FF6235C9667
GetProcAddress.KERNEL32 ref: 00007FF6235C9677
LoadLibraryA.KERNEL32 ref: 00007FF6235C9688
GetProcAddress.KERNEL32 ref: 00007FF6235C9698
GetCurrentProcess.KERNEL32 ref: 00007FF6235C96A2
GetProcessId.KERNEL32 ref: 00007FF6235C96AB
GetModuleFileNameA.KERNEL32 ref: 00007FF6235C96DF
VirtualAllocEx.KERNEL32 ref: 00007FF6235C9715
WriteProcessMemory.KERNEL32 ref: 00007FF6235C973C
VirtualProtectEx.KERNEL32 ref: 00007FF6235C976F
VirtualAllocEx.KERNEL32 ref: 00007FF6235C978E
WriteProcessMemory.KERNEL32 ref: 00007FF6235C97B8
VirtualProtectEx.KERNEL32 ref: 00007FF6235C97E4
CreateRemoteThread.KERNEL32 ref: 00007FF6235C9807
Sleep.KERNEL32 ref: 00007FF6235C981A
VirtualProtectEx.KERNEL32 ref: 00007FF6235C983E
VirtualProtectEx.KERNEL32 ref: 00007FF6235C9862
ResumeThread.KERNEL32 ref: 00007FF6235C986B

Strings

SeDebugPrivilege, xrefs: 00007FF6235C9593
@, xrefs: 00007FF6235C9777
h, xrefs: 00007FF6235C94DD
WaitForSingleObject, xrefs: 00007FF6235C9691
Kernel32.dll, xrefs: 00007FF6235C961E, 00007FF6235C963B, 00007FF6235C965C, 00007FF6235C967D
OpenProcess, xrefs: 00007FF6235C962E
%s%s, xrefs: 00007FF6235C9511
ExitProcess, xrefs: 00007FF6235C964F
WinExec, xrefs: 00007FF6235C9670
Windows\System32\svchost.exe, xrefs: 00007FF6235C94FC

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Process$Virtual$AddressLibraryLoadProcProtect$AllocCreateCurrentMemoryOpenThreadTokenWrite$AdjustDirectoryFileLookupModuleNamePrivilegePrivilegesRemoteResumeSleepSystemValue
String ID: %s%s$@$ExitProcess$Kernel32.dll$OpenProcess$SeDebugPrivilege$WaitForSingleObject$WinExec$Windows\System32\svchost.exe$h
API String ID: 3040193174-4212407401
Opcode ID: 6fd3f4fde48d0361eb2d5c202ab323ad8a247f6fe0c7ba3ad29a459755052d7c
Instruction ID: 36f0b74f71216cd9df3a99610c6f3aef83727a69a2ae5d85a172baa53183cb9f
Opcode Fuzzy Hash: 6fd3f4fde48d0361eb2d5c202ab323ad8a247f6fe0c7ba3ad29a459755052d7c
Instruction Fuzzy Hash: 18A15E32A04B8285EB219F21EC557E923A4FB89788F404175DE4DB7BA4EF3CD245C705

Function 00007FF6235CADB0 Relevance: 63.3, APIs: 30, Strings: 6, Instructions: 286stringclipboardfileCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,00000000,00000000,00002514,00000000,00000000,00000000,00007FF6235C7A51), ref: 00007FF6235CAE08
GetTickCount.KERNEL32 ref: 00007FF6235CAE0E
GetTickCount.KERNEL32 ref: 00007FF6235CAE25
OpenClipboard.USER32 ref: 00007FF6235CAE33
GetClipboardData.USER32 ref: 00007FF6235CAE3E
GlobalSize.KERNEL32 ref: 00007FF6235CAE53
GlobalLock.KERNEL32 ref: 00007FF6235CAE63
wsprintfW.USER32 ref: 00007FF6235CAECE
WaitForSingleObject.KERNEL32 ref: 00007FF6235CAEE0
CreateFileW.KERNEL32 ref: 00007FF6235CAF14
SetFilePointer.KERNEL32 ref: 00007FF6235CAF3C
lstrlenW.KERNEL32 ref: 00007FF6235CAF47
WriteFile.KERNEL32 ref: 00007FF6235CAF6A
CloseHandle.KERNEL32 ref: 00007FF6235CAF73
ReleaseMutex.KERNEL32 ref: 00007FF6235CAF80
GlobalUnlock.KERNEL32 ref: 00007FF6235CAF9B
CloseClipboard.USER32 ref: 00007FF6235CAFA1
GetForegroundWindow.USER32 ref: 00007FF6235CAFBB
GetWindowTextW.USER32 ref: 00007FF6235CAFD8
lstrlenW.KERNEL32 ref: 00007FF6235CB00E
GetLocalTime.KERNEL32 ref: 00007FF6235CB021
wsprintfW.USER32 ref: 00007FF6235CB074
GetKeyState.USER32 ref: 00007FF6235CB153
lstrlenW.KERNEL32 ref: 00007FF6235CB1A0
lstrlenW.KERNEL32 ref: 00007FF6235CB1C1
wsprintfW.USER32 ref: 00007FF6235CB211
wsprintfW.USER32 ref: 00007FF6235CB22F
lstrlenW.KERNEL32 ref: 00007FF6235CB2A7

Strings

[esc], xrefs: 00007FF6235CADFC
%s%s, xrefs: 00007FF6235CB24D
[, xrefs: 00007FF6235CB05C
%s%s, xrefs: 00007FF6235CB21B
%s%s, xrefs: 00007FF6235CB207
[, xrefs: 00007FF6235CAEC2

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrlen$wsprintf$ClipboardFileGlobal$CloseCountTickWindow$CreateDataForegroundHandleLocalLockMutexObjectOpenPointerReleaseSingleSizeSleepStateTextTimeUnlockWaitWrite
String ID: [$[$%s%s$%s%s$%s%s$[esc]
API String ID: 3669393114-972647286
Opcode ID: fffc5d82002a8ed72db2a007b73f01bf304c84ff01a829126f2514e0b534c1bd
Instruction ID: 5fe271d4972e76dcd7578be7e31315fcd09b842b704ff75a2d759539496f29d3
Opcode Fuzzy Hash: fffc5d82002a8ed72db2a007b73f01bf304c84ff01a829126f2514e0b534c1bd
Instruction Fuzzy Hash: 21D18D36A0CB4282FF109B65EC4A2B963A4FF85744F404572D94EB2BA4DF7CE548D742

Function 00007FF6235CD410 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 385stringtimeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00007FF6235CD437
wsprintfW.USER32 ref: 00007FF6235CD47F
lstrlenW.KERNEL32 ref: 00007FF6235CD4C5
lstrlenW.KERNEL32 ref: 00007FF6235CD4E6
lstrlenW.KERNEL32 ref: 00007FF6235CD4F9
lstrlenW.KERNEL32 ref: 00007FF6235CD58D
lstrlenW.KERNEL32 ref: 00007FF6235CD5AC
lstrlenW.KERNEL32 ref: 00007FF6235CD5BF
lstrlenW.KERNEL32 ref: 00007FF6235CD649
lstrlenW.KERNEL32 ref: 00007FF6235CD65C
CreateEventA.KERNEL32 ref: 00007FF6235CD7AD

Strings

p1:, xrefs: 00007FF6235CD4EF
%4d.%2d.%2d-%2d:%2d:%2d, xrefs: 00007FF6235CD471
t1:, xrefs: 00007FF6235CD652
o1:, xrefs: 00007FF6235CD5B5

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrlen$CreateEventLocalTimewsprintf
String ID: %4d.%2d.%2d-%2d:%2d:%2d$o1:$p1:$t1:
API String ID: 2157945651-1225219777
Opcode ID: ffa54dc6aacd8b7c489ab2f030bdae777e95d9fe9fee655a7fecff1d3dc8717e
Instruction ID: 501b26f40ff63bf26ecb37c87fa53e07661afe0622b8dc2adde40f6f1eec5f34
Opcode Fuzzy Hash: ffa54dc6aacd8b7c489ab2f030bdae777e95d9fe9fee655a7fecff1d3dc8717e
Instruction Fuzzy Hash: F2F1D362A1869286EF209F25DC423BD23E1FB45B98F004672DA4EF7AD5DF7CA581C701

Function 00007FF6235C9900 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 118libraryloaderfileCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF6235C9935
GetProcAddress.KERNEL32 ref: 00007FF6235C9948
GetProcAddress.KERNEL32 ref: 00007FF6235C9976
FreeLibrary.KERNEL32 ref: 00007FF6235C99A7
CreateFileW.KERNEL32 ref: 00007FF6235C99D4
GetProcAddress.KERNEL32 ref: 00007FF6235C9A1C
WriteFile.KERNEL32 ref: 00007FF6235C9A66
CloseHandle.KERNEL32 ref: 00007FF6235C9A7E
Sleep.KERNEL32 ref: 00007FF6235C9A91
GetProcAddress.KERNEL32 ref: 00007FF6235C9AA1
FreeLibrary.KERNEL32 ref: 00007FF6235C9ABC

Strings

InternetReadFile, xrefs: 00007FF6235C9A12
wininet.dll, xrefs: 00007FF6235C9923
InternetOpenW, xrefs: 00007FF6235C993E
InternetCloseHandle, xrefs: 00007FF6235C9A97
InternetOpenUrlW, xrefs: 00007FF6235C996C
MSIE 6.0, xrefs: 00007FF6235C9959

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: AddressProc$Library$FileFree$CloseCreateHandleLoadSleepWrite
String ID: InternetCloseHandle$InternetOpenUrlW$InternetOpenW$InternetReadFile$MSIE 6.0$wininet.dll
API String ID: 2977986460-1099148085
Opcode ID: 067ce2f794736821cf202725aa30ed0aa3c92a2ab4f8812fc9fc05c1c4d827d7
Instruction ID: e78c3f0f82054ecaceca633a4b68d1fbef42c4c18775cc2c1460a99527304642
Opcode Fuzzy Hash: 067ce2f794736821cf202725aa30ed0aa3c92a2ab4f8812fc9fc05c1c4d827d7
Instruction Fuzzy Hash: 3741C025A0974282EF20DB11BC1677A67A0FB8AB94F484170DD9E67B94EF3CD444CB41

Function 00007FF6235D0DA0 Relevance: 27.3, APIs: 18, Instructions: 322clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6235DD26C: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235DD289
Part of subcall function 00007FF6235DD26C: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF6235DD2AC
Part of subcall function 00007FF6235DD26C: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235DD341

Part of subcall function 00007FF6235D15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235D15B9
Part of subcall function 00007FF6235D15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235D15DE
Part of subcall function 00007FF6235D15A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235D1608
Part of subcall function 00007FF6235D15A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235D16A2
Part of subcall function 00007FF6235D15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235D16B2
Part of subcall function 00007FF6235D15A0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235D16D7
Part of subcall function 00007FF6235D15A0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235D1701

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D0FE2
lstrlenW.KERNEL32 ref: 00007FF6235D1005
Sleep.KERNEL32 ref: 00007FF6235D1065
OpenClipboard.USER32 ref: 00007FF6235D107B
GetClipboardData.USER32 ref: 00007FF6235D108A
GlobalLock.KERNEL32 ref: 00007FF6235D109B
GlobalUnlock.KERNEL32 ref: 00007FF6235D10B6
CloseClipboard.USER32 ref: 00007FF6235D10BC
CloseClipboard.USER32 ref: 00007FF6235D10D8
OpenClipboard.USER32 ref: 00007FF6235D1100
EmptyClipboard.USER32 ref: 00007FF6235D110A
GlobalAlloc.KERNEL32 ref: 00007FF6235D1122
GlobalLock.KERNEL32 ref: 00007FF6235D1133
GlobalUnlock.KERNEL32 ref: 00007FF6235D115D
SetClipboardData.USER32 ref: 00007FF6235D116B
CloseClipboard.USER32 ref: 00007FF6235D1171
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D11FE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D1204

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Lockitstd::_$Clipboard$GlobalLockit::_$Lockit::~_$Close_invalid_parameter_noinfo_noreturn$DataLockOpenUnlock$AllocEmptySetgloballocaleSleeplstrlenstd::locale::_
String ID:
API String ID: 1851032462-0
Opcode ID: 7627f68610b1894b460692bd5adc3dbaa890ec027b034b53a83515536de8aba5
Instruction ID: 3889251a7a7f51d47e8aceec3cb8c04fc9afe61548fa37e819c6c68e0416892e
Opcode Fuzzy Hash: 7627f68610b1894b460692bd5adc3dbaa890ec027b034b53a83515536de8aba5
Instruction Fuzzy Hash: FED1E362B0878A82EF109F65E8022AD63A1FF89B94F104175EA5DB7BD9DF3CE441C701

Function 00007FF6235CCD40 Relevance: 26.7, APIs: 7, Strings: 8, Instructions: 406threadinjectionprocessCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32 ref: 00007FF6235CCF12
CreateProcessA.KERNEL32 ref: 00007FF6235CCF6E
VirtualAllocEx.KERNEL32 ref: 00007FF6235CCF97
WriteProcessMemory.KERNEL32 ref: 00007FF6235CCFBC
GetThreadContext.KERNEL32 ref: 00007FF6235CCFE0
SetThreadContext.KERNEL32 ref: 00007FF6235CD001
ResumeThread.KERNEL32 ref: 00007FF6235CD014

Strings

@, xrefs: 00007FF6235CCF8A
nlyloadinmyself, xrefs: 00007FF6235CCD94
%s%s, xrefs: 00007FF6235CCF27
h, xrefs: 00007FF6235CCEE6
plugmark, xrefs: 00007FF6235CCE43
02e6e16e-c851-4d99-a47c-2e46c0c70650, xrefs: 00007FF6235CD262
Windows\System32\svchost.exe, xrefs: 00007FF6235CCF18
%s %s, xrefs: 00007FF6235CD05B, 00007FF6235CD1EF, 00007FF6235CD2D3, 00007FF6235CD369

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Thread$ContextProcess$AllocCreateDirectoryMemoryResumeSystemVirtualWrite
String ID: %s %s$%s%s$02e6e16e-c851-4d99-a47c-2e46c0c70650$@$Windows\System32\svchost.exe$h$nlyloadinmyself$plugmark
API String ID: 4033188109-2064863529
Opcode ID: 39cb0ed868284d1e7928880f05503a86ba10bcdc2c17875e8f87faef0a13c5dc
Instruction ID: 3ef134e4529b70517c83a2d352bb31b804f72350f6f4097955da69a56908f5e3
Opcode Fuzzy Hash: 39cb0ed868284d1e7928880f05503a86ba10bcdc2c17875e8f87faef0a13c5dc
Instruction Fuzzy Hash: D112A162B08A8282EB20CF25D8452BD77A1FB95B88F448576DF4DA7B96DF3CD185C301

Function 00007FF6235CE3E9 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 64shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6235CE3E9
OpenProcessToken.ADVAPI32 ref: 00007FF6235CE3FE
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6235CE426
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6235CE44A
GetLastError.KERNEL32 ref: 00007FF6235CE450
CloseHandle.KERNEL32 ref: 00007FF6235CE45D
ExitWindowsEx.USER32 ref: 00007FF6235CE56F
GetCurrentProcess.KERNEL32 ref: 00007FF6235CE575
OpenProcessToken.ADVAPI32 ref: 00007FF6235CE58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6235CE5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6235CE5D6
GetLastError.KERNEL32 ref: 00007FF6235CE5DC
CloseHandle.KERNEL32 ref: 00007FF6235CE5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF6235CE415, 00007FF6235CE5A5

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: 40da0a47c9c7c1cc3a1aa31b778f4d13c03be2ed2b90204a7f89449c4a5765b5
Instruction ID: 8d48bab0fffe0a3e7302714e766bb312b9bc217679b46a5e82347c05d6d46121
Opcode Fuzzy Hash: 40da0a47c9c7c1cc3a1aa31b778f4d13c03be2ed2b90204a7f89449c4a5765b5
Instruction Fuzzy Hash: 7C312D35908F8282EB208F25FC153AA6364FB86B5AF104475DA4EB7AA4CF3DD189C705

Function 00007FF6235DA680 Relevance: 25.8, APIs: 17, Instructions: 347memoryCOMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA6C5
GetNativeSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA74A
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA79F
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA7BE
VirtualAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA821
GetProcessHeap.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA842
HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA856
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA873
VirtualFree.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA88F
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA8AC
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DAB92

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$Alloc$ErrorLast$FreeHeap$InfoNativeProcessSystem
String ID:
API String ID: 1282860858-0
Opcode ID: bc094b2e2349ffbc07eff65132924311638ab0ecebfd180c525b8fe56df94986
Instruction ID: 769492e65b552be008d7e7a9ea16f1e8e9ca386439a47b249fa8f82f868c14be
Opcode Fuzzy Hash: bc094b2e2349ffbc07eff65132924311638ab0ecebfd180c525b8fe56df94986
Instruction Fuzzy Hash: 4AD19F32B19A4A86EF608F16E85677A73A1EF45B84F054075DE4EB7B80EF3CE4418302

Function 00007FF6235CE46D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 62shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6235CE46D
OpenProcessToken.ADVAPI32 ref: 00007FF6235CE482
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6235CE4AA
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6235CE4CE
GetLastError.KERNEL32 ref: 00007FF6235CE4D4
CloseHandle.KERNEL32 ref: 00007FF6235CE4E1
ExitWindowsEx.USER32 ref: 00007FF6235CE56F
GetCurrentProcess.KERNEL32 ref: 00007FF6235CE575
OpenProcessToken.ADVAPI32 ref: 00007FF6235CE58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6235CE5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6235CE5D6
GetLastError.KERNEL32 ref: 00007FF6235CE5DC
CloseHandle.KERNEL32 ref: 00007FF6235CE5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF6235CE499, 00007FF6235CE5A5

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: a792fc21bd502bb1f53feba3e0ea592908ea8fd6b5dd88df7bff687d3cdc374e
Instruction ID: d8d20577fccc83676e32f2f78ae1279a43637d7b6c6e0a7ea9f2e756fd481b16
Opcode Fuzzy Hash: a792fc21bd502bb1f53feba3e0ea592908ea8fd6b5dd88df7bff687d3cdc374e
Instruction Fuzzy Hash: C5313C35608F8282EB208F25FC153AA6364FB86B5AF104076D94EB7AA4DF3DD189C705

Function 00007FF6235CE4EE Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 61shutdownCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6235CE4EE
OpenProcessToken.ADVAPI32 ref: 00007FF6235CE503
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6235CE52B
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6235CE54F
GetLastError.KERNEL32 ref: 00007FF6235CE555
CloseHandle.KERNEL32 ref: 00007FF6235CE562
ExitWindowsEx.USER32 ref: 00007FF6235CE56F
GetCurrentProcess.KERNEL32 ref: 00007FF6235CE575
OpenProcessToken.ADVAPI32 ref: 00007FF6235CE58A
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6235CE5B2
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6235CE5D6
GetLastError.KERNEL32 ref: 00007FF6235CE5DC
CloseHandle.KERNEL32 ref: 00007FF6235CE5F1

Strings

SeShutdownPrivilege, xrefs: 00007FF6235CE51A, 00007FF6235CE5A5

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue$ExitWindows
String ID: SeShutdownPrivilege
API String ID: 1423298842-3733053543
Opcode ID: c4512c4a51b1fe7d902806900a56825f16f8507878c75a96d79f3f5efe7084bf
Instruction ID: 19caa1370020ab5b39216cb058e4b0de3b9d4c5d84c5a8b0eea2601bc08e78a7
Opcode Fuzzy Hash: c4512c4a51b1fe7d902806900a56825f16f8507878c75a96d79f3f5efe7084bf
Instruction Fuzzy Hash: 60311C35608F8282EB208F25FC153AA6364FB86B5AF104075D94EB7AA4DF3DD189C705

Function 00007FF6235F8824 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF6235F8872
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F8EDE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F9054
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F9312
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F9532
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F976F
memcpy_s.LIBCPMT ref: 00007FF6235F984A
memcpy_s.LIBCPMT ref: 00007FF6235F98F5
memcpy_s.LIBCPMT ref: 00007FF6235F99C4

Strings

1#IND, xrefs: 00007FF6235F895F
1#SNAN, xrefs: 00007FF6235F8982
1#QNAN, xrefs: 00007FF6235F898B
1#INF, xrefs: 00007FF6235F899B

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 8a8cdf450ad9da4e3e91848c83b2fc9670f44cdb81e1e9276785e569651f6bed
Instruction ID: 81aa9b350c14a56582d1cfd7481e3f0105ca9b30a35974d97a0dd0ded17f693c
Opcode Fuzzy Hash: 8a8cdf450ad9da4e3e91848c83b2fc9670f44cdb81e1e9276785e569651f6bed
Instruction Fuzzy Hash: BCB2D272A186828BEB648E64D9427FD37A1FB55388F505175DE0DB7A84DF3CAA00CB42

Function 00007FF6235D0880 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 129registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6235D08F0
RegQueryValueExW.ADVAPI32 ref: 00007FF6235D096F
lstrcpyW.KERNEL32 ref: 00007FF6235D0AF2
RegCloseKey.ADVAPI32 ref: 00007FF6235D0B04
RegCloseKey.ADVAPI32 ref: 00007FF6235D0B12

Strings

%08X, xrefs: 00007FF6235D0A8D

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Close$OpenQueryValuelstrcpy
String ID: %08X
API String ID: 2032971926-3773563069
Opcode ID: 32c954eb57fda164b81f0150aeb248f5c32c45763a12c98c87c6a1606aaef6c8
Instruction ID: 6a9cabadd5fb9b90b4b621395ed031bf34d7f330baf66822631de55586a14ef8
Opcode Fuzzy Hash: 32c954eb57fda164b81f0150aeb248f5c32c45763a12c98c87c6a1606aaef6c8
Instruction Fuzzy Hash: C7516172608AC281EB70CB15E8457ABB3A1FF85754F804135DB9DA3A98DF3CD549CB09

Function 00007FF6235F797C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6235EED10: GetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED1F
Part of subcall function 00007FF6235EED10: FlsGetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED34
Part of subcall function 00007FF6235EED10: SetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDBF

TranslateName.LIBCMT ref: 00007FF6235F79E6
TranslateName.LIBCMT ref: 00007FF6235F7A21
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF6235ED778), ref: 00007FF6235F7A68
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF6235ED778), ref: 00007FF6235F7AA0
GetLocaleInfoW.KERNEL32 ref: 00007FF6235F7C5D

Strings

utf8, xrefs: 00007FF6235F7B84

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: ed249922890c5a667d77dbf9e0f0f5ff4edc5bc12cc14daec0a02a097362d650
Instruction ID: 51504353add50202b1c2e2f8b5b135ae6d3e066f2557fb0b5d69ebb7b6b09d3b
Opcode Fuzzy Hash: ed249922890c5a667d77dbf9e0f0f5ff4edc5bc12cc14daec0a02a097362d650
Instruction Fuzzy Hash: AF918A32A0874282EF24AF61DC022B923A5EB46BC0F4585B5DE8CB7785EF3DE551C342

Function 00007FF6235F83C4 Relevance: 10.7, APIs: 7, Instructions: 172COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6235EED10: GetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED1F
Part of subcall function 00007FF6235EED10: FlsGetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED34
Part of subcall function 00007FF6235EED10: SetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDBF

Part of subcall function 00007FF6235EED10: FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED55

GetUserDefaultLCID.KERNEL32(00000000,00000092,?,?), ref: 00007FF6235F8534

Part of subcall function 00007FF6235EED10: FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED82
Part of subcall function 00007FF6235EED10: FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED93
Part of subcall function 00007FF6235EED10: FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDA4

EnumSystemLocalesW.KERNEL32(00000000,00000092,?,?,00000000,?,?,00007FF6235ED771), ref: 00007FF6235F851B
ProcessCodePage.LIBCMT ref: 00007FF6235F855E
IsValidCodePage.KERNEL32 ref: 00007FF6235F8570
IsValidLocale.KERNEL32 ref: 00007FF6235F8586
GetLocaleInfoW.KERNEL32 ref: 00007FF6235F85E2
GetLocaleInfoW.KERNEL32 ref: 00007FF6235F85FE

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 22d8bcddac7133f8b6f7a06d5e5334a0f8ea8210c2b9d064d69f21135d6cdb9b
Instruction ID: a7a8a12237501ad6537ba34b5b4000f960643d24338a0885ee7c73683d17ebcb
Opcode Fuzzy Hash: 22d8bcddac7133f8b6f7a06d5e5334a0f8ea8210c2b9d064d69f21135d6cdb9b
Instruction Fuzzy Hash: 01717A22B08B029AFF509F60DC566B923A4BF06B48F6444B5CE0DB3B95EF3CA445C352

Function 00007FF6235DE66C Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF6235DE688
RtlCaptureContext.KERNEL32 ref: 00007FF6235DE6B5
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6235DE6CF
RtlVirtualUnwind.KERNEL32 ref: 00007FF6235DE710
IsDebuggerPresent.KERNEL32 ref: 00007FF6235DE764
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6235DE781
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6235DE78C

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 045e81cc47e066d153aaaf5b50bd9fe289779446efb159575806e036ae1ed661
Instruction ID: da369609e8753de1991605f95e6aad94a0081cd2d5fd1b5e7a1e41285d75d8a3
Opcode Fuzzy Hash: 045e81cc47e066d153aaaf5b50bd9fe289779446efb159575806e036ae1ed661
Instruction Fuzzy Hash: 3D313C72609B8286EB608F60EC417FD73A4FB85744F44407ADA4EA7B98EF38D648C715

Function 00007FF6235CE36A Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 31COMMON

Download Yara Rule

APIs

OpenEventLogW.ADVAPI32 ref: 00007FF6235CE397
ClearEventLogW.ADVAPI32 ref: 00007FF6235CE3AA
CloseEventLog.ADVAPI32 ref: 00007FF6235CE3B3

Strings

System, xrefs: 00007FF6235CE382
Application, xrefs: 00007FF6235CE36A
Security, xrefs: 00007FF6235CE376

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Event$ClearCloseOpen
String ID: Application$Security$System
API String ID: 1391105993-2169399579
Opcode ID: 1bb91c5c2b3888595093d95bda04c9b415b5dc93057c8244563c58f3f028a90d
Instruction ID: d2780398d5acbd2e0f98e0359d762874cccd7006cc5df0a9699ad1e54fa30938
Opcode Fuzzy Hash: 1bb91c5c2b3888595093d95bda04c9b415b5dc93057c8244563c58f3f028a90d
Instruction Fuzzy Hash: 53F03126A09F4281EE158B15FC02265A3A8FF89BA5F045475CD4EA3764EF3DE0968705

Function 00007FF6235E3D0C Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6235E3D85
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6235E3D9D
RtlVirtualUnwind.KERNEL32 ref: 00007FF6235E3DD8
IsDebuggerPresent.KERNEL32 ref: 00007FF6235E3E11
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6235E3E1B
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6235E3E26

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: fa8f028e9fcd13a2b73484911b7de9c78ca1ddcb2e97266c57a75bc76a24fdd2
Instruction ID: d36e2ea9d0b95d2f34cf83cd00c93231f6ba2955e55512f3efa4312fcd7313ed
Opcode Fuzzy Hash: fa8f028e9fcd13a2b73484911b7de9c78ca1ddcb2e97266c57a75bc76a24fdd2
Instruction Fuzzy Hash: 96318F32608B8186DB60CF25EC412AE73A4FB89B54F540176EE8DA7B98DF3CD545CB01

Function 00007FF6235F4190 Relevance: 7.8, APIs: 5, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F41DC
FindFirstFileExW.KERNEL32 ref: 00007FF6235F42E6

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: FileFindFirst_invalid_parameter_noinfo
String ID:
API String ID: 2227656907-0
Opcode ID: 68b5c0f69695cefe4d2b1cac7d4572eefde3aab897b1af24f4d9a3b1cd0a2181
Instruction ID: 66ac8f4aa1cba6157ebc7d0ee937df1827bce4fbac32f01a67ad25342382d931
Opcode Fuzzy Hash: 68b5c0f69695cefe4d2b1cac7d4572eefde3aab897b1af24f4d9a3b1cd0a2181
Instruction Fuzzy Hash: 30B1D662B1869241EE60DB21EC062BE63A1FB46BD4F445171EE5DB7BC9DF3CE4418302

Function 00007FF6235DC82C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6235DC88D
IsDebuggerPresent.KERNEL32 ref: 00007FF6235DC8A5
OutputDebugStringW.KERNEL32 ref: 00007FF6235DC8B6

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF6235DC8AF

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 6ee909605b01ed677f0d258b83eb54f87cb27d04152a024ec70f484db7e8edcc
Instruction ID: b492db7000ec387ba1120b4cd9a77c99f72a8807d4421e77c457f4259e448e93
Opcode Fuzzy Hash: 6ee909605b01ed677f0d258b83eb54f87cb27d04152a024ec70f484db7e8edcc
Instruction Fuzzy Hash: 1C116A32A18B4296FB049B22EA463B933A0FB04745F404175CA4DE2A90EF7CE075C711

Function 00007FF6235EB5F0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF6235EB656
memcpy_s.LIBCPMT ref: 00007FF6235EB681

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction ID: cd7be3f5232b954bc446ca1dd2507cfabae263405a53ed04311f687cc9fa3d80
Opcode Fuzzy Hash: a3a34dc7f104a5757306e0e4006adbba08ef9a00a3e13a0073f806107d450ba3
Instruction Fuzzy Hash: 33C1D372A1CB8687EF248F16A44566ABBE1F784B85F449134DB4EA3B44DF3DE801CB40

Function 00007FF6235F7E40 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6235EED10: GetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED1F
Part of subcall function 00007FF6235EED10: FlsGetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED34
Part of subcall function 00007FF6235EED10: SetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDBF

Part of subcall function 00007FF6235EED10: FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED55

GetLocaleInfoW.KERNEL32 ref: 00007FF6235F7EAC

Part of subcall function 00007FF6235F3FCC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F3FE9

GetLocaleInfoW.KERNEL32 ref: 00007FF6235F7EF5

Part of subcall function 00007FF6235F3FCC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235F4042

GetLocaleInfoW.KERNEL32 ref: 00007FF6235F7FBD

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 47a608bb907d4de4290f427b339ca80dcd83f241fa12a378f23bb4634d50531a
Instruction ID: 936c6b935a38517ed9f2a16ce9a5aff3faf984ca90570b57866d551f6f4e039e
Opcode Fuzzy Hash: 47a608bb907d4de4290f427b339ca80dcd83f241fa12a378f23bb4634d50531a
Instruction Fuzzy Hash: C861AC32A0864286EF249F21E8422B973A5FB45780F5081B5DFAEF3691DF3CE591C702

Function 00007FF6235F0FB0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF6235ED94A), ref: 00007FF6235F1024

Strings

GetLocaleInfoEx, xrefs: 00007FF6235F0FCC, 00007FF6235F0FDD

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 3b61ae466ef5758e0e9e9450f631c2e40b05ac649b5573246797acb4bca5b173
Instruction ID: 0df03b9cca02c606930b058caf547646e97a988d502380400e38647fefacd878
Opcode Fuzzy Hash: 3b61ae466ef5758e0e9e9450f631c2e40b05ac649b5573246797acb4bca5b173
Instruction Fuzzy Hash: C601A221B08B8186EF009B56B9021AAA764BF85BD0F584075DE4DB7F59CF3CDA418741

Function 00007FF6235F3A00 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF6235F3C4F
RaiseException.KERNEL32 ref: 00007FF6235F3C60

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 122b1925bd55db41e804c5b079ebde0f01de1123b2666aa23313b6dae26d6c44
Instruction ID: 5a6055f661338f0db93261174cae1336b845cdaa8da44c9b19ebbbf678fb5ef4
Opcode Fuzzy Hash: 122b1925bd55db41e804c5b079ebde0f01de1123b2666aa23313b6dae26d6c44
Instruction Fuzzy Hash: 79B16A73604B898BEB15CF2AC8463683BA0F785B48F198962DE5DA77A4CF3DD451C701

Function 00007FF6235E75E0 Relevance: 2.8, Strings: 2, Instructions: 350COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6235E774E
, xrefs: 00007FF6235E7990

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 551e646fd59d23c1ee018d61c48a67f2a52f50f5278fc9195615cae8faf456cd
Instruction ID: 7e2cca900c8afaea65aff76b2b4d8bdb8995c456f94bca16c2ad45b858d3e2f1
Opcode Fuzzy Hash: 551e646fd59d23c1ee018d61c48a67f2a52f50f5278fc9195615cae8faf456cd
Instruction Fuzzy Hash: 0CE1CE76A0874282EF688E29885213D33A0FF45B88F2452B5DB5EB7794DF39E841D742

Function 00007FF6235EF950 Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF6235EFA5D
gfff, xrefs: 00007FF6235EFADA

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: a347cb712251c494c0ac76841d0ca458a250c6be9a7c463d0ead6691c264c289
Instruction ID: 6675576ae5650dfb1920db31ddf384ff57ff76d0c18c13a6e3f6708633c2ec9e
Opcode Fuzzy Hash: a347cb712251c494c0ac76841d0ca458a250c6be9a7c463d0ead6691c264c289
Instruction Fuzzy Hash: 28517963B183C186EB218E35AC027697B91E745B94F09C2B1CF9CABAC5CF3DD4408702

Function 00007FF6235EA798 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF6235EA8E0

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 773e53d09e5455f04dc57cd524f4ca394a315c5928bf5f5768ba6214c405212f
Instruction ID: d1b4e552091d2403a878a341ad4c06272e2ba52b7d5374dd180d5f62f98081b6
Opcode Fuzzy Hash: 773e53d09e5455f04dc57cd524f4ca394a315c5928bf5f5768ba6214c405212f
Instruction Fuzzy Hash: 4612AF22A08BC186EB51CF3899562FD73A4FB59748F059275EFDCA6692DF38E185C300

Function 00007FF6235F5FD4 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22158b38decd8d90c74f2f99d25a665006446744f2e1b5a41cef00b0dd0ad41
Instruction ID: c2861c34f75a8515b4495453d5a6b1083b30ccdaa52c67861a442f682d6e5a67
Opcode Fuzzy Hash: e22158b38decd8d90c74f2f99d25a665006446744f2e1b5a41cef00b0dd0ad41
Instruction Fuzzy Hash: BFE16136A04B8186EB20DB61E8422FE77A4FB55788F404632DF8DA3796EF78D245C341

Function 00007FF6235C2E50 Relevance: 1.8, Strings: 1, Instructions: 571COMMON

Download Yara Rule

Strings

[RO] %ld bytes, xrefs: 00007FF6235C3450, 00007FF6235C35BB

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID: [RO] %ld bytes
API String ID: 0-772938740
Opcode ID: 4874844c38418d14ede67d35d8ec1f57646d452b183219fb2a06a3d7a21df842
Instruction ID: 4793e979891e84d869a1d78e1bf280b36cbb83f617a1e13be30bfca42b09fe47
Opcode Fuzzy Hash: 4874844c38418d14ede67d35d8ec1f57646d452b183219fb2a06a3d7a21df842
Instruction Fuzzy Hash: FB42BE336093C58FC329CF28D84029E7BA0F755B48F048569DB8AA7B86DB3CE855CB51

Function 00007FF6235F8088 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6235EED10: GetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED1F
Part of subcall function 00007FF6235EED10: FlsGetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED34
Part of subcall function 00007FF6235EED10: SetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDBF

Part of subcall function 00007FF6235EED10: FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED55

GetLocaleInfoW.KERNEL32 ref: 00007FF6235F80F0

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: fd4313f3ed39529f0e214070d5eb9b22141959494d17c08f529f82dcba2f0cc7
Instruction ID: 09c4265360497fb845cc6557fd3ea7d1d4d2de6b460d5e4a595c98b4af00e8fd
Opcode Fuzzy Hash: fd4313f3ed39529f0e214070d5eb9b22141959494d17c08f529f82dcba2f0cc7
Instruction Fuzzy Hash: 60318032B0868286FF24AB21DC427AA73A1FB45780F548575DE9DE3695DF3CE5418701

Function 00007FF6235F7CD8 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6235EED10: GetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED1F
Part of subcall function 00007FF6235EED10: FlsGetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED34
Part of subcall function 00007FF6235EED10: SetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDBF

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6235F84C7,00000000,00000092,?,?,00000000,?,?,00007FF6235ED771), ref: 00007FF6235F7D76

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 15ac7d5427dd9fc22c9c1f247fbd5354b0666d540418ec543f069a2b87512e20
Instruction ID: 343bb88fce13496851979802b33cb093bf63ca2f2777d4a484ec56101db95528
Opcode Fuzzy Hash: 15ac7d5427dd9fc22c9c1f247fbd5354b0666d540418ec543f069a2b87512e20
Instruction Fuzzy Hash: 0C110263A086458AEF148F25D8816B837A1FB81FE0F958135CA2DA33C0CF38D6D1C741

Function 00007FF6235F8290 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6235EED10: GetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED1F
Part of subcall function 00007FF6235EED10: FlsGetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED34
Part of subcall function 00007FF6235EED10: SetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDBF

GetLocaleInfoW.KERNEL32(?,?,?,00007FF6235F803A), ref: 00007FF6235F82C7

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 02c8055d8d650acd3e8a74c68ff88f338c75fb4c0e3c19cf7d436b4e0503b1ee
Instruction ID: 2eece46668bd3b87725f70e4a979541a241c293b53dd9fce9ca47a29548d8bac
Opcode Fuzzy Hash: 02c8055d8d650acd3e8a74c68ff88f338c75fb4c0e3c19cf7d436b4e0503b1ee
Instruction Fuzzy Hash: CB113A32F1865283EF748725FC42A7E2260EB417A4F648671DE6DB36D4EF2DE8818301

Function 00007FF6235F7DA8 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6235EED10: GetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED1F
Part of subcall function 00007FF6235EED10: FlsGetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED34
Part of subcall function 00007FF6235EED10: SetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDBF

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF6235F8483,00000000,00000092,?,?,00000000,?,?,00007FF6235ED771), ref: 00007FF6235F7E26

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 5727eb7e919169bab7f3b731904feba02bf0749f82d0e8f83876c19ff70cc26c
Instruction ID: 47bfc05def80cdfacd31e857f52489725eda750cf7f8e217dff22ef1bb9c605b
Opcode Fuzzy Hash: 5727eb7e919169bab7f3b731904feba02bf0749f82d0e8f83876c19ff70cc26c
Instruction Fuzzy Hash: 8001F572F0824146EF205B25EC427B976A1EB41BE4F558272DB2CF72C4CFBC98818701

Function 00007FF6235F0AD8 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF6235F0F7F,?,?,?,?,?,?,?,?,00000000,00007FF6235F7328), ref: 00007FF6235F0B27

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 0f058bcf8847595df1816a53f4d47a97cac47f7a866e7bb19b671d0c18a11263
Instruction ID: 9ab0df9e942a5a8e945f8944475b640165e52d5bbbc792dd26cec60c9d3d7c13
Opcode Fuzzy Hash: 0f058bcf8847595df1816a53f4d47a97cac47f7a866e7bb19b671d0c18a11263
Instruction Fuzzy Hash: A9F01972B08B4183FA04DB65EC925A9A366FB99B80F548075EA8DE7765CF3CD460C341

Function 00007FF6235EF4BC Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF6235EF7FE

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 91511e75055787009b36da5e0b5904dd2b35cdbec92fe664924b5d59d9c2ed42
Instruction ID: b728f93016c7b769824af7a165d121903ba5c012a20a2525686fce047ace6875
Opcode Fuzzy Hash: 91511e75055787009b36da5e0b5904dd2b35cdbec92fe664924b5d59d9c2ed42
Instruction Fuzzy Hash: 96A14563B0978686EF21CF29A8017A97B91AB50B84F068172DE8DA7795DF3DD502C702

Function 00007FF6235E684C Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF6235E6A2E

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 5fb6afdc90124b9ccfbc1fc7428f51e6266c183c57cc2358b46b47bb293d3794
Instruction ID: e6d9cd1b6c69625c03ae6b3cc668452c0b53d9f99e6d3cee694e0dc0c684ec60
Opcode Fuzzy Hash: 5fb6afdc90124b9ccfbc1fc7428f51e6266c183c57cc2358b46b47bb293d3794
Instruction Fuzzy Hash: 38B16C72A0878585EF648F29C85223C7BF4F749B88F2851B6CA4EA7396CF39D441D702

Function 00007FF6235F29E4 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6235F2A89

Part of subcall function 00007FF6235F0A28: HeapAlloc.KERNEL32(?,?,00000000,00007FF6235EEEEA,?,?,000045EA9EF29F99,00007FF6235E8DA5,?,?,?,?,00007FF6235F27E6,?,?,00000000), ref: 00007FF6235F0A7D

Part of subcall function 00007FF6235EE95C: RtlFreeHeap.NTDLL(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE972
Part of subcall function 00007FF6235EE95C: GetLastError.KERNEL32(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE97C

Part of subcall function 00007FF6235FA24C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235FA27F

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: 211458dcc4182629a49dfa16bd233c2fd01fa5b79e8a7313d1c8d1c4e015e553
Instruction ID: 7e5b13d3b8cd43e0560a17bafd9b842477538e3e8d25910e1902148472cb26ae
Opcode Fuzzy Hash: 211458dcc4182629a49dfa16bd233c2fd01fa5b79e8a7313d1c8d1c4e015e553
Instruction Fuzzy Hash: 5041F265B2974301EE709E266C537BAA680BF96BC0F444575EE8DF7B85EF3CE4008642

Function 00007FF6235D9330 Relevance: .7, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction ID: 1c356eb182f70e9734377680b3a582e99785c4b22ea016af80cb66b08aeaffe5
Opcode Fuzzy Hash: f9d3e26cd520c0d7484bca21c75386a0081201fe8f2cf936fcf25e5b7a4aa551
Instruction Fuzzy Hash: EC22CEB7B3805047D36DCB1DEC52FA97692B7A5308748A02CBA07D3F45EA3DEA458A44

Function 00007FF6235D79D0 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction ID: 5d3b825dbee109a967e869bf1479519b3c8b189f547c64ba6db977c9f44ae900
Opcode Fuzzy Hash: 2dbab6f601d912f7832fe87e6cb8010b159b99cec89eaaed4f22644e13967388
Instruction Fuzzy Hash: 66C1DC73B186A58BEB09CE26E951569B792F7C4BD0B55C134DA0E67B88DF3CD801CB00

Function 00007FF6235E71DC Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e5dc7f97a53f24eb071f4a4c5281cd4cfcae3ea760a8a1df74637965631acf6
Instruction ID: 97de3b5104f9d7e6623ed680764242e230e57c746452908791cb27633546d390
Opcode Fuzzy Hash: 3e5dc7f97a53f24eb071f4a4c5281cd4cfcae3ea760a8a1df74637965631acf6
Instruction Fuzzy Hash: 2CD1E422A0874286EF68CE29D85227D27A1FB09B48F1452B5DF5DB76D4DF3DE841C342

Function 00007FF6235ED5C0 Relevance: .3, Instructions: 310COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: 21e64ea7c375e93a6d3691ec49e9bdd76ef4fc5f4d0d1dcdba5dc2295bd766ac
Instruction ID: c94a0c36471d07c93107ae932fd902569cd4d0fe633324c83385dbab2218ed2c
Opcode Fuzzy Hash: 21e64ea7c375e93a6d3691ec49e9bdd76ef4fc5f4d0d1dcdba5dc2295bd766ac
Instruction Fuzzy Hash: C4C1D466A0878249EF609B629C127BA67E0FB94788F404076DE8DF76D9EF3CD541C702

Function 00007FF6235F73EC Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: d774b1686d68766547d9d0affe500116b26f703ac014ee2f743871d76f2ddb8c
Instruction ID: 213ea04fc42f92b8c1cf30848c7f3eeb4cc19dadbf556d3c9e2a3cf2f372c8cb
Opcode Fuzzy Hash: d774b1686d68766547d9d0affe500116b26f703ac014ee2f743871d76f2ddb8c
Instruction Fuzzy Hash: 61B1D022A1864682EF649F25DC126B933A1EB45BC8F404275DE4DF76C9DF3CE541C782

Function 00007FF6235E64C8 Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf611d711d996cef35472e7504a5935af8ed11963d98eb5a37693ba2286e55b
Instruction ID: eaf22552c118c07571bc74d35fc3007aac0065bdc9f839948502a53f217036fa
Opcode Fuzzy Hash: 9cf611d711d996cef35472e7504a5935af8ed11963d98eb5a37693ba2286e55b
Instruction Fuzzy Hash: F4B19F7291874585EF648F29C85227C3BE0EB49F88F2811B6CB4DA7396CF39E841D746

Function 00007FF6235EAF20 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c771e48c11f0d915594974b4bba5b1cef921b70c42e7a63ac30c42f7e56c6b99
Instruction ID: c4a64ccfb2a90f0d30e26169038f94ee4a80f933452476d56abcfe623b5226d1
Opcode Fuzzy Hash: c771e48c11f0d915594974b4bba5b1cef921b70c42e7a63ac30c42f7e56c6b99
Instruction Fuzzy Hash: 1981A176A18B5186EF648F25D88237923A0FB84BA8F144676EE6EF7795CF38D0418301

Function 00007FF6235EFFD0 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c06df77d5c41abf0c9103d11d2ff5cfa312f76e721c7628385afe64dabe37a34
Instruction ID: 64777c795675ff3620574a30385c68a2346ef9b4f67627324af23d85b9c63b01
Opcode Fuzzy Hash: c06df77d5c41abf0c9103d11d2ff5cfa312f76e721c7628385afe64dabe37a34
Instruction Fuzzy Hash: 5381D272A0878186EFB48B19E84237A6B91FF56794F484275DE8DA3B85CF3DE5408B01

Function 00007FF6235D2FA0 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction ID: f1ed803bb26c853c642f9dfa635114602febb033e0ad8b7e35627c422fb70bbf
Opcode Fuzzy Hash: f6f6a1a1a1cf9baf0de81f1e4df80e775a01d7d2970379cd065fadcfc056c7f6
Instruction Fuzzy Hash: 8661E662B18BCD82DE208F59F8426A96360FB59790F549335EB9DA7B54EF3DE180C340

Function 00007FF6235E5A1C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction ID: 2962f31ab6ca0feba2a21f19ad6247d3861f604dac2b731fe3aaa47155d1be6a
Opcode Fuzzy Hash: 8e69dfdcc94a0aa650623f7423aa354004c1f2fa01d5c1268249020d4c21f447
Instruction Fuzzy Hash: C2519276A1875186EB248F29D89123833A1EB44B68F288571CE4DB7794CF3AE843C741

Function 00007FF6235E51FC Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction ID: 46693d545f5ae9a163b69e14be56877d11eaf08e190711b9657fde26398d26f2
Opcode Fuzzy Hash: 68a3f5aab59b2fac328bd6ba34d5b1cd1fa94c6914f84dc4a79da3b9d8ff9a98
Instruction Fuzzy Hash: DC519D36A18B5182EF648F29C85122C37A1EB48B68F248571DE4DB77A4CF3AE843C741

Function 00007FF6235E560C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction ID: 48475c190c7c1cf6d905e24755e5b94a0bc2d29e405c87abf62290f39674ea2a
Opcode Fuzzy Hash: 27099d1c67046ba5536a5c52bb1b19252402c8bb4a5167aa336477e7b6d5f807
Instruction Fuzzy Hash: 8351A176A18B5186EF248F29C44123837A0EB44BA8F258571CE4DB7795CF3AEC53D781

Function 00007FF6235E5408 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction ID: e4ec2c82bf75ce59960429d66fe8e898935d79b78f7bf63e097dcebf9d1aa26a
Opcode Fuzzy Hash: f6a3dccb135ddd09f63c505db29ff29986bf9dd63497299e7c799fac6b959aa4
Instruction Fuzzy Hash: 4351B377A1875186EB648F2AD44133C37A1EB44B58F2845B2CE4DB77A4DF3AE842C781

Function 00007FF6235E5818 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction ID: 2fe903500dbd0f01123f8b06e9d34259810356eac98a671e0158bc9e467afa09
Opcode Fuzzy Hash: e46230d8c0bb23a9b26f12389beaf27d8e9063d4bba2e4d98de2a57eaa924be5
Instruction Fuzzy Hash: 38518D72A1875586EB248F29C84127837B0EB48B68F384571DE4DB7795DF3AE842C781

Function 00007FF6235E4FF8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction ID: cf42e2d80941d5939bb66525166259ad2c02258ba1f6bd06bfdfa669e85cef3a
Opcode Fuzzy Hash: db363646d287334b7a31293e9082935613ba5dde14aee32d187fc7345eaa1eeb
Instruction Fuzzy Hash: A551A377A1879186EF248F29C84523837A0EB44B59F248571DE8DB77A4DF3AEC42C781

Function 00007FF6235EC7BC Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 992bdeb28752ac81bb160f4e9466717d9b532df2d17ea574ae2dd87a94b6b211
Instruction ID: f64652a6ae1de06d6bb59aff8d82d8dadff4c4154830825fe858519cef5dfdad
Opcode Fuzzy Hash: 992bdeb28752ac81bb160f4e9466717d9b532df2d17ea574ae2dd87a94b6b211
Instruction Fuzzy Hash: 2041D172714A5582EF08CF6ADD25169A3A1BB48FC0B49A032EE8DE7B58DF3CD4428340

Function 00007FF6235FCB60 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6db13767cb4ef8546692f7daaddc1c348767b8ea185383b737debd21f48b2f6e
Instruction ID: 3f4867af5ae1b2e9116dc21f66924572d48eb97ecf2b3a13a72f1b4065891b18
Opcode Fuzzy Hash: 6db13767cb4ef8546692f7daaddc1c348767b8ea185383b737debd21f48b2f6e
Instruction Fuzzy Hash: FCF044716582558AEB948F68A813A297798F748380B908479D58DD3F14DB7CD0509F09

Function 00007FF6235DE814 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9500c7797480eaac07bce270d35ebf5893055aa53205c196292c9b063e5a007a
Instruction ID: 7eca23d234f7e567c6c60f9a891be01b74d191a48992c7d1311b307ef0168b13
Opcode Fuzzy Hash: 9500c7797480eaac07bce270d35ebf5893055aa53205c196292c9b063e5a007a
Instruction Fuzzy Hash: 1EA0022190CE47D0EE048B00ED5213023B0EB96B01B4D00F1C40DF14A09F3DB540C397

Function 00007FF6235C4C50 Relevance: 33.2, APIs: 22, Instructions: 199windowthreadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6235C4C65
SwitchToThread.KERNEL32 ref: 00007FF6235C4C9D
SetLastError.KERNEL32 ref: 00007FF6235C4CDC
SetEvent.KERNEL32 ref: 00007FF6235C4D17
MsgWaitForMultipleObjects.USER32 ref: 00007FF6235C4D4B
PeekMessageW.USER32 ref: 00007FF6235C4D66
TranslateMessage.USER32 ref: 00007FF6235C4D75
DispatchMessageW.USER32 ref: 00007FF6235C4D80
PeekMessageW.USER32 ref: 00007FF6235C4D97
CloseHandle.KERNEL32 ref: 00007FF6235C4DC4
send.WS2_32 ref: 00007FF6235C4E01
SetEvent.KERNEL32 ref: 00007FF6235C4E18
WSACloseEvent.WS2_32 ref: 00007FF6235C4E2D
shutdown.WS2_32 ref: 00007FF6235C4E49
closesocket.WS2_32 ref: 00007FF6235C4E53
EnterCriticalSection.KERNEL32 ref: 00007FF6235C4E70
ResetEvent.KERNEL32 ref: 00007FF6235C4E7D
ResetEvent.KERNEL32 ref: 00007FF6235C4E8A
ResetEvent.KERNEL32 ref: 00007FF6235C4E97
SetEvent.KERNEL32 ref: 00007FF6235C4F2C
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C4F39
SetLastError.KERNEL32 ref: 00007FF6235C4F79

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Event$Message$Reset$CloseCriticalErrorLastPeekSectionThread$CurrentDispatchEnterHandleLeaveMultipleObjectsSwitchTranslateWaitclosesocketsendshutdown
String ID:
API String ID: 4058177064-0
Opcode ID: d4a00dac0fba48dd619eb6ba1b780ae101c1c81bf132304460c16c28b79e9ffb
Instruction ID: dc96b266e8c26585ed017fa63904918ecacf2150da4bc685a44014443bc7377d
Opcode Fuzzy Hash: d4a00dac0fba48dd619eb6ba1b780ae101c1c81bf132304460c16c28b79e9ffb
Instruction Fuzzy Hash: CF918D76B08B8297EB599B21DD566B973A0FB44744F004975CB6DE3AA0CF3CE4A4C702

Function 00007FF6235D0620 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 140stringprocessCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF6235D0698
lstrlenW.KERNEL32 ref: 00007FF6235D06BA
wsprintfW.USER32 ref: 00007FF6235D0722
ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6235D0786
lstrcatW.KERNEL32 ref: 00007FF6235D07C1
lstrcatW.KERNEL32 ref: 00007FF6235D07CE
lstrcpyW.KERNEL32 ref: 00007FF6235D07DC
CreateProcessW.KERNEL32 ref: 00007FF6235D085B

Strings

%s\shell\open\command, xrefs: 00007FF6235D0714
WinSta0\Default, xrefs: 00007FF6235D0813
h, xrefs: 00007FF6235D07E5
"%1, xrefs: 00007FF6235D078C

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: lstrcatlstrlen$CreateEnvironmentExpandProcessStringslstrcpywsprintf
String ID: "%1$%s\shell\open\command$WinSta0\Default$h
API String ID: 1783372451-551013563
Opcode ID: eac3ac33eed5e84588de99090fdd2237e456d1a0e0148cdd7090aa018ec508cf
Instruction ID: 3302dfa8a9c6ceb4e3db101ee7af39eefb1d806964ca3ec6658dd6d9100354f7
Opcode Fuzzy Hash: eac3ac33eed5e84588de99090fdd2237e456d1a0e0148cdd7090aa018ec508cf
Instruction Fuzzy Hash: 94615B32A18B8685EF20DB61DC422E923A0FF89748F444176DA4DB7A99EF3CD645CB41

Function 00007FF6235C4270 Relevance: 21.1, APIs: 14, Instructions: 119networkstringCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 00007FF6235C429F
WSAIoctl.WS2_32 ref: 00007FF6235C42F8
setsockopt.WS2_32 ref: 00007FF6235C431D
setsockopt.WS2_32 ref: 00007FF6235C4342
WSACreateEvent.WS2_32 ref: 00007FF6235C4348
lstrlenW.KERNEL32 ref: 00007FF6235C4355
WideCharToMultiByte.KERNEL32 ref: 00007FF6235C4378
lstrlenW.KERNEL32 ref: 00007FF6235C4390
WideCharToMultiByte.KERNEL32 ref: 00007FF6235C43B3
gethostbyname.WS2_32 ref: 00007FF6235C43C0
htons.WS2_32 ref: 00007FF6235C43ED
WSAEventSelect.WS2_32 ref: 00007FF6235C4413
connect.WS2_32 ref: 00007FF6235C442D
WSAGetLastError.WS2_32 ref: 00007FF6235C443C

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ByteCharEventMultiWidelstrlensetsockopt$CreateErrorIoctlLastSelectconnectgethostbynamehtonssocket
String ID:
API String ID: 1455939504-0
Opcode ID: e29aee751ba035bfa70c15ae0e3b0f7247e17a471693f6df1d39858999031e9a
Instruction ID: 2fbcbcd1945130e37de4af129045be748488025c0806f685b074c955d225a50e
Opcode Fuzzy Hash: e29aee751ba035bfa70c15ae0e3b0f7247e17a471693f6df1d39858999031e9a
Instruction Fuzzy Hash: 5D516172608B9186EB208F21E84566AB7A5FB85BA4F100235EE9DA3F98CF3CD045C705

Function 00007FF6235D15A0 Relevance: 18.2, APIs: 12, Instructions: 153COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235D15B9
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235D15DE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235D1608
std::_Facet_Register.LIBCPMT ref: 00007FF6235D1688
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235D16A2
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235D16B2
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235D16D7
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235D1701
std::_Facet_Register.LIBCPMT ref: 00007FF6235D1777
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235D1791
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235D17AA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235D17B0

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: abf8e540b54f698cc9b45021eb612f4fee3d5b077170ba2ec9f9a82e9aa791c4
Instruction ID: a9ef9c8b2c52f7ff9a6896eed249985fc66fb55d63eb7481af06a22e7a951065
Opcode Fuzzy Hash: abf8e540b54f698cc9b45021eb612f4fee3d5b077170ba2ec9f9a82e9aa791c4
Instruction Fuzzy Hash: BE518E32A08B4685FE519B25EC061B923A5FF55B90F0802B2DA9DB77A5DF3CE443D302

Function 00007FF6235C46A0 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 171networktimeCOMMON

Download Yara Rule

APIs

WSAEnumNetworkEvents.WS2_32 ref: 00007FF6235C46C7
WSAGetLastError.WS2_32 ref: 00007FF6235C46D8
WSAResetEvent.WS2_32 ref: 00007FF6235C4717
WSAEventSelect.WS2_32 ref: 00007FF6235C479C
WSAGetLastError.WS2_32 ref: 00007FF6235C47A7
timeGetTime.WINMM ref: 00007FF6235C47D2
timeGetTime.WINMM ref: 00007FF6235C481D
send.WS2_32 ref: 00007FF6235C4852
WSAGetLastError.WS2_32 ref: 00007FF6235C485D

Strings

, xrefs: 00007FF6235C48F8

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$EventTimetime$EnumEventsNetworkResetSelectsend
String ID:
API String ID: 957247320-3916222277
Opcode ID: 2310baa555e0df77a8bcfccd4f7fd94b27c56680d13eb448f7d2580fe2531f2f
Instruction ID: a5f8e8e8f963b29902f508ee0ab0e025abafed032b5a1dd4ae1b59d07f7b8223
Opcode Fuzzy Hash: 2310baa555e0df77a8bcfccd4f7fd94b27c56680d13eb448f7d2580fe2531f2f
Instruction Fuzzy Hash: 48716BB2A087828BEB618F29D885769B7E0FB44B48F144474CB4DE36D5CF7DE4868B41

Function 00007FF6235C5A80 Relevance: 16.7, APIs: 11, Instructions: 154networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6235C5AC4
WSASetLastError.WS2_32 ref: 00007FF6235C5C69
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C5C73

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: cb0b3ee4ce24505bbac61aa70540e6acda4bbb341cea077ae408a959c4223429
Instruction ID: 9637e26df39d94919ebb656c66a43a59600cfdfc46769b43a19d94c6d2a1860b
Opcode Fuzzy Hash: cb0b3ee4ce24505bbac61aa70540e6acda4bbb341cea077ae408a959c4223429
Instruction Fuzzy Hash: BE618F32B08A4282EB589B12DD4A67D6365FB85B88F804871CE1EF76D0DF3CE859C701

Function 00007FF6235C5090 Relevance: 16.6, APIs: 11, Instructions: 87COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6235C50F5
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C5107
SetLastError.KERNEL32 ref: 00007FF6235C51DB

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: 31685a7c47cc355b0b84d769594d8f48275261b6e3cd822618b6b5c873848fb6
Instruction ID: ed069e92236172d7025181ed9982fdc3b2ef70c40ac83622acb9e8f748f7541f
Opcode Fuzzy Hash: 31685a7c47cc355b0b84d769594d8f48275261b6e3cd822618b6b5c873848fb6
Instruction Fuzzy Hash: 04316B21B1CB8286EF589B569C8E1796361FF45B88F5408B4DE8EF7AD0CF2CA445C302

Function 00007FF6235D0B40 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 52registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6235D0B91
RegDeleteValueW.ADVAPI32 ref: 00007FF6235D0B9F
RegCloseKey.ADVAPI32 ref: 00007FF6235D0BAA
RegCreateKeyW.ADVAPI32 ref: 00007FF6235D0BCA
lstrlenW.KERNEL32 ref: 00007FF6235D0BD7
RegSetValueExW.ADVAPI32 ref: 00007FF6235D0BF9
RegCloseKey.ADVAPI32 ref: 00007FF6235D0C04

Strings

Software, xrefs: 00007FF6235D0B73
VenNetwork, xrefs: 00007FF6235D0B69

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpenlstrlen
String ID: Software$VenNetwork
API String ID: 3197061591-1820303132
Opcode ID: b270a5905e67aa2bd04960c5a5af98d5e64a07028cd1629e036b508084a2e799
Instruction ID: 5609330b5dcda39b3851cf7efaa45495ddd63995363bf1e0503add9793291963
Opcode Fuzzy Hash: b270a5905e67aa2bd04960c5a5af98d5e64a07028cd1629e036b508084a2e799
Instruction Fuzzy Hash: BB216F36608B4087EB108B22FC4566AB765FB85BE5F444131DE4EA3B68CFBCD149CB05

Function 00007FF6235C5FC0 Relevance: 15.1, APIs: 10, Instructions: 140COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6235C5FE4
EnterCriticalSection.KERNEL32 ref: 00007FF6235C6004
SetLastError.KERNEL32 ref: 00007FF6235C6016
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C606F

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalErrorLastSection$EnterLeave
String ID:
API String ID: 2124651672-0
Opcode ID: ba3e2043a30928e4cf0dd0a6aa21304fb3d64fad1c8207218715581e30546e70
Instruction ID: 487a537cfcc0c548a4b415e217ec5626af4dd4e304fe28fef7375016cae9ec84
Opcode Fuzzy Hash: ba3e2043a30928e4cf0dd0a6aa21304fb3d64fad1c8207218715581e30546e70
Instruction Fuzzy Hash: 2351DD32A086428BEB649F11E84653C77E5FB48B88F094579DE4EB7791CF38E901C742

Function 00007FF6235E4880 Relevance: 14.5, APIs: 3, Strings: 5, Instructions: 475COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E48C0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E4C88
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E4F27

Strings

f, xrefs: 00007FF6235E4B0D
p, xrefs: 00007FF6235E4965
f, xrefs: 00007FF6235E4958
f, xrefs: 00007FF6235E49C2
p, xrefs: 00007FF6235E49CA

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$f$p$p$f
API String ID: 3215553584-1325933183
Opcode ID: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction ID: 03326b666496861b2ed0d8af703911ef0734be598df87202784bf943078c0b1b
Opcode Fuzzy Hash: 338c2a64cdc3021812c5b6ddca5db7159329e9a17ba8d876efc02d9e71b2fbd5
Instruction Fuzzy Hash: 521272B2B0C35386FF209E14E9466797262FB88750F884171E69DB76C4DF3CE9808B16

Function 00007FF6235C4080 Relevance: 13.6, APIs: 9, Instructions: 111timenetworkCOMMON

Download Yara Rule

APIs

CreateWaitableTimerW.KERNEL32 ref: 00007FF6235C40C6
setsockopt.WS2_32 ref: 00007FF6235C4165
setsockopt.WS2_32 ref: 00007FF6235C418F
ResetEvent.KERNEL32 ref: 00007FF6235C41DE
SetLastError.KERNEL32 ref: 00007FF6235C420A
WSAGetLastError.WS2_32 ref: 00007FF6235C4216
SetLastError.KERNEL32 ref: 00007FF6235C4228
GetLastError.KERNEL32 ref: 00007FF6235C4241
SetLastError.KERNEL32 ref: 00007FF6235C4253

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$setsockopt$CreateEventResetTimerWaitable
String ID:
API String ID: 2911610646-0
Opcode ID: 34ebcb83ecca3e20ff49f256afc65ca9a808d404bf61d5c783bec37bfef76818
Instruction ID: 4a9e3725317065928bfe68ff7c9c0eb749f840af784f514644bcda195f63645d
Opcode Fuzzy Hash: 34ebcb83ecca3e20ff49f256afc65ca9a808d404bf61d5c783bec37bfef76818
Instruction Fuzzy Hash: 45518B72A09B8287EB158F25E90976973A0FB44748F000534DB4CA7B90DF7DE465CB01

Function 00007FF6235C5D10 Relevance: 13.6, APIs: 9, Instructions: 93timenetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,-00000004,00007FF6235C49B9), ref: 00007FF6235C5D5E
timeGetTime.WINMM(?,?,-00000004,00007FF6235C49B9), ref: 00007FF6235C5D95
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF6235C49B9), ref: 00007FF6235C5DB5
timeGetTime.WINMM(?,?,-00000004,00007FF6235C49B9), ref: 00007FF6235C5DFA
SetEvent.KERNEL32 ref: 00007FF6235C5E27
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C5E3B
WSASetLastError.WS2_32(?,?,-00000004,00007FF6235C49B9), ref: 00007FF6235C5E52
LeaveCriticalSection.KERNEL32(?,?,-00000004,00007FF6235C49B9), ref: 00007FF6235C5E61
WSASetLastError.WS2_32(?,?,-00000004,00007FF6235C49B9), ref: 00007FF6235C5E73

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$Leave$ErrorLastTimetime$EnterEvent
String ID:
API String ID: 3019579578-0
Opcode ID: 4019db875c6352495a6e2a967cb07e89537093c69e3cddfa206385f108ce449b
Instruction ID: 42a0dac32e141d8099e304626b37259b1565be8303497822e5540c94b077d074
Opcode Fuzzy Hash: 4019db875c6352495a6e2a967cb07e89537093c69e3cddfa206385f108ce449b
Instruction Fuzzy Hash: F3415B3290874287EB708B52E80623EB361FB84758F1409B5DA4EB3AD4DF3CF8858742

Function 00007FF6235C5E90 Relevance: 13.6, APIs: 9, Instructions: 77COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32 ref: 00007FF6235C5EAA
TryEnterCriticalSection.KERNEL32 ref: 00007FF6235C5ECB
TryEnterCriticalSection.KERNEL32 ref: 00007FF6235C5EDD
SetLastError.KERNEL32 ref: 00007FF6235C5EF6
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C5F00
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C5F0A

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeave
String ID:
API String ID: 4082018349-0
Opcode ID: bf041e3c240114bd2df664f35279ad8215a3420238d0dd4b213a5f2d55893e77
Instruction ID: bd2f8437412471316ee50e7359c2c91485df13ef13b45f335a91df1e25e8a649
Opcode Fuzzy Hash: bf041e3c240114bd2df664f35279ad8215a3420238d0dd4b213a5f2d55893e77
Instruction Fuzzy Hash: AB313B72A18A428AEB948F65D84927D33A4FF44B4CF4408B1DA0EF6694DF3CE499C702

Function 00007FF6235E0EA8 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF6235E0F05

Part of subcall function 00007FF6235E3268: __GetUnwindTryBlock.LIBCMT ref: 00007FF6235E32AB
Part of subcall function 00007FF6235E3268: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF6235E32D0

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6235E0FDD
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF6235E122B
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6235E1338

Strings

csm, xrefs: 00007FF6235E1000
csm, xrefs: 00007FF6235E0F1F
csm, xrefs: 00007FF6235E0F86

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: cb5b3d42660800b6706ee9e5169d6ae77bc1ec10b54460efee445a81ffa0bcf3
Instruction ID: 4e117cce551e98f2f08015c9d63351f7791022ea7cfaa282f3f4f1157c3e1a4d
Opcode Fuzzy Hash: cb5b3d42660800b6706ee9e5169d6ae77bc1ec10b54460efee445a81ffa0bcf3
Instruction Fuzzy Hash: AFD17F32A0878586EF24DB65D8423AD77A0FB49798F100175EE8DB7B96DF38E191C702

Function 00007FF6235F0B54 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FF6235F0CD0
GetProcAddress.KERNEL32 ref: 00007FF6235F0CDC

Strings

api-ms-, xrefs: 00007FF6235F0C1A
ext-ms-, xrefs: 00007FF6235F0C2D

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: c5e8058506f29389ada01458bdd8bed04f407a28a220f5367f3ecbd3c22801fb
Instruction ID: 9b6bb49964131fd39dc96ff36a06a149568fb511b37583a7e29fb302c304136d
Opcode Fuzzy Hash: c5e8058506f29389ada01458bdd8bed04f407a28a220f5367f3ecbd3c22801fb
Instruction Fuzzy Hash: 6041F161B19B0281FE15CB16AC0227A6295BF16BA0F494576DD4DFB784EF3CE4458302

Function 00007FF6235CE01F Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 00007FF6235CE0E9
WriteFile.KERNEL32 ref: 00007FF6235CE119
CloseHandle.KERNEL32 ref: 00007FF6235CE12A
lstrlenW.KERNEL32 ref: 00007FF6235CE135
wsprintfW.USER32 ref: 00007FF6235CE159
lstrcpyW.KERNEL32 ref: 00007FF6235CE168

Part of subcall function 00007FF6235D0620: lstrlenW.KERNEL32 ref: 00007FF6235D0698
Part of subcall function 00007FF6235D0620: wsprintfW.USER32 ref: 00007FF6235D0722
Part of subcall function 00007FF6235D0620: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6235D0786
Part of subcall function 00007FF6235D0620: lstrcatW.KERNEL32 ref: 00007FF6235D07C1
Part of subcall function 00007FF6235D0620: lstrcatW.KERNEL32 ref: 00007FF6235D07CE

Strings

%s %s, xrefs: 00007FF6235CE152

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Filelstrcatlstrlenwsprintf$CloseCreateEnvironmentExpandHandleStringsWritelstrcpy
String ID: %s %s
API String ID: 958574092-2939940506
Opcode ID: 9d4b93ecebe44ad3dcfc41bef5c72ffa3e96dd61b2b13565d963145b1ed2cd72
Instruction ID: b1242a108d66212853ad98aecf1c081c74d48df3f637fe7531dad1c8c04f334a
Opcode Fuzzy Hash: 9d4b93ecebe44ad3dcfc41bef5c72ffa3e96dd61b2b13565d963145b1ed2cd72
Instruction Fuzzy Hash: 2D416226A18BC681EB118F2CD9052FD2360F795B4CF11A321DF4C66692EF39E2D5C300

Function 00007FF6235C4A90 Relevance: 12.1, APIs: 8, Instructions: 104networkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6235C4AD0
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C4B20
send.WS2_32 ref: 00007FF6235C4B49
EnterCriticalSection.KERNEL32 ref: 00007FF6235C4B58
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C4B6F
WSAGetLastError.WS2_32 ref: 00007FF6235C4BA9
EnterCriticalSection.KERNEL32 ref: 00007FF6235C4BB9
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C4BFB

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ErrorLastsend
String ID:
API String ID: 3480985631-0
Opcode ID: 223d6e403172c637e9da5f06492e840e62a0238e832c6a19f43c9c4cbc36de86
Instruction ID: 3bb86c89cefeca6e7e402712b88e05a8ce37f839b076f2d83189bb67a95fb4b9
Opcode Fuzzy Hash: 223d6e403172c637e9da5f06492e840e62a0238e832c6a19f43c9c4cbc36de86
Instruction Fuzzy Hash: A1418D72608B8282EB558F26E9456AC73A4FB04F9CF180575CF1DA7B98CF38E551C711

Function 00007FF6235E9720 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E9763
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E9B50
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E9DEC

Strings

p, xrefs: 00007FF6235E9815
f, xrefs: 00007FF6235E9885
p, xrefs: 00007FF6235E988D

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction ID: c14f016fbf616df6ea894eb2b3c1f354b842c32dbefad8dd8f9bee5c1c220484
Opcode Fuzzy Hash: 42fb3e65d0f17d18353857ebdda260012259b146ac6ef5ada1715a4ca3ec7708
Instruction Fuzzy Hash: 3A12B462E0C35386FF245A15E9566BA72B6FB80754F844175EA8DF7AC4DF3CE4808B02

Function 00007FF6235C4470 Relevance: 10.6, APIs: 7, Instructions: 143threadnetworktimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF6235C448E
SetWaitableTimer.KERNEL32 ref: 00007FF6235C44C3
WSAWaitForMultipleEvents.WS2_32 ref: 00007FF6235C456D
GetCurrentThreadId.KERNEL32 ref: 00007FF6235C4676

Part of subcall function 00007FF6235C4A90: EnterCriticalSection.KERNEL32 ref: 00007FF6235C4AD0
Part of subcall function 00007FF6235C4A90: LeaveCriticalSection.KERNEL32 ref: 00007FF6235C4B20
Part of subcall function 00007FF6235C4A90: send.WS2_32 ref: 00007FF6235C4B49
Part of subcall function 00007FF6235C4A90: EnterCriticalSection.KERNEL32 ref: 00007FF6235C4B58
Part of subcall function 00007FF6235C4A90: LeaveCriticalSection.KERNEL32 ref: 00007FF6235C4B6F
Part of subcall function 00007FF6235C4A90: WSAGetLastError.WS2_32 ref: 00007FF6235C4BA9
Part of subcall function 00007FF6235C4A90: EnterCriticalSection.KERNEL32 ref: 00007FF6235C4BB9
Part of subcall function 00007FF6235C4A90: LeaveCriticalSection.KERNEL32 ref: 00007FF6235C4BFB

SetLastError.KERNEL32 ref: 00007FF6235C4616

Part of subcall function 00007FF6235C5FC0: SetLastError.KERNEL32 ref: 00007FF6235C5FE4

GetLastError.KERNEL32 ref: 00007FF6235C461C
WSAGetLastError.WS2_32 ref: 00007FF6235C4641

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$ErrorLast$EnterLeave$CurrentThread$EventsMultipleTimerWaitWaitablesend
String ID:
API String ID: 2807917265-0
Opcode ID: b86a4d89a2a610e9370193a82eb041067802b0227bafa79ad6b9f02f0420e125
Instruction ID: 0307d099120e8df021c8473a4302219e267b4ce5089a8c1e977a905310e4a63f
Opcode Fuzzy Hash: b86a4d89a2a610e9370193a82eb041067802b0227bafa79ad6b9f02f0420e125
Instruction Fuzzy Hash: 0E516DB170874286EF618F259C46A7923A4EB05B5CF141A71DE2DF76D9DF38E4808742

Function 00007FF6235CB9E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235CBA4B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6235CBA93
_Getctype.LIBCPMT ref: 00007FF6235CBAAB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235CBB63
_Getwctype.LIBCPMT ref: 00007FF6235CBBB1

Strings

bad locale name, xrefs: 00007FF6235CBB86

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: 69cc4a8b7b19662485723bada806c81d00e2c443d81482d7207a293efd463004
Instruction ID: 72c339d0248bf8ed6274fe64c3f3ae9f1b998627450faab1521a99c337d2dc13
Opcode Fuzzy Hash: 69cc4a8b7b19662485723bada806c81d00e2c443d81482d7207a293efd463004
Instruction Fuzzy Hash: 8E518622B09B458AFF14DBB0D8522BC33B4EF84748F444575DE8EB6A9ADF38E5568301

Function 00007FF6235D1E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6235D1E80
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6235D1EC8
_Getcoll.LIBCPMT ref: 00007FF6235D1EE0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6235D1F6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D1FC9

Strings

bad locale name, xrefs: 00007FF6235D1FCF

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: std::_$Lockit$GetcollLocinfo::_Locinfo_ctorLockit::_Lockit::~__invalid_parameter_noinfo_noreturn
String ID: bad locale name
API String ID: 3908275632-1405518554
Opcode ID: 547efca0749532fe16a4a51e07bad1bbee508b3b10b870f5b11536083eee9189
Instruction ID: f9fad232a545e618948c83b5ef74b264e3bca1106acc61b9e71967b2dc130879
Opcode Fuzzy Hash: 547efca0749532fe16a4a51e07bad1bbee508b3b10b870f5b11536083eee9189
Instruction Fuzzy Hash: 59516722B09B4689FF50DBB0D8523BC33A5AF89748F444175DE4DBBA9ACF38D5469302

Function 00007FF6235E37CC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF6235E3A7E,?,?,?,00007FF6235E3770,?,?,?,00007FF6235E03A9), ref: 00007FF6235E3851
GetLastError.KERNEL32(?,?,?,00007FF6235E3A7E,?,?,?,00007FF6235E3770,?,?,?,00007FF6235E03A9), ref: 00007FF6235E385F
LoadLibraryExW.KERNEL32(?,?,?,00007FF6235E3A7E,?,?,?,00007FF6235E3770,?,?,?,00007FF6235E03A9), ref: 00007FF6235E3889
FreeLibrary.KERNEL32(?,?,?,00007FF6235E3A7E,?,?,?,00007FF6235E3770,?,?,?,00007FF6235E03A9), ref: 00007FF6235E38F7
GetProcAddress.KERNEL32(?,?,?,00007FF6235E3A7E,?,?,?,00007FF6235E3770,?,?,?,00007FF6235E03A9), ref: 00007FF6235E3903

Strings

api-ms-, xrefs: 00007FF6235E3871

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: bdcdafd802d049a58c0b09305f9ac5b25268f61174ed16779f6a01e1bd42f6da
Instruction ID: 00a0cc0352c1e0e30ce52f3e791cf45ea7b58da2eb18557997d121bd59760ec9
Opcode Fuzzy Hash: bdcdafd802d049a58c0b09305f9ac5b25268f61174ed16779f6a01e1bd42f6da
Instruction Fuzzy Hash: 7831AE21B1FB4291EE65DB02AC025762394BF48BA4F5A0576DD1DBB790EF3CE445C302

Function 00007FF6235D0C20 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 82processstringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32 ref: 00007FF6235D0C30
GetFileAttributesW.KERNEL32 ref: 00007FF6235D0CBD
GetLastError.KERNEL32 ref: 00007FF6235D0CCC
CreateProcessW.KERNEL32 ref: 00007FF6235D0D59

Strings

WinSta0\Default, xrefs: 00007FF6235D0CEB
h, xrefs: 00007FF6235D0D39

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: AttributesCreateErrorFileLastProcesslstrlen
String ID: WinSta0\Default$h
API String ID: 591566999-1620045033
Opcode ID: 1ceca65180fb4a563620d507f9660d1a76dcb955b3d7348028c680a32d12ef86
Instruction ID: 9d7b500770b0a687b0237bf37807427f6e35a2eae28f569c54b41216b4750289
Opcode Fuzzy Hash: 1ceca65180fb4a563620d507f9660d1a76dcb955b3d7348028c680a32d12ef86
Instruction Fuzzy Hash: 57319522A0C7C245DA709B14BD0137AA391FB85790F014335EA9DA7B99EF3CD0848701

Function 00007FF6235EED10 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED1F
FlsGetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED34
FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED55
FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED82
FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EED93
FlsSetValue.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDA4
SetLastError.KERNEL32(?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F,?,?,?,00007FF6235E66E3), ref: 00007FF6235EEDBF

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f2de6421f07b29a90cfdc6310c4a09f0568ac7a9393794dea83b72160e9ddcb3
Instruction ID: 44a1c6ba5138033fb46c131877c56ba3ce07e0adf8f886c9092e74da97af678a
Opcode Fuzzy Hash: f2de6421f07b29a90cfdc6310c4a09f0568ac7a9393794dea83b72160e9ddcb3
Instruction Fuzzy Hash: 12214924A2D70342FE9863615E4717952529F85BA4F190BB8ECBEF7BD6DF3CB4418202

Function 00007FF6235FCF20 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF6235FCF51
GetLastError.KERNEL32 ref: 00007FF6235FCF5D
CloseHandle.KERNEL32 ref: 00007FF6235FCF75
CreateFileW.KERNEL32 ref: 00007FF6235FCFA0
WriteConsoleW.KERNEL32 ref: 00007FF6235FCFBF

Strings

CONOUT$, xrefs: 00007FF6235FCF81

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 459cac5f161fe15dedf5efeb1a5c45af724dbddd491f92cbd2d9a7ab51bbc5e3
Instruction ID: bf11c6b751a56182af7c1339ac073cf4f7db7b06f9070c092522778251b66b93
Opcode Fuzzy Hash: 459cac5f161fe15dedf5efeb1a5c45af724dbddd491f92cbd2d9a7ab51bbc5e3
Instruction Fuzzy Hash: A6119031B18B4186EB509B12EC46729A6A4FB89BE4F000274EE5DE7BA4CF3CD5149742

Function 00007FF6235CACF0 Relevance: 10.5, APIs: 7, Instructions: 40filesynchronizationstringCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6235CAD09
CreateFileW.KERNEL32 ref: 00007FF6235CAD3D
SetFilePointer.KERNEL32 ref: 00007FF6235CAD62
lstrlenW.KERNEL32 ref: 00007FF6235CAD6B
WriteFile.KERNEL32 ref: 00007FF6235CAD89
CloseHandle.KERNEL32 ref: 00007FF6235CAD92
ReleaseMutex.KERNEL32 ref: 00007FF6235CAD9F

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: File$CloseCreateHandleMutexObjectPointerReleaseSingleWaitWritelstrlen
String ID:
API String ID: 4202892810-0
Opcode ID: 1770146ed1a2281a067c6a80d48e2834b530e15e6b9c6a9fb3f6106c2579b985
Instruction ID: f7f8d440b34ea085b65ea88ff0babc6fcf50038b18ae9b0f297011661b250417
Opcode Fuzzy Hash: 1770146ed1a2281a067c6a80d48e2834b530e15e6b9c6a9fb3f6106c2579b985
Instruction Fuzzy Hash: FC115175608A4282FB10DB55FC19725B760FB85BA4F044270ED6E63BE4CF7CD4498701

Function 00007FF6235CEF25 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 34registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6235CEF4F
RegDeleteValueW.ADVAPI32 ref: 00007FF6235CEF63
RegSetValueExW.ADVAPI32 ref: 00007FF6235CEF8D
RegCloseKey.ADVAPI32 ref: 00007FF6235CEF9A

Strings

Console, xrefs: 00007FF6235CEF41
IpDatespecial, xrefs: 00007FF6235CEF5C, 00007FF6235CEF70

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Value$CloseDeleteOpen
String ID: Console$IpDatespecial
API String ID: 3183427449-1840232981
Opcode ID: 227ad8f4b06cdb6b08930102bada313d7f8b98b7889bc09013c0be248a67a942
Instruction ID: 7749fef6a3e45109941ad5a48ed8ce8d437cfcc848937b1c694a85fb2d40a0a7
Opcode Fuzzy Hash: 227ad8f4b06cdb6b08930102bada313d7f8b98b7889bc09013c0be248a67a942
Instruction Fuzzy Hash: B5015E36608EC286EB218F24EC167693764FB85B55F044162CE4D63B54DF3CD199CB05

Function 00007FF6235C9380 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 26processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 00007FF6235C9399
GetCommandLineW.KERNEL32 ref: 00007FF6235C939F
GetStartupInfoW.KERNEL32 ref: 00007FF6235C93AD
CreateProcessW.KERNEL32 ref: 00007FF6235C93F0
ExitProcess.KERNEL32 ref: 00007FF6235C93FB

Strings

, xrefs: 00007FF6235C93E4

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Process$CommandCreateExitFileInfoLineModuleNameStartup
String ID:
API String ID: 3421218197-3916222277
Opcode ID: aa1260efbfd046cd4269c4db6a47a0747b5d48ad13e0b0b72107f694596a2f32
Instruction ID: a77f2a6f7dca600d483b829387df7e83da0f022e6e61d137c0304fdd770dc48c
Opcode Fuzzy Hash: aa1260efbfd046cd4269c4db6a47a0747b5d48ad13e0b0b72107f694596a2f32
Instruction Fuzzy Hash: 3FF01D32618B8286DB609B20F84975AB3A0FB89744F500235EA8E96F64EF7CC149CB00

Function 00007FF6235C4940 Relevance: 9.1, APIs: 6, Instructions: 80networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF6235C4964
SetLastError.KERNEL32 ref: 00007FF6235C4977
WSAGetLastError.WS2_32 ref: 00007FF6235C49C8
SetLastError.KERNEL32 ref: 00007FF6235C4A32
WSASetLastError.WS2_32 ref: 00007FF6235C4A3D
GetLastError.KERNEL32 ref: 00007FF6235C4A43

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLast$recv
String ID:
API String ID: 316788870-0
Opcode ID: 1bfb22ba95e7e7656d2d5e0fb302539e9b3bee6e0c9b932fa958a4b538105933
Instruction ID: 7b13804e40c34f4448ae14573984c38c4e0aaab353b5cd5aa0259ae292f44f73
Opcode Fuzzy Hash: 1bfb22ba95e7e7656d2d5e0fb302539e9b3bee6e0c9b932fa958a4b538105933
Instruction Fuzzy Hash: 96315B72B0CA4282EF618F29E84676D63B1EB45B48F540976CE0DE76D8DF3DD8848706

Function 00007FF6235E1378 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF6235E1516
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6235E183F

Strings

csm, xrefs: 00007FF6235E153D
csm, xrefs: 00007FF6235E14BF
csm, xrefs: 00007FF6235E145D

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: f0c8ce6e5c114cb55c7e972b5d7e00f12528d3fa075699b5c4d5ef1c378b05c7
Instruction ID: 7cf712737710c93074518afc760a87d20fe62eef67b9362acb7444734c28e695
Opcode Fuzzy Hash: f0c8ce6e5c114cb55c7e972b5d7e00f12528d3fa075699b5c4d5ef1c378b05c7
Instruction Fuzzy Hash: 18E1D373A087828AEB249F35D8422AC37A0FB44B48F145175DE9DB7796DF38E582C702

Function 00007FF6235C5300 Relevance: 9.1, APIs: 6, Instructions: 63synchronizationtimeCOMMON

Download Yara Rule

APIs

ResetEvent.KERNEL32 ref: 00007FF6235C531C
ResetEvent.KERNEL32 ref: 00007FF6235C5329
timeGetTime.WINMM ref: 00007FF6235C532F
WaitForSingleObject.KERNEL32 ref: 00007FF6235C5379
ResetEvent.KERNEL32 ref: 00007FF6235C5396

Part of subcall function 00007FF6235C4C50: GetCurrentThreadId.KERNEL32 ref: 00007FF6235C4C65
Part of subcall function 00007FF6235C4C50: SwitchToThread.KERNEL32 ref: 00007FF6235C4C9D
Part of subcall function 00007FF6235C4C50: SetLastError.KERNEL32 ref: 00007FF6235C4CDC

ResetEvent.KERNEL32 ref: 00007FF6235C53BD

Part of subcall function 00007FF6235E8BE0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E8C0B

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: EventReset$Thread$CurrentErrorLastObjectSingleSwitchTimeWait_invalid_parameter_noinfotime
String ID:
API String ID: 2235205178-0
Opcode ID: 590f28aa241335ba61f28d79a4cf37bde6970dd5790133cda3c336355218676e
Instruction ID: afc352ca76ca29f00ec0a11bcff4738d563ab94a0ffd2ebdb3b31334ccd3882a
Opcode Fuzzy Hash: 590f28aa241335ba61f28d79a4cf37bde6970dd5790133cda3c336355218676e
Instruction Fuzzy Hash: 4C217C32A08A8182EB50CF26EC4526973A4FB89F98F184971DE4DF77A8DF38D441C741

Function 00007FF6235EEE88 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,000045EA9EF29F99,00007FF6235E8DA5,?,?,?,?,00007FF6235F27E6,?,?,00000000,00007FF6235EA69B,?,?,?), ref: 00007FF6235EEE97
FlsSetValue.KERNEL32(?,?,000045EA9EF29F99,00007FF6235E8DA5,?,?,?,?,00007FF6235F27E6,?,?,00000000,00007FF6235EA69B,?,?,?), ref: 00007FF6235EEECD
FlsSetValue.KERNEL32(?,?,000045EA9EF29F99,00007FF6235E8DA5,?,?,?,?,00007FF6235F27E6,?,?,00000000,00007FF6235EA69B,?,?,?), ref: 00007FF6235EEEFA
FlsSetValue.KERNEL32(?,?,000045EA9EF29F99,00007FF6235E8DA5,?,?,?,?,00007FF6235F27E6,?,?,00000000,00007FF6235EA69B,?,?,?), ref: 00007FF6235EEF0B
FlsSetValue.KERNEL32(?,?,000045EA9EF29F99,00007FF6235E8DA5,?,?,?,?,00007FF6235F27E6,?,?,00000000,00007FF6235EA69B,?,?,?), ref: 00007FF6235EEF1C
SetLastError.KERNEL32(?,?,000045EA9EF29F99,00007FF6235E8DA5,?,?,?,?,00007FF6235F27E6,?,?,00000000,00007FF6235EA69B,?,?,?), ref: 00007FF6235EEF37

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 3654d854b1b7b54d09208102c236c7adbe92e0b1e90858cb6ea83a43bfdf338d
Instruction ID: 12560377369a3525d1c4affd89dc33a0013d53a559cb0e66290ebe12db790058
Opcode Fuzzy Hash: 3654d854b1b7b54d09208102c236c7adbe92e0b1e90858cb6ea83a43bfdf338d
Instruction Fuzzy Hash: 2D116A20A2D74342FE5467216D4703962526F89BB4F1806B8ECBEF77C6DF3CB4028202

Function 00007FF6235EBF30 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6235EBF55
GetProcAddress.KERNEL32 ref: 00007FF6235EBF6B
FreeLibrary.KERNEL32 ref: 00007FF6235EBF92

Strings

CorExitProcess, xrefs: 00007FF6235EBF64
mscoree.dll, xrefs: 00007FF6235EBF4C

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 69936be9a3c9092073ccdecace5a334f9bb4337f6d94747144cad9e03172cb9f
Instruction ID: 64ed8bb6614c576689ee6cc7f34b29876c2446bd73d3cfb078b79e6a9e771111
Opcode Fuzzy Hash: 69936be9a3c9092073ccdecace5a334f9bb4337f6d94747144cad9e03172cb9f
Instruction Fuzzy Hash: CFF06265A1DB0281FF108B64EC463396364BF49762F5806B5C96EF56E4DF3CD449C702

Function 00007FF6235CEFA3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF6235CEFC9
RegDeleteValueW.ADVAPI32 ref: 00007FF6235CEFDD
RegCloseKey.ADVAPI32 ref: 00007FF6235CEFEA

Strings

Console, xrefs: 00007FF6235CEFBB
IpDatespecial, xrefs: 00007FF6235CEFD6

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID: Console$IpDatespecial
API String ID: 849931509-1840232981
Opcode ID: 428edfecf080eeaca7e0c1c67ef556d191498152a1b600a56db6dc59e929ff35
Instruction ID: 7b7c1f6d212260709ec357d0f550afd8635d6bc7d6c9e2724587108296fdc897
Opcode Fuzzy Hash: 428edfecf080eeaca7e0c1c67ef556d191498152a1b600a56db6dc59e929ff35
Instruction Fuzzy Hash: 0DF0FF36608DC286EB208B14EC117A96364F78476AF004171CD1D77A68EF39D1998B05

Function 00007FF6235E0778 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF6235E089B
__AdjustPointer.LIBCMT ref: 00007FF6235E08E6

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 95c273c5d9a602b1e514679a9057b242ded82a174dba946a287035d63dc3020a
Instruction ID: 6d56afd12b2f69b7f1cf63f8336e210dd4f288ac7e496f17e211488f02072593
Opcode Fuzzy Hash: 95c273c5d9a602b1e514679a9057b242ded82a174dba946a287035d63dc3020a
Instruction Fuzzy Hash: 8FB18F22E0EB5681FE659F12984223D63A4EF54B84F0984B6DE8DF7785DF3CE4428742

Function 00007FF6235FC95C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF6235FC984
_set_statfp.LIBCMT ref: 00007FF6235FC99F
_set_statfp.LIBCMT ref: 00007FF6235FC9BB
_set_statfp.LIBCMT ref: 00007FF6235FC9F7

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction ID: 679085874d711da314797735f9aeb481a2c176af4182bcb3aa3b9f5df436b51d
Opcode Fuzzy Hash: 3a9c703ea5aaac55ee3dcba71a43574e980d604707a0521e319b1fc91c9c8b59
Instruction Fuzzy Hash: 5A117362E1CA0301FE641128DF5737561616F673B0F5906B4EEAEF62DACF2CB8404213

Function 00007FF6235EEF50 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6235E3C9B,?,?,00000000,00007FF6235E3F36,?,?,?,?,?,00007FF6235E3EC2), ref: 00007FF6235EEF6F
FlsSetValue.KERNEL32(?,?,?,00007FF6235E3C9B,?,?,00000000,00007FF6235E3F36,?,?,?,?,?,00007FF6235E3EC2), ref: 00007FF6235EEF8E
FlsSetValue.KERNEL32(?,?,?,00007FF6235E3C9B,?,?,00000000,00007FF6235E3F36,?,?,?,?,?,00007FF6235E3EC2), ref: 00007FF6235EEFB6
FlsSetValue.KERNEL32(?,?,?,00007FF6235E3C9B,?,?,00000000,00007FF6235E3F36,?,?,?,?,?,00007FF6235E3EC2), ref: 00007FF6235EEFC7
FlsSetValue.KERNEL32(?,?,?,00007FF6235E3C9B,?,?,00000000,00007FF6235E3F36,?,?,?,?,?,00007FF6235E3EC2), ref: 00007FF6235EEFD8

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4047813a2c2501da88736eb8979464a470432fe091b6a2381c64cb1679d0dde5
Instruction ID: 735ec2dbef0e7b8d787a79c0ac6713d07e74031fb4b16fa4a2c3381e1095a1b7
Opcode Fuzzy Hash: 4047813a2c2501da88736eb8979464a470432fe091b6a2381c64cb1679d0dde5
Instruction Fuzzy Hash: 4F117F20A2935342FE9853259D4317952416F45BF4F1857B8ECBDF67D6DF3CB4428202

Function 00007FF6235EEDE4 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F), ref: 00007FF6235EEDF5
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F), ref: 00007FF6235EEE14
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F), ref: 00007FF6235EEE3C
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F), ref: 00007FF6235EEE4D
FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00007FF6235F7113,?,?,?,00007FF6235EF444,?,?,?,00007FF6235E843F), ref: 00007FF6235EEE5E

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f4b63a2d358e16832ea89596edc1dbf90b4b2fd2f1616095919a36d422ba38cd
Instruction ID: 0037c79c78daab39ce0ff5eb44980c0589f65dfb41116d0f132787731288ea34
Opcode Fuzzy Hash: f4b63a2d358e16832ea89596edc1dbf90b4b2fd2f1616095919a36d422ba38cd
Instruction Fuzzy Hash: 7F11F724E2930346FE9862215C5717922825F56B74F1C1BB8EDBEFA2D6DF3CB4419243

Function 00007FF6235C56C0 Relevance: 7.5, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6235C56E5
EnterCriticalSection.KERNEL32 ref: 00007FF6235C56EF
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C56FF
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C5709

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 7d1c33e0fc199dc1a1b2b98ae86d416f77ce0655480dcc5f384a8a26f1c27f0c
Instruction ID: 09b51a2d9446dfb872106853abb652f930e5a1399970fbb59a702b76014b74cd
Opcode Fuzzy Hash: 7d1c33e0fc199dc1a1b2b98ae86d416f77ce0655480dcc5f384a8a26f1c27f0c
Instruction Fuzzy Hash: 1D11F132628A42C7EF509B65F8953A963A0FB44759F841471DB8FA6B94CF3CE486C701

Function 00007FF6235CC0C0 Relevance: 7.5, APIs: 5, Instructions: 39COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF6235CC103
EnterCriticalSection.KERNEL32(?,?,?,00007FF6235CC094), ref: 00007FF6235CC115
EnterCriticalSection.KERNEL32 ref: 00007FF6235CC125
GdiplusShutdown.GDIPLUS ref: 00007FF6235CC133
LeaveCriticalSection.KERNEL32 ref: 00007FF6235CC140

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
String ID:
API String ID: 1513102227-0
Opcode ID: cb3a45266a7c72afb3eef7b31d32061257325c5ad6beb33f20a6e81f88ef5b24
Instruction ID: d98ea987c817ee4813a30bd96f08ab08d7a707bcbc5530f56d0b85cb409492c5
Opcode Fuzzy Hash: cb3a45266a7c72afb3eef7b31d32061257325c5ad6beb33f20a6e81f88ef5b24
Instruction Fuzzy Hash: 4A113D32519F8281EF108F29E85502873B4FB44F68B284675DA5D667E0DF39D557C341

Function 00007FF6235C5640 Relevance: 7.5, APIs: 5, Instructions: 26synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6235C5652
WaitForSingleObject.KERNEL32 ref: 00007FF6235C5664
Sleep.KERNEL32 ref: 00007FF6235C566F
CloseHandle.KERNEL32 ref: 00007FF6235C568C
CloseHandle.KERNEL32 ref: 00007FF6235C5699

Part of subcall function 00007FF6235C4C50: GetCurrentThreadId.KERNEL32 ref: 00007FF6235C4C65
Part of subcall function 00007FF6235C4C50: SwitchToThread.KERNEL32 ref: 00007FF6235C4C9D
Part of subcall function 00007FF6235C4C50: SetLastError.KERNEL32 ref: 00007FF6235C4CDC

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseHandleObjectSingleThreadWait$CurrentErrorLastSleepSwitch
String ID:
API String ID: 1535946027-0
Opcode ID: 311de798c0593289d29e071e9f78a1d734eb52b4581ef33c1cbfd426072e5f36
Instruction ID: 317e9c73f36489d33eb9996a5b3e525ecd4060e824a1c3c3e06e034c60e15500
Opcode Fuzzy Hash: 311de798c0593289d29e071e9f78a1d734eb52b4581ef33c1cbfd426072e5f36
Instruction Fuzzy Hash: CBF0EC35608E4583EB149F29EC591692321FB8AF69F184670DE2EA73E4CF38D885C351

Function 00007FF6235E1AEC Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6235E1B5C
_CallSETranslator.LIBVCRUNTIME ref: 00007FF6235E1BA7

Strings

MOC, xrefs: 00007FF6235E1B70
RCC, xrefs: 00007FF6235E1B78

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 85eb8fbd3e06a99c4afa559b4d80cf249f4e954e0195537aa802c98b0a840f84
Instruction ID: b93c212384eb30c6f3ec65bb4c1af079bad5d44f2a9e03f5d3fc7747bb5d2c70
Opcode Fuzzy Hash: 85eb8fbd3e06a99c4afa559b4d80cf249f4e954e0195537aa802c98b0a840f84
Instruction Fuzzy Hash: 6291C073A087958AEB14DF65E8412EC7BA0FB04788F104169EE8DB7B55DF38D292CB01

Function 00007FF6235DFD28 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6235DFD53
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF6235DFDEA
RtlUnwindEx.KERNEL32 ref: 00007FF6235DFE44

Strings

csm, xrefs: 00007FF6235DFDD1

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: c305225e0e2b3a2203a822812f960376c115b044745f784688940b7b0a399dcc
Instruction ID: 5c3f1ddfc2ec6504eb7d13a5f88d47ca068bd8ee450150b9a9d9474de922fe70
Opcode Fuzzy Hash: c305225e0e2b3a2203a822812f960376c115b044745f784688940b7b0a399dcc
Instruction Fuzzy Hash: FE51BD32B097468AEF94CB15E845A787392EB44B88F148171EA4EE7789DF3CE881C701

Function 00007FF6235E206C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6235E2094
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF6235E217C

Strings

csm, xrefs: 00007FF6235E20B6
csm, xrefs: 00007FF6235E21CE

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 544592ab7251effa554c0990b2f03f08321f7b0f5e6baf8f1fc1d42750b8d711
Instruction ID: 6790a40a79f63237f30a5e7e72e30b547895ef77f1d63b8ce270d7a76517d1a7
Opcode Fuzzy Hash: 544592ab7251effa554c0990b2f03f08321f7b0f5e6baf8f1fc1d42750b8d711
Instruction Fuzzy Hash: 9E51BF32A1838686EF68AF119C4636837A0FB55B94F1441B5DA8CB7BD9CF3CE490C702

Function 00007FF6235FAA5C Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6235FAADB
WriteFile.KERNEL32 ref: 00007FF6235FADA3
WriteFile.KERNEL32 ref: 00007FF6235FADE9
GetLastError.KERNEL32 ref: 00007FF6235FAE9F

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: b0a5a2f5e03aa4de9bb2610dcdd396f5b9cdbd820afb8483674e8d26cbad73da
Instruction ID: 13104d50926e3cb524d5c082000bfa2eec43a18e3b97476b19a4c04827f20bcf
Opcode Fuzzy Hash: b0a5a2f5e03aa4de9bb2610dcdd396f5b9cdbd820afb8483674e8d26cbad73da
Instruction Fuzzy Hash: F3D1F132B18A8189EB11CF65D8412AC37B2FB45798B0442B6DE5DF7BA9DF38D446C702

Function 00007FF6235D59A0 Relevance: 6.3, APIs: 4, Instructions: 260COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D5B15
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235D5B1B

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 9836cfd4f00772ab983df51a940828b549011ef8ebab5eaf54ddafcf2ed5cfb4
Instruction ID: 59de96c3c27c4f826a875366f5d939d9ce3b840f6909e9f5737aeb9ef6e21be1
Opcode Fuzzy Hash: 9836cfd4f00772ab983df51a940828b549011ef8ebab5eaf54ddafcf2ed5cfb4
Instruction Fuzzy Hash: 2291E362B05A8A85EE14DB65D8462BD6361FB04BE0F948A71DF2DB7BC9DF7CD0818301

Function 00007FF6235D7610 Relevance: 6.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D79B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D79BC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D79C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D79C8

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d455572cb0b53bd605dd2c5479bbb32fa5d957f89605b264ea43e35a7a78a5b6
Instruction ID: 6d84bfd2048539ab553117566005e34ecdbd18829945ffd185dcbdea6a5f3ec2
Opcode Fuzzy Hash: d455572cb0b53bd605dd2c5479bbb32fa5d957f89605b264ea43e35a7a78a5b6
Instruction Fuzzy Hash: D5B17C63F14B5985EF008FA4D8457AC2372FB08B98F405266DE6D77A99DF78A481C341

Function 00007FF6235FB384 Relevance: 6.2, APIs: 4, Instructions: 219COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF6235FB36F), ref: 00007FF6235FB4A0
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00007FF6235FB36F), ref: 00007FF6235FB52B

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: c0b9c452233083e8ba344db7b85cdb6942af15e1945070f1535423c6b6b64ca2
Instruction ID: ce9434a2984da29e23aca6b7fda80520ab46259c562c1bdf042e60b3c0605746
Opcode Fuzzy Hash: c0b9c452233083e8ba344db7b85cdb6942af15e1945070f1535423c6b6b64ca2
Instruction Fuzzy Hash: FA91B372A08A52C5FF50CF65D8822BD2BA1BB06B88F1441B9DE4EB7A95DF3CD445C702

Function 00007FF6235D8830 Relevance: 6.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D8A74
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6235D8A80
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D8A86
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235D8AE7

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 6b86777ed2056881ec85e37c8b53bc7b1ae53672222ced7e915cb6963593c230
Instruction ID: 5d7d8d835399d715b0019d4bf06c38beea327f2bfd7ac1ba1983c970e37a3409
Opcode Fuzzy Hash: 6b86777ed2056881ec85e37c8b53bc7b1ae53672222ced7e915cb6963593c230
Instruction Fuzzy Hash: F171AF62B14B8A85EE04DB25D80936C63A1EB85FE0F558671DEAC67BC5DF7CE481C302

Function 00007FF6235CF160 Relevance: 6.2, APIs: 4, Instructions: 190processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6235CF1AD
Process32FirstW.KERNEL32 ref: 00007FF6235CF23F
Process32NextW.KERNEL32 ref: 00007FF6235CF333

Part of subcall function 00007FF6235E8A40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E8A66

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6235CF3FB

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Process32$CreateFirstNextSnapshotToolhelp32_invalid_parameter_noinfo_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4260596558-0
Opcode ID: be836d38096120c0cd8b151b43bf66e5befb7495844985f2fd7b9594a703298f
Instruction ID: 53f59144c0c5b0129fbefbe7ff50f42c095698bcffc0c89c5030b69d75232f7e
Opcode Fuzzy Hash: be836d38096120c0cd8b151b43bf66e5befb7495844985f2fd7b9594a703298f
Instruction Fuzzy Hash: 0E71D362B0878691EE209B25D84227E63A1FB85BA8F448771EE7EA37C4DF7CD540C701

Function 00007FF6235E95E4 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF6235E963B
GetSystemInfo.KERNEL32 ref: 00007FF6235E9654
VirtualAlloc.KERNEL32 ref: 00007FF6235E96C2
VirtualProtect.KERNEL32 ref: 00007FF6235E96DD

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: de052ff2da3a860ebe00b2b1188a3b3a24b5d5626fd4b16e4c5629aca21b164b
Instruction ID: fe4fc1697f83f230ca3afe520c31071bd3e683cf2c192a266098d70480fe0f81
Opcode Fuzzy Hash: de052ff2da3a860ebe00b2b1188a3b3a24b5d5626fd4b16e4c5629aca21b164b
Instruction Fuzzy Hash: 6F314A32714B859EDB20CF31DC557A823A5FB48B88F444026EA4DA7B48DF3CE646C741

Function 00007FF6235C4F90 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF6235C4FAC
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C4FC3
LeaveCriticalSection.KERNEL32 ref: 00007FF6235C504B
SetEvent.KERNEL32 ref: 00007FF6235C506B

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CriticalSection$Leave$EnterEvent
String ID:
API String ID: 3394196147-0
Opcode ID: 401af7361c6d18c862ea4f071fb6758f38da9ad67756e4e78bac1cd16ae14490
Instruction ID: 23ebc0f126c6dcd4bdbe4f7f87d5450296a03bd5c61f6737e8d903d40bbd1392
Opcode Fuzzy Hash: 401af7361c6d18c862ea4f071fb6758f38da9ad67756e4e78bac1cd16ae14490
Instruction Fuzzy Hash: 28214832708B8193DB48CF2AE9842ADB3A4FB48B84F544435DB6DA3765DF38E4A1C740

Function 00007FF6235DE880 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6235DE8AC
GetCurrentThreadId.KERNEL32 ref: 00007FF6235DE8BA
GetCurrentProcessId.KERNEL32 ref: 00007FF6235DE8C6
QueryPerformanceCounter.KERNEL32 ref: 00007FF6235DE8D6

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: e05f7aef3380f0f9b3312b24ce1aa7c1f593c40dbd43f636e11a9c4c637e2614
Instruction ID: da7ec5065b68a217c03e0632a32891770c508946f8aba7b9853193f243764912
Opcode Fuzzy Hash: e05f7aef3380f0f9b3312b24ce1aa7c1f593c40dbd43f636e11a9c4c637e2614
Instruction Fuzzy Hash: C0111C36B15B058AEF00CF60EC552B833A4FB19758F440A31DE6DA6BA4DF78D1548341

Function 00007FF6235C37A0 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

setsockopt.WS2_32 ref: 00007FF6235C37DD
CancelIo.KERNEL32 ref: 00007FF6235C37EA
closesocket.WS2_32 ref: 00007FF6235C37FA
SetEvent.KERNEL32 ref: 00007FF6235C3804

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CancelEventclosesocketsetsockopt
String ID:
API String ID: 852421847-0
Opcode ID: 3e6bea74e94700dfcc8d9d47a61c466b5b5c0e1f507d80d6be11655914b66227
Instruction ID: e51b3ec9bf27042ffadbb9009804fb316b59eb01be47756a461292ee2e950c0c
Opcode Fuzzy Hash: 3e6bea74e94700dfcc8d9d47a61c466b5b5c0e1f507d80d6be11655914b66227
Instruction Fuzzy Hash: DCF04632608B8182DB148F25E85832AB330FB89BA4F104335CBAC97AA4CF3DE0658701

Function 00007FF6235C3FF0 Relevance: 6.0, APIs: 4, Instructions: 22synchronizationsleepCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF6235C4002
Sleep.KERNEL32 ref: 00007FF6235C400D
WaitForSingleObject.KERNEL32 ref: 00007FF6235C4024
WaitForSingleObject.KERNEL32 ref: 00007FF6235C4036

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ObjectSingleWait$Sleep
String ID:
API String ID: 2961732021-0
Opcode ID: 83ddd93f6670c03bec4b7f128343a3e6a6daf1263786cfff0f95db90d503808b
Instruction ID: 531b261d0e7b1f8980d9a4cffccdea940abeb7405093bbbed611911027a24c16
Opcode Fuzzy Hash: 83ddd93f6670c03bec4b7f128343a3e6a6daf1263786cfff0f95db90d503808b
Instruction Fuzzy Hash: 2DF0DA72708E4487DB509B39DC592283262EB8AB39F550370CE2DA73E4CF38C4858355

Function 00007FF6235E22A4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6235E22CE

Strings

csm, xrefs: 00007FF6235E22F3
csm, xrefs: 00007FF6235E2462

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: f15189d2199330c0f402dae8ecdfa2ca81426a1eff024833c44a8ddbe4b12987
Instruction ID: 03558ad2b601a8a7a390e1333a85b90d2faffad0028188236a791302f6ad4125
Opcode Fuzzy Hash: f15189d2199330c0f402dae8ecdfa2ca81426a1eff024833c44a8ddbe4b12987
Instruction Fuzzy Hash: 1071BE72A1878186DF609F22D8516797BA0FB04B84F1481B2DE9CB7A89DF3CD591CB02

Function 00007FF6235E187C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF6235E18DB

Strings

MOC, xrefs: 00007FF6235E18EF
RCC, xrefs: 00007FF6235E18F7

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: ff6c3586205ef54b92cc1381aa76c713ce5aef96bda724e5a14e442f6a8185ef
Instruction ID: c28af95fd88cceaceb3942386c257ac13dd4b28c596a8b960578881002e187ab
Opcode Fuzzy Hash: ff6c3586205ef54b92cc1381aa76c713ce5aef96bda724e5a14e442f6a8185ef
Instruction Fuzzy Hash: EA61A032908BC581DB248B15E8413BAB7A0FB85B94F044265EF9DA3B55DF3CE191CB01

Function 00007FF6235CDC4D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00007FF6235CDCA0
CloseHandle.KERNEL32 ref: 00007FF6235CDE27

Strings

%s_bin, xrefs: 00007FF6235CDC95

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CloseHandlewsprintf
String ID: %s_bin
API String ID: 3088109604-2665034546
Opcode ID: 66361e1af3ee593cea34195adac24433fb7505641dbd06c9474f0aaa8f9553f0
Instruction ID: bf483efc73b1dbbddb407ffca8b2eb31d59279d926297293741095cd0c1e8f33
Opcode Fuzzy Hash: 66361e1af3ee593cea34195adac24433fb7505641dbd06c9474f0aaa8f9553f0
Instruction Fuzzy Hash: 0751E366B19A9681EF10DB21C822BB923A5EF85B88F468576DA0DB77C5DF3CD401C303

Function 00007FF6235F1F64 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6235E94E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6235E951B

_get_daylight.LIBCMT ref: 00007FF6235F207C
_get_daylight.LIBCMT ref: 00007FF6235F208D

Strings

?, xrefs: 00007FF6235F200D

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 73dd6a1d9a5ad4992f3991f8c36a8220d63358c9d054768064d2836bf5e58140
Instruction ID: ab07564cc6f91cac6eb44df51cea269480cb881a9c30eabcc6bf41b03ede97ec
Opcode Fuzzy Hash: 73dd6a1d9a5ad4992f3991f8c36a8220d63358c9d054768064d2836bf5e58140
Instruction Fuzzy Hash: F9412922A1838242FF609B25DC0237A66A4EF91BA4F144275EF5CB7AD6DF3CD542C702

Function 00007FF6235E293C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF6235E29E6
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF6235E2A0F

Strings

csm, xrefs: 00007FF6235E2B0F

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: f28967bb51a8388d528e36e8d1b9cbe39d4a27893e421944e70fc0d8e7df8c72
Instruction ID: 29b5644a3cbce4459d490a84d2beccc60803013c3436b16facd606f95f45259e
Opcode Fuzzy Hash: f28967bb51a8388d528e36e8d1b9cbe39d4a27893e421944e70fc0d8e7df8c72
Instruction Fuzzy Hash: 7651537361874186EA20EF26E94226D77A4FB88B90F141175EF8DA7B56CF3CE451CB02

Function 00007FF6235EC224 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6235EC256

Part of subcall function 00007FF6235EE95C: RtlFreeHeap.NTDLL(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE972
Part of subcall function 00007FF6235EE95C: GetLastError.KERNEL32(?,?,?,00007FF6235F6862,?,?,?,00007FF6235F6BDF,?,?,00000000,00007FF6235F7025,?,?,?,00007FF6235F6F57), ref: 00007FF6235EE97C

GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6235DE051), ref: 00007FF6235EC274

Strings

C:\Users\user\Desktop\f3fBEUL66b.exe, xrefs: 00007FF6235EC262

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
String ID: C:\Users\user\Desktop\f3fBEUL66b.exe
API String ID: 3580290477-2325883835
Opcode ID: aee35bfe6285ca872dc023e0e85ec8bac6debb86297f70b490d45f268cf6f652
Instruction ID: ae69bc9e0274033083a899a074b419aafed0fe703ada81d28f97730f0e441edf
Opcode Fuzzy Hash: aee35bfe6285ca872dc023e0e85ec8bac6debb86297f70b490d45f268cf6f652
Instruction Fuzzy Hash: 51419D76A08B1286EF55DF25AC920BD63A4FF44B84B444076EE8EB7B95DF3CE4418302

Function 00007FF6235FB0F4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6235FB20B
GetLastError.KERNEL32 ref: 00007FF6235FB22D

Strings

U, xrefs: 00007FF6235FB1B7

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 82c14a47abd65dfd2f18e3d0d2973b2ccc07122a063a358567b3cbc0c6ba3651
Instruction ID: 13e0d8114f5c59d7fc6034963c454dff5f18d51415168a31b67f647d471c2759
Opcode Fuzzy Hash: 82c14a47abd65dfd2f18e3d0d2973b2ccc07122a063a358567b3cbc0c6ba3651
Instruction Fuzzy Hash: BC41BF32B18A8182EF209F25E8557BA67A1FB89794F404131EE4EE7B98DF3CD441CB41

Function 00007FF6235E02F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235C1111), ref: 00007FF6235E0340
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6235C1111), ref: 00007FF6235E0381

Strings

csm, xrefs: 00007FF6235E036E

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 4e14dd832fb4824443fa8c0aec862097db35212d867c479028c393dfe5930aef
Instruction ID: f567cc67e7a0bf0112fd570a7a3c2b41715ffbc0ec0975d1524191a8a907d47a
Opcode Fuzzy Hash: 4e14dd832fb4824443fa8c0aec862097db35212d867c479028c393dfe5930aef
Instruction Fuzzy Hash: FE110D32618B4182EB618F25F84026977E5FB88B84F584275EECD67B69DF3CD551CB00

Function 00007FF6235DA4B0 Relevance: 5.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32 ref: 00007FF6235DA4EE
IsBadReadPtr.KERNEL32 ref: 00007FF6235DA5C3
SetLastError.KERNEL32(?,00000000,00007FF6235DAAC9,?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA5E5
SetLastError.KERNEL32(?,00000000,00007FF6235DAAC9,?,?,?,?,?,?,?,?,?,00007FF6235CD242), ref: 00007FF6235DA603

Memory Dump Source

Source File: 00000000.00000002.3529908435.00007FF6235C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6235C0000, based on PE: true

Associated: 00000000.00000002.3529896224.00007FF6235C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529931449.00007FF6235FF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529949759.00007FF623615000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529962727.00007FF623618000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529976457.00007FF62361C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3529990771.00007FF623620000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6235c0000_f3fBEUL66b.jbxd

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 82ac0250d1ecd3177f83757e94cf9be5bc81ee4aab1a059e0fd8dc4cfb57a079
Instruction ID: b50b7538f0ff576fd430c109575dbaa2c563d33dcf30674a9ad2559ca4425cd7
Opcode Fuzzy Hash: 82ac0250d1ecd3177f83757e94cf9be5bc81ee4aab1a059e0fd8dc4cfb57a079
Instruction Fuzzy Hash: DF414862B09B4682EF108B16E84526A33B0FB48B91F054475DF4EA7B94EF3CE8A0C311

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report f3fBEUL66b.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\kernelquick.sys

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
f3fBEUL66b.exe

Function 00007FF6235C6370 Relevance: 193.3, APIs: 81, Strings: 29, Instructions: 845
registrystringprocessCOMMON

Function 00007FF6235DB5E0 Relevance: 103.7, APIs: 41, Strings: 18, Instructions: 429
registrylibrarysleepCOMMON

Function 00007FF6235CF410 Relevance: 81.0, APIs: 35, Strings: 11, Instructions: 532
registryprocessfileCOMMON

Function 00007FF6235C72D0 Relevance: 54.7, APIs: 26, Strings: 5, Instructions: 457
COMMON

Function 00007FF6235CFD10 Relevance: 54.6, APIs: 26, Strings: 5, Instructions: 318
windowCOMMON

Function 00007FF6235C8A40 Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 255
COMMON

Function 00007FF6235C8710 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 244
memoryCOMMON

Function 00007FF6235C7A60 Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 216
stringregistrycomCOMMON

Function 00007FF6235CB410 Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 232
memorytimeCOMMON

Function 00007FF6235D0220 Relevance: 45.3, APIs: 30, Instructions: 260
memorywindowCOMMON

Function 00007FF6235CC340 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 297
windowCOMMON

Function 00007FF6235C3820 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 157
networkstringtimeCOMMON

Function 00007FF6235C8C30 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 101
memoryCOMMON

Function 00007FF6235DBEF0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 223
memoryCOMMON

Function 00007FF6235CD9C0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 137
registryCOMMON